GDPR: Five Steps Towards Compliance
3 March 2017
The General Data Protection Regulation (GDPR) is set to come into force in May of 2018 and will impact any organization handling the personal data of EU citizens. So, whether you’re based in Australia, Europe or post-Brexit Britain – if you handle EU citizen data, you have just about a year to comply.
The GDPR states that personal data must not be transferred outside the European Economic Area (EEA) unless the European Commission deems an adequate level of data protection is in place or another compliant data transfer mechanism is available. But there is no “one size fits all” when it comes to GDPR compliance.
Instead, businesses across the globe should now start looking toward a holistic data privacy regime to provision for this incoming heavyweight regulation, violations of which could result in fines of €20 million or 4 percent of annual revenue – potentially billions.
So what can companies do now to plan for this incoming regulation? Here are five steps that are essential to ensure compliance.
1. Implement a data security strategy
It’s important to ascertain where responsibility for data security lies within the organization early on and to develop a corresponding response strategy.
It’s necessary to run a complete inventory and map the flow of data through a company and its systems. Finding out where each item of data comes from and who touches it is no easy task, but it’s an essential part of outlining an initial privacy strategy.
A business must also ensure there is a strong policy in place to manage data privacy strategies. If there is a breach, for example, who handles that? What do you do? And what about a suspected breach?
A team should be tasked with setting and enforcing company-wide controls, policies and procedures for compliance, and should be a combination of legal, IT and security roles. These teams are often headed up by a Chief Information Security Officer (CISO) and, as is becoming more frequent, a Data Privacy Officer (DPO).
2. Appoint a data privacy officer
In a few years’ time, there will be thousands more data privacy officers tasked with protecting personally identifiable information (PII). DPOs will materialize from various sectors, primarily from a legal or IT background.
Employees should be at the core of any holistic data privacy program, and the DPO will be tasked with ensuring that the entire business is educated on the GDPR and other data privacy regulations.
3. Live and breathe ‘privacy by design’
It’s important to ensure any systems implemented have privacy built in at their core. This ‘privacy by design’ approach helps organizations avoid any unnecessary shortcomings.
Companies must choose cloud providers following the “privacy by design” approach, as well as providers who are aware of data privacy practices in all relevant countries.
Businesses need to ask the right questions of their cloud providers in advance of the GDPR coming into effect. Are you sharing my data with third parties, for example? And can you show me your subcontractors and their processes?
Having answers to these questions is crucial. As a rule, cloud providers work with third-party suppliers to help them process, transfer, and store their customers’ data. Therefore, to ensure the protection of their data, these customers (businesses and consumers) should first know who is handling their data. Specifically, businesses need to ensure cloud providers (and the cloud providers’ suppliers) comply with data privacy laws.
4. Make sure you understand how your data moves from place to place
Businesses must be mindful of exactly where their cloud providers are storing PII and how their data are moving around the world.
For example, if the data are processed and stored within the EEA, the data may not leave the area unless certain mechanisms are in place. The EEA includes Iceland, Norway, Liechtenstein and all EU countries.
However, in most cases, as long as companies have certain mechanisms in place – such as EU Model clauses – data may be transferred from place to place.
5. Tier your data and conduct risk assessments
Businesses need to differentiate data according to their level of confidentiality and protect them accordingly. They need to consider whether the appropriate solutions are already in place to assess company content – and, conversely, whether they are using technologies that may increase risk, such as consumer file-sharing tools.
Focusing on these five key areas will enable companies, wherever they’re based, to start on the road to compliance with the GDPR before the May 2018 deadline.
Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.