Fostering firm-wide compliance: A Post-GDPR Adoption To-Do List
This post was updated 2/20/19
It's been nearly a year (9 months, to be exact) since the deadline for General Data Protection Regulation (GDPR) compliance hit – that is, the EU’s sweeping data protection and privacy regulation designed to give individuals more control over their personal data and privacy protection. As you know, the regulation has massive data collection, storage, portability, and use implications for any company that accesses data belonging to EU individuals, which pretty much means all of us.
Chances are, you sent emails, held briefing sessions, and maybe training workshops leading up to the May 25th compliance deadline to get key players up to speed, and that some of those efforts – company newsletter notifications, for example – at least theoretically permeated to every member of the organization. But translating sweeping regulation and aligning protocols throughout the firm takes time, and achieving full compliance will continue to be a work in progress. In light of this, we've developed a post-adoption to-do list to help you foster compliance.
Make someone in your organization ultimately responsible for data handling, and establish a clear line of communication to that position.
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO), depending on size and core activities relating to sensitive personal data processing. In other cases, member state law may stipulate broader DPO appointment requirements for organizations. However, many companies are opting to voluntarily appoint a DPO even where none is required. Whether appointed internally or outsourced, the DPO acts on behalf of data subjects, not your business, and therefore acts as an “insurance” policy while guiding your team through complex compliance issues. Alternatives to a DPO include a Chief Data Officer (CDO) or Privacy Counsel. Whatever you decide, appointing a single person who is ultimately responsible for data handling will create a clear chain of command when issues arise.
Go back to the basics
In the midst of complex compliance protocols, going back to the basics is a useful exercise. Find a way to regularly remind your team why the EU crafted these regulations, and why their adoption ultimately helps guide your business to better serve all clients. Specifically, the GDPR has three goals:
- To unify and strengthen the protection of personal data for EU citizens
- To give EU residents greater control of how their data is stored and used
- To control how personal data is exported outside the EU
“Understanding how your business can fulfill these aims is the first step to compliance,” says Alex Pavlovic of Qualsys. Making sure everyone has a basic grasp of the fundamental goals of the regulation can go a long way toward establishing a culture of privacy protection.
Regularly remind your team about GDPR core compliance principles
In the same vein of going back to the basics, reiterate core GDPR compliance principles as regularly as possible. These include:
- Obtaining Consent
- Timely Breach Notification
- Right to Access Data
- Right to be Forgotten
- Data Portability
Reminding team members of these core principles will help to foster compliance fluency, and in doing so, help to embed compliance-minded behavior throughout the organization. Making sure that everyone is aware of these principles will also help team members whose specific job functions relate to only some of them, or to none, gain a more comprehensive understanding of data privacy protection.
How many times can we say 'affirmative consent?'
This one you know, but it bears repeating – especially to team members who may only have a soft relationship with data collection. Valid consent under GDPR is defined as “freely given, specific, informed, and unambiguous.” This means no pre-ticked boxes, keeping consent requests separate from other terms and conditions, and making it easy for users to withdraw consent at any time. It also means that consent must be understood and obtained on a more granular level, requiring separate consent for different forms of processing, which is why it's so important for everyone in your organization who might engage with clients and their personal data to have a clear understanding of exactly what it means under GDPR.
Know the difference between data processors and data controllers – and what this means for third-party support functions
The GDPR distinguishes between data controllers and data processors as a way of assigning roles and responsibilities to companies and the parties they work with to make data useful through processing. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees). The more complex your system of internal and outsourced processors is, the greater your data’s net exposure, and exposure risk. So cultivating an understanding of how the new regulations apply as data flows across various systems is a good way to help fill compliance gaps. A clear picture of data controller vs. processor roles and responsibilities can help foster end-to-end accountability.
Stay tuned for more about GDPR and its implications. For further reading on compliance, explore the links below.