The impending European Union General Data Protection Regulation (EUGDPR) is certainly a hot topic right now with much of the discussion centred around what the preparations for EUGDPR might entail and what the impact will be.
Those following the discussion will no doubt have noticed a troubling degree of complacency and a general air of cynicism at the possibility of achieving full GDPR compliance in time for next year’s deadline of May 25th. No matter where in the world data is held, it is still subject to the regulations if it contains the personal data of an EU citizen. The penalties for non-compliance are potentially very severe, so it is a topic that deserves to be top of the agenda.
However, if we sidestep all the doom and gloom, there is a measured approach that will still deliver compliance if businesses are prepared to act on a few simple key points.
Board-level buy-in is critical for compliance
The first is that effective management of GDPR compliance requires board-level visibility and sponsorship. Without it, your organisation is going nowhere. If compliance is regarded as just another task there is a fundamental lack of understanding of the ramifications of a compliance failure and its penalties. For many businesses, the regulation will necessitate a root and branch reform of operations.
This is about day-to-day management and requires a presence on the board of an executive who is the direct point of contact for the person running compliance and responsible for it.
Work out how it will affect your business
Secondly, it is essential that each organisation obtains a contextual understanding of how the GDPR will apply to its operations. In most cases this requires professional help using purpose-built tools rather than a skim-through of online advice. The terms of the regulation are complex and there is no point in denying that expertise is needed in their application. When you map out processes and see how they are underpinned by the data your organisation holds, that’s when you apply the legal justification for what you are doing against it. After the deadline, retrofitting the legalities of compliance will not work.
Appoint the right Data Protection Officer
The important role of the Data Protection Officer (DPO) must then be addressed. Only three types of organisation are mandated to appoint one, but too often that is an excuse for assuming there is no requirement. Any organisation taking this approach needs to ask how it can stay on the right side of the regulation.
The role of the DPO includes telling those deemed controllers and processors under the regulation what their obligations are. It involves monitoring the organisation’s compliance and performance, providing advice on data protection impact assessments, and giving due regard to risks associated with data processing operations.
DPOs must have the legal and information security knowledge and skills necessary to help organisations achieve compliance, yet often the confusion between privacy and security means the responsibility is pushed on to those responsible for security, which is definitely the wrong approach.
Why? Because anyone whose remit is security is looking at the protection of data from the company perspective, whereas the responsibility of the DPO is to the data-subject and not the company. For a DPO there should be no conflicts of interest with any other activities in the organisation and if a breach occurs, a report must go to the authorities – it is not a matter for debate.
Business must have an action plan
At this point the business needs to start building a remedial action plan as the days tick away. There is no point thinking it is all too difficult. It is certainly worth breaking down the entire project into consumable chunks. Apart from anything else, it makes the whole project appear more achievable and lifts morale.
Grasp the difference between privacy and security
This plan should involve an examination of technologies that make compliance easier on a day-to-day basis. Here it is vital to grasp the distinction between privacy and security. While everyone is worried about a breach, it is important to get the priorities right and not put walls around data that it is no longer permissible to hold.
Companies will have to make a shift in mindset, recognising that "It’s their data, not ours" when it comes to personal information about EU citizens. This is a really significant change that makes data-hoarding dangerous. "Data-minimalisation" is now the name of the game. In other words, you should only have the amount of data you require to perform the role your company said it would.
The crucial role of the cloud-provider
Since any efficient business is likely to have data in the cloud, this means assessing the cloud footprint. Unfortunately, many cloud-providers are way behind in realising they have a responsibility as data-processors.
Businesses, as data-controllers under the regulation, need to find out from their cloud-providers how they are going to help with compliance on a footing that is legally certain. Any processor can only carry out activity in line with a written agreement with the controller and in many cases this is not in place.
Inevitably, such discussions will involve the Privacy Shield arrangement, which has allowed EU data to be stored in the US but which is now under threat of legal challenge.
Although the GDPR deadline is coming up fast, a systematic, measured approach following the tips outlined here should, if mixed with appropriate levels of expertise, lead any business or organisation into safe compliance with the regulation. Anything less is going to be fraught with risk.
Adam Ryan is GDPR practice lead at Calligo