General Data Protection Regulation (GDPR): Devising an Action Plan for the Road to Compliance
The new regulation is intended to compel organizations to incorporate privacy and data security into their operations by design and by default. Its strict rules set a new standard for customer rights regarding their personal data.
Organizations will be challenged to put policies, procedures, processes, and systems in place in order to comply with these requirements. And non-compliance could cost an organization significantly – impacting the bottom line, client relationships, and brand image.
Which companies does the GDPR apply to?

The GDPR will apply to data controllers and data processors that process or store the personal data of data subjects[1] who are in the EU. More specifically, GDPR applies to any organization that:
- Is headquartered or has a legal entity within the EU, including the U.K.
- Provides goods or services to data subjects who are in the EU
- Has a business model or activities that involve collecting and processing “sensitive” personal information, processing data relating to the “monitoring” of the behavior of data subjects who are in the EU, or performing “profiling” activities
- Collects and processes personal data outside the EU, but in a place where Member State Law applies by virtue of public international law
What are the risks of non-compliance?

Failure to comply with GDPR could result in direct and indirect risks, in the form of fines, a damaged reputation, and potential loss of customers and their trust. For minor violations, fines could amount to 10 million euro – or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Major violations could amount to 20 million euro – or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. GDPR also intends to keep organizations on their toes continuously by requiring them to be able to demonstrate ongoing monitoring of their respective environments and continuous compliance. It is definitely not intended to be a “one and done” compliance assessment or just another “check the box” kind of compliance exercise.
How are GDPR non-compliance fines enforced?

Independent Supervisory Authorities (SAs), as established by each member state of the EU, are empowered to audit organizations to verify compliance with GDPR. Each SA, or the Data Protection Authority (DPA) of the respective EU member state, has investigative powers. In addition, enforcement actions against organizations outside of the EU may be carried out in conjunction with the data protection agencies of the countries where the organization is established.
Where do I start the journey for compliance?

While we understand and acknowledge that organizations will be challenged to be fully compliant with the GDPR by May 25, 2018, we recommend that organizations start their journey toward GDPR compliance as early as possible.
Here are recommended action steps to take on the road to compliance:
1. Identify the purpose for collecting personal data and the respective personal data collection points
2. Develop a data flow map to indicate how the personal data is flowing within the environment
3. Create an inventory of personal data that is collected
4. Conduct a privacy risk and impact assessment
5. Conduct a readiness assessment, including assessing existing systems and applications to understand whether they can be modified to adapt to GDPR principles and requirements
6. Review and update relevant policies, including data privacy
7. Review and update plans, such as the vendor management plan, the security incident plan (including data breach identification and handling), and data privacy plans
8. Implement a Data Protection Impact Assessment (DPIA) strategy and plan, along with a data privacy awareness and training strategy
9. Develop an ongoing GDPR compliance strategy/plan
[1] GDPR defines a data subject as an identified or identifiable natural person, that is, one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.