The attention surrounding the EU’s General Data Protection Regulation (GDPR) is growing as the law's May 25, 2018 effective date looms closer.
Given the consequences of non-compliance (4 percent of revenues or €20 million — about $23.6 million), I would have expected companies to be further along on their compliance journeys. Instead, a recent report indicates that only 66 percent of senior management are aware of the implications of GDPR, and 41.5 percent are still in the planning stages.
Short of GDPR Resources? Join the Club
Considering that the GDPR was introduced more than a year ago, it looks as if a good number of organizations will accept the risk of non-compliance given the regulation's complexity and enforcement uncertainty.
If your organization usually complies with laws and regulations that impact the business, but is simply short of resources and expertise, join the club. Over 70 percent of organizations I have spoken with in the past six months are in the same situation, and I suspect the numbers are higher still for not-for-profit and higher education institutions.
Panic might seem like a natural reaction to this situation, but consider a well-laid-out plan as the alternative.
Steps Towards GDPR Compliance
While meeting GDPR requirements may seem a little overwhelming at first, it’s actually not that hard when approached with a planned, one-step-at-a-time process. And with eight months until the regulation goes into effect, you have some time to work on it.
With that said, this is how I would proceed.
Thoroughly Analyze Your Current Data Situation
Before you can bring your company’s data situation into compliance, you first need an accurate picture of what it looks like today: what information you have, what you do with it, how you process it, who has access to it, etc. That means mapping all incoming and outgoing data — and not just for your customers. You’ll also need to include data exchanges with vendors, partners and governmental agencies.
You can’t be compliant if you exchange data with someone who isn’t.
Cull Unnecessary Data
Don’t be a data hoarder. Every piece of data you collect, store and process has associated risks, so the “We may need it someday, and there’s no harm in keeping it” philosophy is fundamentally flawed. If you can’t come up with a business case for keeping a certain type of data, seriously consider deleting it. Doing so will reduce both your liability and your workload.
Identify Every Touchpoint That Requires Notification and/or Permission, and Develop Those Messages
Work with your legal team to develop wording that meets the law’s requirements without being too convoluted for people to understand. Once the notifications have been written and approved by legal, you can turn them over to your digital team to add to your website, along with any relevant links or forms.
There’s no harm in meeting this requirement early, so don’t wait until the last minute to write them up in a rush.
Talk to Your Vendors and Partners
Your compliance only goes so far if you do business with companies that are not compliant. In addition, the rules about deleting data apply all the way down the line. As part of your own compliance, it’s important to develop processes to notify third parties who use or access your customers’ data and request deletion on their end as well.
Address the Issue of 'Right to Access'
This is a multi-layered initiative. Not only do you have to let your site’s visitors know that they’re entitled to a copy of their data; you also have to institute the process by which that will be achieved.
You’ll probably need to involve both your legal team and IT resources to figure out the safest, most efficient way to do it. For example, will customers be allowed to download or print their own information or will they need to work with a representative of your company?
Develop a Process for Breach Notification
The GDPR also requires you to notify consumers when there’s a possibility their data has been accessed by unauthorized parties. Start the policy development process by nailing down the timeframe in which you’ll send out notifications and the processes by which you’ll do it. Note that the regulation specifies a 72-hour window to address this.
Next, write copy that will apply regardless of the nature of the breach. Incident-specific copy can be written as needed, but it’s always a good idea to get your legal team’s input ahead of time so you can work quickly in the event of a breach.
Hire Additional Team Members as Needed
This is one of those situations where, unless it’s a specific person’s responsibility, it’s no one’s responsibility, and it won’t get done. For the job to be taken seriously, identify one person whose primary focus this will be.
In addition, some businesses, such as those that process demographic data or are in highly regulated industries, need to identify a data protection officer (DPO).
Identify Outliers and Decide How to Deal With Them
The GDPR doesn’t consider market size in the application of the law. If you only have a few customers in a given location, you’ll need to decide whether those customers are valuable enough to justify the costs of coming into compliance. You may discover that “firing” those customers is actually your best choice.
For example, if 99 percent of your customers are in the US, does the remaining 1 percent spend enough to justify the cost of compliance?
Compliance Is Within Reach, Provided You Have a Strategy
Coming into compliance with new regulations can be expensive in terms of both time and resources. Some smaller businesses with just a few customers in the EU may decide that coming into compliance isn’t worth the expense. Others may choose to exceed the GDPR’s requirements after concluding that data security is an important factor in their brand identity. Most will probably decide to meet the minimum requirements to have things in order by next May.
Whichever option you choose, breaking the project down into manageable steps and working through them systematically will help make GDPR compliance a bearable process.
In addition, keep in mind that the goal of GDPR is to improve consumer data protections, not to generate revenue from fines. Initially, we expect to see a focus on supporting businesses in their efforts to become compliant rather than on audits and fines. So any progress you make is a good thing — no one is expecting immediate perfection.