The General Data Protection Regulation (GDPR), no matter how exacting it seems, should be taken as an opportunity to reassess not just your organization’s data privacy model but also its entire data management and governance framework so you can sustainably comply with the GDPR.
Here’s a step-by-step guide we have prepared to enable you to sustainably achieve GDPR compliance:
Step 1. Get a good grasp of the GDPR
Understand its provisions
In April 2016, the EU parliament approved the GDPR standard, which was intended to replace the 1995 Data Protection Directive 95/46/EC. The key purpose of the GDPR is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” Specifically, it aims to (i) harmonize data privacy laws across Europe, (ii) safeguard and empower all EU citizens’ data privacy, and (iii) reshape how organizations across the region approach data privacy.
All affected industries are expected to be GDPR compliant by the 25th of May 2018. But which businesses will be specifically affected? What is the territorial applicability of the GDPR standard?
Whether you are located within or outside the borders of the EU, your organization should comply with the GDPR if it gathers, processes, and/or stores the personal data of Europeans and meets one of the following criteria: (i) it has more than 250 employees, or (ii) it has fewer than 250 employees but its data processing can affect the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
Determine its implications for your organization
Noncompliance with the GDPR can literally cost you millions of dollars. You can be fined up to 4% of your business’ annual global turnover or €20 million, whichever is greater. Oliver Wyman expects that in the first year of GDPR implementation alone, the EU could amass at least $6 billion in fines and penalties. This could happen because many organizations are still not ready and the GDPR complicates an already inherently complex data management and governance landscape.
Under the GDPR, you need to observe and implement various measures including the following:
- Data subject rights. Ensure that every individual has the right to be informed, right of access, right to erasure (to be forgotten), right to rectification, right to data portability, right to object, and right to restrict processing of their personal data.
- Breach notification. This is mandatory and should be done without undue delay or within 72 hours of becoming aware of a breach that can compromise individuals’ personal data and put their rights and freedoms at risk. The parties that should be notified include the customers and, if you are a data processor, the data controller, i.e. the organization that collects or “owns” the data.
- Contracts and documentation. A written contract that details relevant provisions of the GDPR should be in place whenever a data controller hires a data processor, or a data processor hires another processor. Whether you are a data processor or controller, you are required to document your data processing activities.
- Data privacy by design. Privacy and data protection should be considered from the onset of any project that involves and can affect data privacy.
- Data Protection Officer (DPO) appointment. Appointing a DPO is mandatory for public authorities and for private organizations that carry out large-scale data processing or processing that may reveal sensitive information about individuals, such as their ethnic origin, political affiliation, religion, or criminal convictions. A DPO can be an internal or external appointee.
Step 2. Evaluate Your GDPR Compliance Readiness
To determine if your organization is all set for the GDPR, you should assess key factors that can influence data privacy, security, and protection. Ensure that your and your partners’ people, processes, and technologies across the value web meet the provisions of the GDPR.
Establish a team to ensure sustainable GDPR compliance
Appointing a DPO alone may not be enough. Forbes suggests building an office comprised of individuals who are “proficient at managing IT processes, data security (from prevention to response and remediation), and critical business continuity issues around collecting, storing and processing sensitive personal data.”
Ensure that everyone in the organization is GDPR aware and compliant.
GDPR noncompliance can be terribly costly and damaging to your organization’s reputation, so it should be a paramount concern not only of the DPO and CDO, but of all C-level executives and every business user across the entire organization (including third parties). Organize continuous orientation and training programs to educate all stakeholders and keep them updated on changes in GDPR provisions.
Rethink existing workflows
Ascertain whether individual processes in your organization meet all the requirements of the GDPR, such as privacy by design. Establish data visibility into every process so that personal data stays secure and protected across all workflows.
Enable near real-time breach notification
Ensure that you have a mechanism in place that allows you to immediately and automatically notify all concerned individuals in case of a data breach.
Introduce new practices and policies
Formulate ways to properly and comprehensively document data processing activities, proactively detect and mitigate data threats, and cater to data subject rights. For example, to enable the right to data portability, have a process in place that enables you to securely and compliantly transmit personal data upon the subject’s request.
Technology
Re-evaluate your technology stack
Do you have the right technologies in place that will allow you to completely and sustainably comply with the GDPR standard? Can your legacy systems keep up with its requirements? What technologies should you invest in to ensure continuous compliance?
Invest in technologies with data in mind
The GDPR is all about data so you should invest in platforms and solutions that can enable you to map where your data is, safeguard it from all kinds of attacks, and preserve it throughout its lifecycle.
Step 3. Future-proof your compliance strategies
Make provisions for future integrations
Integration processes can influence data security, quality, integrity, and compliance. It can be helpful to host your applications and processes on a GDPR-compliant integration platform. A “compliant container,” however, does not make “noncompliant contents” compliant. Look for a host or an integration platform that offers more than just infrastructure and physical security, and that allows you to wire your systems together seamlessly and transport data across integrated systems without violating the provisions of the GDPR or of other data standards.
Embrace a data-led approach
Again, the GDPR is all about data, so it should be the focus of your compliance efforts. A data-led approach is a more sustainable approach to GDPR compliance because it ensures compliance at the data layer without having to “duct-tape” your applications, systems, and processes.
Just like any other standard, the GDPR is subject to amendments. The GDPR could also be just the tip of the iceberg of the even more complex global data standards to come. This is why you should do more than just “tick the boxes.” Create a full-scale and sustainable compliance program using a data-led approach.
Liaison’s ALLOY® Platform, the world’s first Data Platform-as-a-Service (dPaaS), can empower you to sustainably comply with the GDPR standard by keeping your data safe and compliant throughout its lifecycle. Contact one of our data experts to learn more about how it can help you ensure sustainable GDPR compliance.