More than 5 years ago the conversation about a new General Data Protection Regulation (GDPR) began. What started with lengthy negotiations transformed into a proposal by the European Commission (EC) to the European Union (EU), which was eventually approved and given an effective date of May 25, 2018. Time has seemingly flown by since then and we now have just under 12 months until the changes take place.
While many have already begun their research, which is great, I have heard from some others that say they “have it on their agenda for next quarter” or “will get to it at the end of the year”, which is not so great. The new GDPR should not be taken lightly as it will be the most stringent piece of compliance regulation we have seen to date and can enforce significant penalties and fines on your business.
Now (if you haven’t already) is the time for your business to begin its official countdown to the new GDPR and start taking the necessary preliminary actions in preparation.
While there is no lack of content surrounding what to expect with the new GDPR – meetups, training events, whitepapers, webinars, etc. – I have yet to find a prescriptive checklist to help organisations navigate the transition. As such, I took the time to work with our legal team and develop just that – a prescriptive checklist to complete over the next 12 months in preparation for the new GDPR.
While every business will have unique needs that go beyond what I have included here, this will serve as a useful guideline of action items for those who will be affected by next year’s changes.
Assess Your Data – At 12 months out you need to take a comprehensive look at all of your data. Assess what kind of data you have, how sensitive it is, where it is held, and how you process it. Make sure you and your team understand the difference between the structured and unstructured data you are currently dealing with. Structured data is the type of data that is easily searchable by basic algorithms, like spreadsheets or word documents. Unstructured data is more like human language, which doesn’t fit nicely into relational databases. Once you’ve properly assessed your data it will help you with the roadmap for the rest of the steps that will follow.
Define Your Processes and Procedures – After taking a look at the data your organisation is dealing with, it is probably safe to assume that you are dealing with some level of sensitive data; whether that is insurance information, bank account details, national insurance numbers, etc. With that in mind, your next step will be to define the processes and procedures around how you handle that data. For example, does the repository you use to handle your data have the ability to be structured with subfolders so you can properly organise your sensitive files? Can you properly define who has access to those folders and set up a protocol for how those files are shared internally and externally? Do you need to set up an archiving process for when an employee leaves? And most importantly how do you handle data sovereignty, i.e. where should the data be stored, in the EU, in the US, or elsewhere?
Implement Your Processes and Procedures: Everything you have identified and outlined in steps 1 & 2 are vital in getting you to the implementation stage. While there is a lot to cover and it may seem a bit overwhelming, 10-12 months should give you plenty of time to implement the necessary processes and procedures required for operating under the new GDPR. Though it is not required, when it comes to implementing your new or improved processes and procedures, I highly suggest looking into hiring a Data Protection Officer (DPO). While some may opt to give this responsibility to Human Resources, investing in a DPO can be a better choice because it will provide you with a dedicated resource whose sole job is to keep your business compliant from top to bottom. Whether your company chooses to go the HR route or hire a DPO, make sure they focus on the organisation’s accountability in terms of data privacy and mandate that they build a comprehensive privacy compliance program. The best advice I can give here is to integrate privacy by design and be transparent. Try and collect the minimum amount of personal information from customers and consider privacy from every aspect of the business. When it is necessary to collect more, make sure you are fully transparent about how you handle the processing of that information.
Create a Monitoring System: I cannot stress enough how important it is to have full visibility into your company’s data handling processes and procedures. Prioritise compliance activity and remedial measures based on areas with the highest risk and most significant impact. Priority areas will include those that are subject to legal action based on the new, more specific GDPR requirements; such as getting proper consent, processing of sensitive personal data, compatibility of new systems, and shorter time frames for subject access requests. The easiest way to maintain visibility is to be highly communicative and keep an open line of communication with everyone involved, reviewing and updating privacy policies with them on a regular basis.
Implement Checks & Balances: After you have implemented all of the aforementioned processes and procedures, it is vital for your company to stress test itself on an ongoing basis. If your company can spot problems before the EU, it could mean avoiding harsh penalties and millions in fines, which can cripple your business. One form of checks & balances that can be extremely helpful for a company is to conduct Privacy Impact Assessments (PIAs). PIAs are essential in helping privacy professional identify and guide the use of personal information across the organisation. PIAs require tight collaboration between your company’s compliance team and its business leaders in order to address privacy related regulatory requirements. Given that he GDPR calls for conducting Data Protection Impact Assessment (DPIA) in order to meet compliance, conducting regular PIAs with a similar template will be extremely helpful.
Plan for the Worst-Case Scenario: While nobody wants to imagine failure, it is always important to have a plan for every scenario, even the worst-case ones. Should your company find itself in the midst of a breach I suggest setting up a plan for proper communication, as well as pre-emptive courses of action your company can attempt to take in order to fix the error. As a part of the new GDPR the EU will be enforcing a new breach notification duty for all organisations, which mandates that any breach resulting in the harm of an individual, such as identity theft or a confidentiality breach, will have to be reported to the Information Commissioners Office (ICO). Failure to report these breaches properly could result in more fines, on top of the initial penalty for the breach itself. While not every breach needs to be reported, it is best practice to treat every breach with equal significance so that you are well prepared for even the worst-case scenarios.
Assess Potential Costs: There are two types of potential costs relating to the GDPR, the readiness and compliance setup cost and the infringement cost if you suffer a data breach. For the readiness and compliance setup, you will actualise the financial impact during this stage. This cost will vary depending on the size and makeup of your organisation. For example, data-heavy businesses are likely to face higher costs coming from the more burdensome requirements of the new GDPR. For the infringement cost, this is hopefully something you will never have to feel the financial impact of, but it should be something you are prepared for nonetheless. Every organisation should run theoretical scenarios of how they would handle the financial repercussions of a breach, even the previously mentioned worst-case scenarios. Sound preparation and planning here can be make or break your business when it comes to surviving a breach.
Purchase Cyber Insurance: The last thing to do before the GDPR goes into affect is to check on a cyber insurance policy. If you do not have one, I strongly advise looking into one. If you do have a policy already, I would suggest reviewing your policy with your provider to ensure you are covered for GDPR. The changes in the data protection landscape and regulations are likely to have a knock-on effect on the cyber insurance market and the availability of insurance policies. It is likely that businesses will now seek increased insurance protection for data breaches under GDPR. GDPR has introduced a provision for voluntary codes, which presents a number of implications. These ‘best practice’ standards give businesses the opportunity demonstrate their willingness to comply with the GDPR requirements. It is quite likely that we will see insurers consider rewarding companies with discounts on premiums if they show adherence to these codes. The additional requirement for organisations to report data breaches could also feasibly increase awareness in organisations for the need for cyber security and the impact of breaches. This means that insurance companies will demand better and more vigorous risk management strategies to reduce the likelihood of breaches. Companies could also see increased premium where these measures are not in place.
While the new GDPR has a number of changes to it and the transition is creating a significant amount of extra work for organisations, it is a good thing. The new GDPR is holding us accountable for the way we process and handle sensitive information, making ourselves and the people we do business with safer in the digital world we live in – not only today, but in the future. Hopefully this GDPR checklist will help you and your organisation through the transition, whether you are just getting started or are already on your way!