There will soon be an unprecedented amount of activity relating to GDPR. Is it really that bad or are we just surfing the crest of a prime sales and marketing opportunity?
With May 25th fast approaching there is an unprecedented amount of activity in the compliance and ethics blogosphere relating to GDPR. As the implementation date gets closer, the hype has increased. In some cases it has reached scaremongering proportions, with much focus on the new penalties that will be available to regulators: up to €20M (roughly $25M) or 4% of annual worldwide turnover, whichever is higher. But is it really that bad or are we just surfing the crest of a prime sales and marketing opportunity?
In its guidance on preparing for GDPR, the Information Commissioner’s Office advocates a measured approach saying “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.”
In this series we’ll be offering a practical six-step plan to help you achieve GDPR compliance in the remaining weeks leading up to May 25th, focusing on the key activities that you can realistically complete and that will put you (or keep you) on the path to GDPR compliance.
Each of these steps will be covered in more detail in our weekly posts and they are also set out in our template GDPR compliance project plan which you can download here. Below is a closer look at step 1: scoping and mobilisation.
Step 1: Scoping and Mobilisation
(otherwise known as ‘failing to plan is planning to fail’)
If you haven’t already got your GDPR compliance project plan up and running, we suggest you start by scoping and planning your activities and deciding how to mobilise the right resources. To decide what you need to do, perform a gap analysis of your existing program against the differences between the current and the new legislation. This will give you a sense of your organization’s ‘GDPR readiness’.
To start, here are a few key questions worth considering:
- Do you have processes in place to conduct the required Data Protection Impact Assessments (DPIAs)?
While privacy impact assessments have been recommended best practice for some time, Article 35 of the GDPR now mandates a DPIA wherever processing is likely to result in a high risk to individuals’ rights and freedoms, and names examples such as systematic profiling, large-scale processing of special categories of data, and large-scale monitoring of public areas. To conduct an effective DPIA you, of course, need a sound appreciation of what personal data you hold in your organization, what processing activities you conduct, and what data flows and transfers are taking place.
- Are your consents in order?
Where you are relying on consent as the lawful basis for processing data, are you able to demonstrate that you meet the requirements of Article 7 with regard to clarity, accessibility and ease of withdrawal? A best practice here is to audit existing materials and processes where consent is currently gathered from data subjects, and to review the language and process used.
- Do you have a process in place to ‘forget’ data subjects on request?
Again, the right to erasure is not an entirely new concept, but Article 17 of the GDPR aims to give data subjects greater control over their personal data. This includes the right to have data controllers erase personal data, cease further dissemination and, in some cases, have third parties cease processing. The right is not absolute, however: Article 17(3) preserves exceptions such as data that must be retained to meet a legal obligation or to establish or defend legal claims, so your process needs a documented way to decide when a request is refused. Your audit of the personal data your organization holds, and of the flow of personal data both within your organization and between your organization and third parties, will be critical to implementing an effective erasure process: you can only erase what you can find.
- Do you need a DPO?
Article 37 of the GDPR sets out the circumstances in which an organization must appoint a Data Protection Officer. Even if you are not required to appoint a DPO, now is a good time to review the available resources within your organization that can be assigned to assuring GDPR compliance, to engage key stakeholders, and to assign and document roles and responsibilities for data protection.
- Are you confident that you can notify a data breach within 72 hours?
Do your employees understand how to recognize a data breach and know what to do if one occurs? Do you have appropriate systems in place to ensure that the necessary workflow can be completed within 72 hours? Note that the 72-hour clock in Article 33 starts when the controller becomes aware of the breach, not when the investigation concludes; notification to the supervisory authority may be delivered in phases if the facts are not yet available, and every breach must be documented internally whether or not it turns out to be notifiable. Processors have their own obligation to notify the controller without undue delay, so your contracts with them should say how and how quickly, and where a breach is likely to result in a high risk to individuals, Article 34 additionally requires that the affected data subjects be informed. Compliance with Article 33 will therefore have both training and procedural impacts.
- Do you have systems and processes in place to securely and efficiently transmit personal data to another controller?
The new right to data portability set out in Article 20 of the GDPR entitles data subjects to receive the personal data they have provided in a structured, commonly used and machine-readable format and, where technically feasible, to have it transmitted directly from one controller to another. It applies where processing is based on consent or on a contract and is carried out by automated means. The transfer will, of course, need to be done securely and in a manner that also respects Article 17, the right to erasure, and the requirement in Article 5(1)(e) that data be kept no longer than necessary.
A thorough readiness assessment will lay the foundation for a pragmatic plan to close the gaps between your current data protection program and the requirements of the GDPR. SAI Global’s governance risk and compliance software can help. It contains several modules tailored to meet the requirements of GDPR including a comprehensive readiness assessment tool that includes key stakeholder surveys, action tracking, and project management capabilities.