The European Union's General Data Protection Regulation (GDPR) presents challenges for organizations in virtually every industry to meet strict privacy compliance requirements before the imposed May 25, 2018 deadline.
Although GDPR applies to Europe, it impacts any U.S. company that handles EU resident data and failure to comply with its regulations may lead to fines of up to €20 million or four percent of global annual turnover, whichever is higher. At 200-plus pages and 99 articles and recitals, GDPR is a massive law with numerous stipulations.
In a recent IAPP survey, measuring 500 privacy professionals' perceived risk of not complying with the GDPR, U.S. and EU respondents ranked failure to prepare for the GDPR 72-hour breach notification, failure to conduct data inventory, and failure to obtain user consent as the top risk areas.
To implement the changes required to comply, most companies will need to combine expert guidance, technology and employee training. But with 100 days until the deadline, companies that have not yet adequately prepared for it should focus on at least three critical steps to dramatically improve GDPR readiness and the ability to demonstrate compliance before the deadline. These include:
Determining the distinction between data controller and data processor
Under the GDPR, a company is either a data controller or data processor in its vendor/partner relationships and contracts. Determining which you are is very important as it determines which GDPR articles you are required to comply with. For instance, GDPR treats the controller – i.e. the natural or legal entity that “determines the purposes and means” of the data – as the principal party responsible for activities such as collecting user consent. Based on the resulting outcome of data mapping flows, organizations can make the distinction between data controller and processor, and the different obligations that apply.
Determining high-risk data processing activities
For the first time, private organizations will now have to demonstrate to regulators that out of the volumes of data that they manage, they know what data is high-risk, where it resides and how they will build new business processes that ensure the protection of that data. Before the deadline, companies would do well to deploy a data mapping solution that helps determine what type of data is being collected throughout the organization, where it is being collected, where it originates (such as the EU), with whom it is shared, its sensitivity and how it should be classified for storage or deletion. That might sound like a lot of different variables, but today's data mapping tools are increasingly sophisticated and an invaluable asset to manage company-wide data flows.
Managing user consent at scale
The GDPR extends the requirements for obtaining data subject consent, which must be “freely given, specific, informed and unambiguous.” In the world of marketing for example, that means companies must demonstrate consumer opt-in and consent for ad personalization. Deploying a process that determines each purpose of personal data processing and that has a scalable method for recording the data and time of each consent – and makes it possible to withdraw consent upon user request – will drastically simplify the process.
As companies scramble to adopt new technologies and processes to become GDPR compliant by May 25, the new EU regulation continues to consume the enterprise security and privacy agenda. But as we get closer to the deadline, it is also becoming clear that privacy professionals need to prioritize and be smart about the processes they deploy. Only time – and the first enforcement cases – will reveal what companies can come to anticipate from EU regulators. But in preparing for the GDPR, companies that have a handle on their data flows, the data that is high-risk, and how to manage user consent, are in a stronger position to successfully comply with the new EU law and to scale to its different requirements.