These questions were posed to us during our recent webinar on GDPR planning. You can listen to the full webinar on-demand and/or download the slides here.
Gartner predicts that by the end of 2018, only half of companies required to comply with the General Data Protection Regulation (GDPR) will actually be compliant. GDPR will be here in under 10 months and is proving to be a bigger challenge than many expected. While most recognize the weight of this new regulation, many companies are struggling to find the time to get GDPR implementation plans off the ground.
This lack of action doesn’t mean companies aren’t worried about new GDPR requirements. In fact, it’s quite the opposite. More than 85% of organizations believe their failure to comply with the GDPR will have a negative impact on their business. One in five companies fear having to lay employees off after suffering a penalty from non-compliance with the GDPR.
These are legitimate fears. The GDPR has stiff penalties for those who fail to comply – up to $21 million or 4% of revenue, whichever is higher. For many companies, a hit like this could mean serious layoffs, as well as reputation and client loss.
With less than 10 months to go, many are wondering if it’s even possible to become compliant by May if they start now, or feel overwhelmed by the number of projects they have left in their GDPR plan. But our Data Privacy team has been helping clients with operations across the globe execute their GDPR compliance programs for over a year now, and has identified a few key practices that will help you speed up your timeline and prioritize GDPR projects effectively.
To help you out, our experts answered some of the big questions they get around GDPR compliance. They’ll help you figure out which GDPR activities can be done in parallel, which areas to focus on first, and what areas are going to take the most effort. Let’s dive in.
Question 1: What are you finding are the largest projects that need to be tackled – in terms of timing and effort?
Policies and procedures are one thing. But to operationalize and maintain some GDPR-mandated programs, many organizations will require new or upgraded systems. For larger organizations, these systems may be in place, but for others, this could be a significant expense. Before finalizing your budget, take the time to look at what systems you have in place and how they’ll measure up against GDPR requirements. Determine what tools you’ll need to close the gaps. Most organizations end up needing support tools to address:
- Data Subject Request management
- Consent management
- Data Privacy Impact Assessment (DPIA) program
- Data mapping
Managing your timeline may be your biggest challenge. Quite a few of the Articles under GDPR require extensive efforts from a number of resources and departments across your company. Depending on your industry, we see resources from nearly every side of the business getting pulled into GDPR compliance: IT, security, privacy, HR, legal, marketing, customer service, and more. Requirements like Right to Erasure or Data Portability will require you to make changes to entire workflows, which means resources from a number of departments will need to review and provide input. Once you’ve updated these workflows properly (and those connected to them), you’ll need to provide training to all parties involved.
Question 2: What are some GDPR projects that can be performed concurrently?
With everyone under the gun to get GDPR in place by May, many are looking for opportunities to run projects simultaneously. Based on our experience helping companies get GDPR plans up and running, we’ve identified a few areas where you can run projects in parallel and get a bit ahead of the game.
Security is an area with ample opportunities to get multiple projects off the ground simultaneously. For example, nearly every organization is going to need to implement new security safeguards, like encryption for data at rest in higher-risk systems. Implementing these security safeguards concurrently will help you speed up your timeline and reduce the amount of effort required from resources across your company.
Like we mentioned in the last question, a number of projects are going to require the creation of new policies, procedures, and training programs, which can be pretty time-consuming. The good news is that, in our experience, a lot of policy and workflow creation can be done in parallel. Developing or enhancing policies and procedures simultaneously will help you create cohesive baselines, set strong standards for current initiatives and future projects, and ensure consistency across all new documentation.
In slide 11 of our presentation below, we recommended a few ways to group GDPR projects so you are tackling enhancement activities in the most efficient way possible.
Question 3: Which risks should be prioritized in terms of what regulators are placing a heavy focus on?
While we wish we had a crystal ball that told us exactly what regulators will focus on next year, we unfortunately do not. But based on the motivation behind this regulation and the behaviors we’ve seen around similar privacy laws, we believe regulators will focus on the risks that could have the greatest impact on the data subject, while things like system-specific assessments may take a back seat at first.
An area like data subject request management can serve as a good example. Let’s say that due to time constraints or a lack of budget, your organization failed to get the proper channels in place for customers to submit requests around Articles like Right to Erasure. Regulators would view the inability to submit a request as a high risk to individual privacy rights and as a leading indicator that your organization may be non-compliant elsewhere, leading to further investigation and potentially devastating penalties.
While regulators may shift their focus over time or adjust it depending on industry, when it comes to planning a GDPR implementation, we recommend considering the impact different projects will have on the data subject and making those a top priority.
Question 4: Do privacy impact assessments need to be retroactively performed for all processing activities to ensure that evidence is maintained that they were performed?
The rollout of GDPR is the perfect reason to assess your current privacy program or initiatives and ensure they are current with your business objectives and are aligned with privacy best practices. While regulations with looming deadlines can easily lead to privacy by default, a privacy impact assessment (PIA) presents an opportunity to shift towards enhancing the practice of privacy by design.
Your PIA should be designed to help you assess the privacy risks associated with the handling of personal data through your services or product offerings. Your PIA should include procedures on:
- Evaluating the collection, use, and storage practices for alignment with regulatory, legal, and policy requirements
- Identifying the privacy risks and potential impact to the organization
- Identifying and evaluating procedures and safeguards that are implemented to mitigate privacy risks
So, in short, you most likely don’t need to perform retroactive PIAs. But it is important that going forward, you perform PIAs in a way that allows your organization to understand the privacy risks around the collection, use, and storage of personal data, enabling you to make informed decisions prior to introducing the risk into your organization.
Question 5: Is there a report or certification we need to get from third parties that handle data on our behalf to ensure they are following the GDPR requirements?
It has been confirmed that there will be a certification for GDPR compliance; however, it is still being defined by the regulatory body. At this time, we’re not sure what standards it’ll be tied to, but we’re closely monitoring all relevant communications. In the meantime, requiring an ISO certification or a SOC 2 report as part of vendor risk management may provide the level of comfort you’re seeking.
Implementing GDPR is a daunting task that requires enterprise-wide coordination and efforts. However, with proper planning and smart delivery, implementation by May of 2018 is not impossible. Check out our latest, on-demand webinar for more insights into how to build a tactical, achievable GDPR plan.
Want 30 minutes with a GDPR expert? Drop us a line and we’ll set up a free consultation.