If this is the first time you’ve heard that as of May 25th, the EU will begin enforcing the General Data Protection Regulation (GDPR), take a brief moment to freak out.
Now take a deep breath and know that you’re not alone in being behind on preparation. Despite having two years of warning about coming into compliance with the new privacy requirements that shape how data must be responsibly transferred and stored, most businesses in North America aren’t ready. Gartner has estimated that more than half of organizations won’t be ready by the end of the calendar year, let alone as of today.
GDPR means stricter data protection frameworks, stricter penalties for misuse of personal data, and stronger enforcement of such regulations protecting EU citizens. Enforcement of GDPR in Canada and the U.S. will be assisted by cooperation of local authorities that are duty-bound to uphold international laws.
It’s a good bet that EU regulators will go after a large multi-national company to make an example of it under GDPR – Google is an example of a firm that’s already been fined billions by EU enforcers for regulatory transgressions – but that doesn’t mean a long list of companies that aren’t up to snuff on GDPR will be hit with big penalties in the early days, de Guzman says.
Now that you’ve exhaled, here are 10 things you should be doing to prepare for GDPR starting ASAP.
1. Figure out how it applies to you
There are different responsibilities under the new regulations depending on how you touch the data of EU residents. If you market or sell into the EU, have employees in the EU, or collect and monitor data of EU residents for any business purpose, then you must comply with GDPR. There may be slightly less onerous requirements if you’re a smaller organization. In fact, there might even be some benefits.
2. Obtain executive sponsorship
Most often, companies are appointing a chief legal officer or a CIO to take the lead on GDPR. The legislation also requires appointing a data protection officer who is responsible for compliance. But in addition to that person, another executive can oversee the implementation.
3. Assemble your cross-functional compliance squad
Any department in your organization that touches customer or employee data must be involved in your compliance plan. That includes legal, marketing, sales, HR, and so on. Marketing is probably the highest-risk area, because that department holds the most information on customers and prospects.
4. Identify all processing activities and create a register
GDPR specifically requires a Register of Processing Activities (ROPA) to be kept at companies under compliance.
Look to processes like employee administration, supplier screening, account management, and email marketing campaigns. The records of these activities should contain the name and contact details of the data controller, the purpose of the process, a description of the categories of data, how long the data will be stored, and a description of the security measures.
5. Don’t forget data managed by third parties
If you’re collecting data from customers and then using third-party providers for cloud services or data processing of any kind, you’re still responsible for your customers’ data when it’s in the hands of your partners. Look for compliance commitments from your providers and have conversations with your vendors about how they view compliance.
6. Classify personal information
Not in the sense of making it top secret, but in the sense that data should be tagged as containing personally identifiable information. This data should be organized into categories based on type, and those categories should have guidelines for when data should be deleted.
7. Conduct a data clean-up
A key concept of GDPR is data minimization, meaning that data should be deleted once the purpose for which it was collected is complete. GDPR requirements don’t override other regulations that require your company to keep records for a certain length of time. For example, financial organizations must keep data on hand to comply with know-your-customer regulations. That doesn’t change.
8. Understand the recording requirements
Collecting consent from your customers and proving that you have it will be a big part of GDPR. You may have noticed that in the past few days just about every web service was updating its privacy policy or terms of service and asking you to acknowledge that you read them. That was each service’s effort to show it has informed its users of how it handles their data.
Also, keep in mind that you’re now required to track any events that may be considered data breaches. You must also notify affected customers of data breaches within 72 hours of detecting them.
9. Review and update policies and procedures
As with any changes to regulation, you should update your privacy policy and records management policy to reflect GDPR compliance. The policies should contain many of the specifics of how a user’s data is collected, stored, and deleted. Outlining why you’re collecting user data in the first place is important too.
10. Formalize education and awareness
All of your employees will have to be familiar with the new data protection policies at your company. Formal education around this should be mandatory for all your staff. Depending on how much the new regulations affect their day-to-day operations, the training length and depth will vary. Make sure that you’re at least raising awareness of the new compliance requirements and how important it is to take them seriously.
One more bonus step: meet with the experts. Even lawyers are asking for help from legal counsel who are more specialized in privacy law. But the risk advisory consultants out there and the technology vendors you have good relationships with can help with advice as well.