Pay your taxes. Walk the dog. Submit that expense report. Each of us has that ever-growing catalogue of tasks to accomplish and slowly cross items off the list. Whether we are holding ourselves accountable or someone else is, it’s important for us to complete each of those tasks – no matter how many months they have been on the list!
Lucky for us, not completing one of our to-do’s this weekend will not carry the same consequences as not complying with the new European Union (EU) General Data Protection Regulation (GDPR). Starting on May 25, 2018, organizations that maintain any data (i.e., HR, customer, business partners) of citizens of European member countries must comply with GDPR principles. To avoid a potential fine of up to 4% of global annual revenue, there are several critical activities to add to your to-do list.
- Hire/Appoint a DPO - As the steward of the data governance program, GDPR mandates that each entity appoints a Data Protection Officer (DPO) who is responsible for ensuring compliance with not only GDPR requirements but also with other data protection regulations. This individual is ultimately accountable for compliance and coordination with the supervisory authorities as necessary.
- Incorporate Privacy by Design/Default - Privacy should no longer be considered as an afterthought or simply a compliance issue. Organizations should consider privacy at the design phase and throughout a product or data lifecycle.
- Update Consent Guidance - Free and clear consent, or approval to collect, must be obtained for all personal data an organization stores, transmits or processes.
- Improve Transparency in Data Processing - As part of an updated consent process, organizations should validate their data processing methods to match those described in the consent form. Furthermore, organizations should be aware of how third-parties use and process sensitive data.
- Ensure Right to be Forgotten - Organizations should provide reasonable assurance that upon request, personal data is deleted – completely. The same principle also applies to data that is no longer needed for the originally stated purpose at collection.
- Implement Data Breach Notification(s) - Most organizations are aware that they must provide notification upon data breach, but GDPR raises the bar and mandates that notification be sent, where feasible, within 72 hours of breach.
- Build a “One-Stop-Shop” - Multi-national organizations, under GDPR, must consolidate data protection operations to a “main establishment” to best determine which state’s data protection regulations are the primary authority. It must also coordinate its data protection “actions,” such as those requested by individuals (see next three steps), across geographies and offices. This will help drive consistent privacy and data protection policy throughout the enterprise.
- Ensure Right to Object - Individuals have the right to object to their data being used for direct marketing campaigns or any other processing. Organizations should provide adequate means for an objection to data processing and marketing.
- Improve Subject Access Requests - Individuals have a right to request access to their personal information at no fee or charge, and they also have the right to request that their data be erased – completely. Organizations have only 30 days to respond to each request.
- Enhance Data Subject Rights - The expanded GDPR regulations include increased rights for individuals, some already mentioned above as well as the right to request a change in data owner – also known as data portability.
- Confirm Compliance - Perform a detailed assessment of your privacy and data governance program to ensure that you meet GDPR requirements and other regulatory mandates (HIPAA, COPPA, etc.). It’s also important to consider the increasing importance of privacy as part of an organization’s overall risk management program – see the recent updates to NIST guidance here.
Approaching the May 25th, 2018 deadline for GDPR compliance, it is important that organizations stay organized and on schedule to ensure they meet the new standards.
This will be the first of a series of posts on GDPR so check back here often for more information!