"I've got an opportunity for you," your boss chirps in that telling tone. "The board has requested that you singlehandedly ensure we're GDPR-compliant."
Oh, yes, you can!
The task of making sure your organization is in full compliance with the EU's General Data Protection Regulation may seem daunting, but the good news is there are plenty of resources available. This guide is intended to get you started with strategy, tactics, tips, and potential pitfalls to satisfy the requirements of Europe's landmark data privacy legislation.
And if misery loves company, the reality is that lots of other non-privacy people have been tossed into the GDPR pit by their organizations. While it's often someone in IT or information security who gets the honors, it could also be someone in the legal department or possibly an office manager.
"Very few people are qualified, trained, and up to speed on all the different competencies required with GDPR's data privacy requirements," says Omer Tene, VP and chief knowledge officer for the International Association of Privacy Professionals (IAPP). "Lawyers have tech deficiencies and tech people can't understand laws," but a privacy program needs both to make sure compliance, risk mitigation, and data governance all get addressed.
Regardless of who takes on GDPR compliance, that person (let's assume it's you) will need to involve IT personnel tasked with ensuring data privacy – security, storage, data sharing, and other privacy functions spelled out in the legislation. You'll need to work with business unit leaders to understand how the data is acquired, how it gets shared externally, and which third parties have access to an organization's personal data. Regardless of education or training, you'll need to be well-organized and able to navigate all echelons of your company to get answers and documentation.
But the first step in demonstrating compliance with any data privacy law is data mapping (more on this in a minute), IAPP's Tene explains.
"You need to understand what personal data actually is, what's covered and where it resides within an organization, and how it flows through [internal and external] systems," Tene adds. Regardless of whether IT or infosec personnel are leading the GDPR charge, they'll be brought in to handle the data mapping since it's an IT activity, not a legal one. The task is simply too complex – and important – to be left solely to expensive lawyers.
Now let's get started on your GDPR journey.
Learn the Basics
Of course you want to get up to speed fast: The prospect of fines, bad publicity, or lost business is plenty of incentive to be as informed as possible about GDPR and data privacy. But you still have your regular job to do, and devoting all your time to GDPR compliance simply won't fly.
Still, there's no denying that getting up to speed is going to require time and extra attention. The good news: Nobody we contacted for this article said, "Make sure that you read the entire text of the GDPR legislation."
"Yes, being familiar with the GDPR text is useful," observes Rebecca Herold, CEO of the Privacy Professor, a security consultancy. "Do a scan through the GDPR regulation. Get a feel for what is within the regulation." She also advises becoming familiar with what GDPR is asking for and not relying only on vendors and other third parties to educate you.
Herold recommends bookmarking guidance and practical advice from the EU's data protection authorities (DPAs). Among her recommendations:
GDPR has exposed an uncomfortable truth about most organizations: They have no idea what their data consists of, not to mention how much of it actually qualifies as "personal data," according to Privacy Professor's Herold. By performing a data inventory, organizations can get a better handle on what they have, where it came from, where it's stored, and how it's shared with third parties.
Given the global monetary value of personal data, organizations should do some kind of data-mapping exercise, regardless of whether they're subject to GDPR, IAPP's Tene says. Because of that value, Tene would like to see organizations account for their data the way they account for their cash.
"No one in their right mind would have $100 bills lying around and unaccounted for," he says. "Companies should know where their data resides and how it moves within and outside the organization."
And that leads to the second part of inventory: Those subject to GDPR must also review the contracts with outside service providers and vendors that touch the organization's data. That includes (but is not limited to) call centers, processors, and cloud service providers. Contracts may need to be revised so that external third parties are following the GDPR requirements as well, Tene says.
Marketers and spammers have for years crawled the Web with impunity, using their email dragnets to capture email addresses. No permissions, agreements, terms-of-service sharing, nada. But one of GDPR's cornerstones is user consent. And the consent aspect of GDPR comes with the teeth of enforcement: The French data protection authority fined Google 50 million euros (roughly US$55 million) for its failure to obtain valid consent for personalized ads and its lack of transparency about its marketing.
What's still not well understood, according to privacy experts, is when, where, and how consent is required.
"Most organizations believe consent must be obtained for every type of use of personal data from EU residents and citizens," Privacy Professor's Herold explains, but she's quick to add that obtaining consent is one of six ways that allow for lawful personal data processing.
When consent is required, organizations may be understandably confused about where to place consent notices. Do they place them prominently on their websites or more discreetly? Do they email consent notices to prospective data subjects? Herold recommends that GDPR administrators consult the Guidelines on Consent under Regulation to better discern when and how to handle their consent functions.
The advent of GDPR has both codified and helped popularize the right to be forgotten: the right to have one's personal data deleted by computer servers, digital marketers, and any other commercial collector of personal data. This aspect of GDPR is also referred to as data erasure.
Your organization has 30 days to respond to legitimate erasure requests, or 60 days if the erasure process is especially complex. This means also notifying and working with third parties that have the same data as you – hence the necessary step of doing a data inventory so that all copies of personal data get expunged. Article 17 of GDPR provides more detailed information about data erasure and what must happen once such a request is received.
The right to be forgotten isn't absolute; media organizations, for example, may claim a freedom of expression exemption. Public health and scientific research organizations may also claim that data retention is essential to performance of their activities or charter. Organizations involved in legal action may also retain relevant personal data.
A new best practice with data hygiene has emerged as a result of data erasure: purging data that is either no longer used (or useful) or that's obsolete. It's the sort of policy that can prevent administrative and legal headaches, not to mention reducing the volumes of erased data that should have been dumped anyway.
GDPR's Article 27 requires organizations that aren't located inside the European Union to appoint someone as their local contact for individuals and local data privacy entities. This is a different function than a "data protection officer," an in-house role not delegated to a third party or consultancy.
The IAPP notes that few companies have emerged to take on the role of Article 27 reps, since the authority also comes with more liability than they want. General enforcement actions – and fines – in the first year of GDPR may confirm these third parties' worst suspicions.
Rightly or wrongly, not having an Article 27 rep may also draw unwanted enforcement action.
"Put simply, if a company does not have a base in the EU and does not have details of their representative in their customer-facing privacy notice, it is immediately apparent that it's failed to meet the Article 27 duty," wrote Tim Bell, managing director of DPR Group, on the IAPP website. "For the EU data protection authorities, spotting this failure is likely a red flag of potential noncompliance elsewhere."
And it's why the Article 27 rep requirement is sometimes referred to as the hidden obligation of GDPR.