With the enforcement date approaching, organisations are moving quickly to ensure readiness and compliance with General Data Protection Regulation (GDPR). Businesses large and small have had years to prepare for the regulation, but some small-medium sized organisations without dedicated compliance resources may find themselves behind and with just days to go.
In fact, a survey by Deloitte found only 15% of EU organisations expect to be fully compliant by 25 May. The report also found that although 89% of the organisations surveyed had a formal GDPR-readiness program, only 45% had completed a GDPR assessment.
Most global organisations are familiar with the ‘what’ and ‘why’ of GDPR, as well as the potential fines associated with non-compliance – up to 4% of annual global turnover and a maximum of $20M. However, many will be scrambling to meet the most achievable articles in advance of 25 May, as evidenced by the barrage of updated privacy policies and notifications most web users have received over the past month. Because GDPR approaches privacy from several angles, businesses need to prioritise each article strategically, focusing on quick-win articles first.
Deloitte’s survey identified four specific requirements that most companies have already addressed, or could be easily addressed in the short term:
- Data breach reporting – notifying without delay (within 72 hours), “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
- Privacy notifications – updating privacy policies and terms of services to ensure consumer consent.
- Appointment of a Data Protection Officer (DPO) – creating a named role either internally or externally to ensure continued compliance.
- Privacy impact assessment (PIA) – a systematic process to assess privacy risks to individuals for the purpose of creating mitigation strategies, such as encryption, anonymisation, and pseudonymisation.
In addition to these quick wins, those playing catch-up should also consider the following activities:
- Conduct a data mapping exercise to determine ‘data footprint.’ This is a primary step before any internal analysis can be conducted and answers the question, “Where is the data today?”
- Perform a gap analysis to identify specific areas of non-compliance, highlighting specific systems, policies, and procedures that fall within the scope of the GDPR.
- Create a compliance roadmap and prioritisation strategy to address the gaps identified during the analysis/discovery effort.
- Design and implement a living, continuous maintenance and monitoring program to ensure ongoing compliance.
Other regulatory requirements will present greater challenges to global organisations, demanding additional resources and a top-down strategic approach to overcome. These include:
- Consent – ensuring customers and participants are given the opportunity to grant consent to each form of processing they are subject to, with a clear and concise explanation provided for each processing instance. For organisations to provide this level of transparency, they must understand how user data flows through their internal systems.
- Right to erasure – the right for a user to request to have all their data permanently and immediately erased from an in-scope system. Again, the organisation receiving the request would need to know with certainty where all user data resides to comply with this article.
- Records of processing activities – upon request, organisations must provide specific and granular information regarding the data processing, data categories, impacted people, purpose of the processing and receivers.
- Portability – the right for users to request and receive personal data concerning them. The data must be provided in a structured, commonly used and machine-readable format. Furthermore, users have the right to request that their data be transmitted to another controller.
While GDPR sets a high bar when it comes to the protection and portability of citizen data, it’s important to stress a layered approach to compliance:
- GDPR requirements should initially be addressed as a business challenge rather than an IT problem.
- GDPR compliance begins at the top as a function of a business-driven strategy. You simply can’t buy or build your way to GDPR compliance with technology alone – it must be part of the overarching business strategy to be effective.
- Understanding the challenges of compliance, identifying critical gaps and executing outcome-based remediation efforts is paramount.
The go-live date of GDPR will come and go, but the regulations are here to stay and require ongoing monitoring. So, the question is, where will your organisation be headed on 25 May?
If you’re GDPR ready, then the new UK Data Protection Bill (UKDPB) may require your attention. Download this White Paper to find out how the new complete data protection system governs data covered by GDPR, as well as covering general data, law enforcement data and national security data.