We’re officially at the one-year mark before the EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018. In the last month many EU Member States have been busy proposing GDPR implementation bills, and this week the CNIL published a summary of the responses received to its consultation on profiling, consent, certification, and notification of violations, which are expected to inform Article 29 Working Party (“WP29”) guidelines on these topics. While the WP29 and many Data Protection Authorities (“DPAs”) have published guidance documents regarding certain GDPR requirements, many questions remain regarding the exact steps organizations will need to take over the next 365 days to be in compliance. However, organizations that continue to delay and wait for answers to these questions have little chance of being close to compliance by next May.
For some organizations this one-year milestone should indicate it’s time to kick into high gear with GDPR preparation, while for others it means they need to get started now before they run out of runway. Organizations that have not devoted much effort to GDPR compliance should not delay any longer, but should start planning their GDPR readiness timeline now to build a practical level of GDPR compliance by next May – especially considering that DPAs have made it clear that there will not be a grace period for GDPR compliance.
Organizations that have done little or nothing to prepare for GDPR would be wise to focus on the following three requirements to get started:
- Data Mapping. In the Age of Big Data, where companies regularly collect and analyze vast amounts of data, it can be difficult to know where to start with data mapping. Generally speaking, the first step to GDPR compliance is to understand the personal data held by your organization – who the data custodian is, the source(s) of the data, where the data is being sent, how it is used, the purpose(s) of collection, the location of the data, and much more. For small companies, creating a data map or inventory can be done manually, but companies with more data will want to consider investing in data mapping products that, through machine learning, can do much of the work (though some manual work will still be necessary).
- Vendor Management. Under the GDPR, organizations must include certain provisions in their contracts to ensure clarity regarding their various data handling obligations. Data controllers are explicitly responsible for ensuring that their vendors handle the personal data entrusted to them properly, and processors can now be held liable when acting outside the instructions of controllers. Thus, organizations should start by identifying all of their third-party contracts that involve the processing of EU personal data, and begin to assess how they need to be revised to be GDPR compliant. Organizations in the US that are Privacy Shield certified will also likely need to update and renegotiate their contracts for compliance with the Onward Transfer Principle.
- Data Subject Access Request (“DSAR”) Systems. Most organizations have a vast amount of personal data stored in various servers – sometimes at different locations around the world – and would be unable to respond to a data subject’s request for access, erasure, correction or portability. Setting up a DSAR System can be quite onerous. Thus, you should start investigating possible technology solutions to respond to DSARs now to reach compliance by May 2018.
A good way to get started on these tasks is to first educate C-level executives and obtain their buy-in. While the possible sanctions are a strong motivator, it is important that your organization understands that GDPR compliance will add value by ensuring better data management. Once buy-in is secured, you should create a GDPR Core Group consisting of key stakeholders from the major departments in your organization. Your GDPR Core Group will be essential in driving these tasks to completion. Without a GDPR Core Group and clear workplans, tackling the GDPR’s many requirements and the projects they generate can be overwhelming – not to mention the Member State derogations that will likely be trickling in over the next 12 months.
While a year may seem like a long time, companies need to start GDPR compliance efforts sooner rather than later because certain tasks (such as those mentioned above) can take many months to complete. With sanctions at 20,000,000 EUR or 4% of global annual turnover, the risk of noncompliance is far more significant than before.