This is a guest post by Margaret Alston, Director of Consulting, TrustArc
With the compliance deadline looming for the European Union’s new all-encompassing privacy legislation, the General Data Protection Regulation (affectionately known as the GDPR), organizations around the world are considering whether they need to comply and, if so, how. In some cases, the decision will affect whether the organization continues to accept customers or employ staff in the EU (and may even affect revenue tied to current customers in the EU). In other cases, the question is how the organization can comply in ways that both regulators and customers expect. Regardless of the business pressures, it is a complex set of considerations. However, setting up a framework for thinking about the GDPR can help an organization navigate these choices. Creating an actionable roadmap can then move the organization towards compliance, step by step.
First, it may be useful to understand a little about what the GDPR is and how it applies to organizations.
About the GDPR
The General Data Protection Regulation replaces Directive 95/46/EC (the “Directive”). It was adopted in April 2016 and entered into force in May 2016, and it applies in all EU Member States from 25 May 2018, when enforcement begins. The Regulation gives individuals more rights and places more obligations on organizations that process personal data.
Even though the GDPR carries forward many of the rules already in effect in the EU, there are some important changes. Perhaps most importantly, its scope expands so that some organizations that previously did not have to comply with EU privacy rules now must. Specifically, the GDPR changes the position of non-EU businesses and of vendors that process data about individuals in the EU.
- Non-EU Businesses – The Regulation applies to organizations with no establishment in the EU when they offer goods or services to data subjects who are in the EU (whether or not payment is required) or monitor the behavior of such data subjects within the EU (Art. 3(2)). Many businesses not currently subject to European data protection law will therefore need to comply even if they have no presence in Europe. Note that the test is where the data subject is, not residency or citizenship.
- Data Processors – EU privacy law has always thought of data processing roles in terms of “controller” and “processor.” At a high level, a “controller” is the organization that makes the important decisions about how data are handled and used. A processor typically is a vendor to the controller and handles the data only on the controller’s documented instructions. In the past, most privacy rules applied directly only to the controller. The GDPR now imposes direct obligations on processors as well: a written contract with mandatory terms (Art. 28), records of processing activities (Art. 30(2)), appropriate security measures (Art. 32), appointment of a Data Protection Officer where the criteria are met (Art. 37), assisting the controller with Data Protection Impact Assessments/Privacy Impact Assessments (DPIA/PIAs) (Art. 28(3)(f)), and compliance with the cross-border transfer rules (Chapter V). Processors are directly liable for administrative fines (Art. 83) and for compensation claims from data subjects (Art. 82), and a processor that decides the purposes and means of processing on its own is treated as a controller for that processing (Art. 28(10)).
Quick sidebar: “Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws. Art.4(7)
“Processor” means a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. Art.4(8)
Framework for Considering the GDPR
So how to think about compliance with the GDPR? I would suggest that consideration of the following questions can help:
- Does it apply to my organization (now, or in the future) and if so, how?
- If it does, what are the requirements?
- How can I comply and what resources are available?
Does It Apply, and How?
Before an organization can make an informed decision about whether it needs to comply and, if so, how, it is critical to understand exactly how the GDPR affects the business, and for which types of data and business processes.
Common ways in which the GDPR applies to organizations include:
- The organization has employees in the EU – typically acting as a controller for HR data.
- Some or all of the organization’s business involves customers (business or consumer) in the EU. In some cases, an organization collects business contact information for its business customers, for which it acts as a controller. Additionally, an organization may handle its business customer’s data as part of its service, some of which may be personal data. In these cases, the organization may be a vendor in the traditional sense and operate as a processor, or it may make important decisions about the data together with its customer and be a joint controller (Art. 26), with the obligations that role carries.
- The organization may also use vendors in the EU. Typically the vendor acts as a processor and the organization as controller, though there are exceptions, and the processor contract terms required by Art. 28 apply either way.
Some things to remember when thinking through these and other possible applications of the GDPR:
- The GDPR covers “personal data,” a broad term (Art. 4(1)) that includes business contact details of individuals (such as vendor and business-customer contacts), online identifiers such as IP addresses, and personnel data held for HR/payroll purposes.
- Citizenship is not a factor in whether the GDPR applies to an individual’s personal data. For example, the GDPR would apply to the personal data of a US citizen who is temporarily in the EU when a business offers goods or services to, or monitors, that person there.
What Are the Requirements?
Unfortunately, there is no shortcut to understanding the requirements. It involves either working with an expert to assess and explain the specific requirements, or doing the research yourself, or possibly both. Fortunately, there are resources available to you, however you decide.
That said, here is a high level summary of some key types of requirements that may apply. Be aware that this is not an exhaustive list. Rather, this is intended to give you an idea of the principles that the GDPR expects organizations to apply as they handle personal information.
- Transparency – Data subjects must be told, in concise and plain language, what data is being collected, for what purposes and on what lawful basis, with whom it is shared, how long it is kept, and how to exercise their rights (Arts. 12–14).
- Consent – Consent is only one of several lawful bases for processing (Art. 6), but where an organization relies on it, the consent must be freely given, specific, informed and unambiguous (Art. 4(11)), the controller must be able to demonstrate it, and it must be as easy to withdraw as it was to give (Art. 7). Pre-ticked boxes and bundled consents do not qualify.
- Data Minimisation and Purpose Limitation – Organizations may collect only the personal data that is adequate, relevant and necessary for the disclosed purposes (Art. 5(1)(c)), and may not further process it in a manner incompatible with those purposes (Art. 5(1)(b)).
- Individual Rights – Data protection is a fundamental right in the EU, so much of the GDPR is dedicated to data subject rights: access, rectification, erasure, restriction of processing, data portability, objection, and protection against decisions based solely on automated processing (Arts. 15–22). Organizations need processes to verify the requester, locate the data across systems, and respond within one month (Art. 12(3)).
- Privacy Program – The GDPR expects an accountable privacy program: controllers must be able to demonstrate compliance (Art. 5(2)), some organizations must appoint a Data Protection Officer (Art. 37), and both controllers and processors must keep records of their processing activities (Art. 30).
- Security for Privacy – Without adequate security, no organization can reach good outcomes for personal data. Controllers and processors must implement technical and organizational measures appropriate to the risk, which the Regulation illustrates with pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability and access after an incident, and regular testing of those measures (Art. 32). Data protection by design and by default (Art. 25) carries this into how systems are built and configured.
- Data Breach Readiness – Many organizations have incident response and breach notification policies, but the GDPR requires a controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Art. 33). A processor must notify its controller without undue delay (Art. 33(2)), and affected data subjects must be informed when the risk is high (Art. 34). Because the clock starts at awareness rather than at the end of the investigation, most organizations will need to tighten even good incident response processes so that triage, a risk assessment and a documented decision fit in that window; a late notification must be accompanied by the reasons for the delay.
- Quality – Data that are inaccurate, out of date or incomplete can harm data subjects. The GDPR therefore expects organizations to take reasonable steps to keep personal data accurate and, where necessary, up to date (Art. 5(1)(d)).
How Can I Comply and What Resources are Available?
As a first step, it may be useful to understand where there are specific, current compliance gaps. This insight can be gained through a GDPR readiness assessment, which compares current business practices against GDPR requirements. The gaps, should there be any, lead directly to an actionable remediation plan.
Consulting services, such as TrustArc’s GDPR Strategic Priorities Assessment, can give you this help. There are also technology tools, like TrustArc’s Assessment Manager, that help organizations do this assessment themselves.
It can also be helpful to understand – at least at a high level – steps that an organization might take towards GDPR compliance. Below is a general roadmap of activities that a typical company might take to comply with the GDPR. Of course, if your organization has done a Readiness Assessment, it may be clear that your organization has already accomplished some of these activities.
All things considered, the GDPR question is answerable if taken in small chunks. First, determine whether the GDPR applies to your organization and, if so, exactly how: as a controller, a processor, or both. Second, if the GDPR does apply, a good understanding of the requirements is invaluable. A gap analysis of current practices against those requirements will give a clear picture of where any gaps are and how to fill them. Creating an action plan from there is straightforward, and there are plenty of resources available to help.