
Planning your GDPR journey? Blueprint can show you the way

4 min read
Sep 27, 2017 8:00:00 PM

On May 25, 2018, the European Union’s new privacy law, the General Data Protection Regulation (GDPR), begins to apply.

By now your company has likely focused on making sense of the GDPR’s 99 articles, to say nothing of meeting its comprehensive compliance standards. The regulation’s definition of personal data (what this post, following common usage, calls Personally Identifiable Information or PII) is broad, and today’s business is global, so it is only a matter of time before you have in your possession the personal data of someone in the EU.

For example, an email address that identifies a person meets the definition of PII. If an individual in the EU downloads one of your content marketing pieces or a trial version of your software and gives you their email address, then you’ve just collected their PII. Congratulations – you’ve already been captured by this new regime!

GDPR Compliance is a Journey

Don’t be overwhelmed by the implementation of the GDPR. We’ve broken these new regulations down to identify the challenges and obstacles, and offer some practical solutions to steer you in the right direction.

Primarily, remember that the path to becoming GDPR compliant is more than just a project – it’s a journey.

Just as you cannot climb a mountain in a day, you cannot revise your internal practices with a single exercise. Instead, your path to becoming GDPR-compliant involves a determined, step-by-step approach.

The GDPR applies from May 25, 2018, and while I don’t believe the examiners will hit the streets on that first day, I recommend completing your Privacy Impact Assessments (the GDPR calls them Data Protection Impact Assessments, Article 35) and audit plans early (hopefully you’ve completed them by now). The regulators have not provided guidance on an audit strategy, so I also recommend getting guidance from internal and external auditors.

Focus on the key articles affecting your business processes

By now you should have reviewed the GDPR in detail and identified key articles. I see organizations spending most of their time on the following articles:

  • Articles 12-23 – Rights of the data subject
  • Articles 24-43 – Controller and processor, including records of processing activities (Article 30), processor contracts (Article 28), security of processing (Article 32), breach notification (Articles 33-34), impact assessments (Article 35) and the Data Protection Officer (Articles 37-39)
  • Articles 44-50 – Transfers of personal data to third countries or international organisations, including Binding Corporate Rules (BCRs, Article 47)

Use the comment box below to share your thoughts on which GDPR articles are affecting your organization.

Working to map these requirements to your internal practices will present some challenges, as discussed below.

CHALLENGES

Reviewing the GDPR rules, there are four key challenges that jump out at us.

Challenge # 1 – Breach Notification

The GDPR requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be informed as well (Article 34). A processor must notify its controller without undue delay.

As business leaders, we know that notification is the proper thing to do. Admitting your faults may sting a little, but taking responsibility and being transparent goes a long way towards fixing the problem, advancing your long-term credibility, and recovering your customer’s trust.

Companies should have a breach management protocol as part of their incident management system. Nevertheless, 72 hours is a short window.

Any leader who has been through a breach will confirm that even with a robust incident management process in place, at the 72-hour mark your team is still scrambling to answer basic questions.

  • What happened?
  • How big was the breach?
  • How many people were affected?
  • Should we stop doing business?

In major cases, such as the Equifax or Yahoo breaches, the companies in question were still parsing the facts months after the incident, still trying to determine what had happened. Under the GDPR regime, it will likely play out that the initial notification happens within 72 hours, but the discussion and updates will be ongoing; Article 33(4) explicitly allows the required information to be provided in phases, and a notification made after 72 hours must be accompanied by the reasons for the delay.

Challenge #2 – Meeting your Third-Party Arrangements

The GDPR requires you, as a “controller” of personal data, to ensure that third parties, such as suppliers who process PII on your behalf (“processors”), comply with the GDPR requirements: you may only use processors that provide sufficient guarantees, and the relationship must be governed by a contract containing the specific terms set out in Article 28. Staying onside with the new regulations means closely managing those third-party agreements.

It’s a challenge, as changing existing contracts can be tricky. Agreements may have to be revisited, and those changes will require input from your legal counsel, Chief Privacy Officer, business units, and often other stakeholders.

The third-party requirement has the potential to draw your company into long, drawn-out contracting processes, spending more time and money on ancillary tasks.

Challenge #3 – Individual Rights and Consent

The GDPR gives individuals in the EU some significant rights.

These individuals will have the right to rectification (Article 16), or the ability to demand that their data be kept accurate and up-to-date, as well as the right to erasure (Article 17), enabling them to ask your organization to “forget” them by erasing their data. Erasure is not unconditional: it applies on specific grounds, such as consent being withdrawn or the data no longer being needed for its original purpose, and it yields where you are legally required to retain the data. But when a request is valid, you must be able to act on it.

It sounds straightforward enough, but most organizations have multiple systems, from HR to customer accounts, and sales prospects to marketing campaigns. Updating, revising, or deleting across many systems is challenging, and it cannot be done at all without first knowing where each person’s data lives, including copies held by your processors and in backups. That is why the records of processing activities (Article 30) and a data inventory are a prerequisite for honouring these rights.

Challenge #4 – Governance  

Even the best regulations sometimes run into problems with accountability. Who on your team is responsible for compliance? GDPR tackles the accountability problem by requiring some organizations to appoint a Data Protection Officer (DPO): public authorities, and any controller or processor whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data or criminal-conviction data (Article 37).

The DPO’s formal tasks are to inform and advise the business on its obligations, monitor compliance, advise on impact assessments, and act as the contact point for the supervisory authority and for data subjects (Article 39); in practice the DPO also drafts the internal policies, helps manage third-party vendors, responds to inquiries, educates the business units, and generally handles the issues required for proper data management. Note that accountability for compliance stays with the controller, and the DPO must be able to act independently and cannot be penalised for performing these tasks (Article 38).

If your company requires a DPO, do not let that person flounder in a solitary existence. Establish a steering committee in which the DPO works directly with the business units on data privacy priorities. At each meeting, the DPO should help map the internal processes, share the company’s metrics, and identify areas for improvement. Perhaps most importantly, the DPO can have the final say on third-party contracts, putting pressure on those relationships to raise privacy standards.