The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, be it data of residents or visitors.
The GDPR has made profound changes to the understanding of privacy, data protection and personal data in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.
GDPR also changes the way that these laws are enforced and brings potential penalties that are significant in nature. Penalties for failing to comply with the articles of GDPR may subject the organization to fines up to €20m or 4% of the organization’s total global revenue, whichever is greater.
How We Can Help
Schneider Downs provides multiple solutions to help our clients achieve and maintain compliance with GDPR:
- Comprehensive compliance and gap assessment
- Data Protection Impact Assessment (DPIA) and Privacy Impact Assessment project management
- Data discovery and data classification programs
- Data Protection Officer as a service offering – a Schneider Downs expert can assume this required role for your organization.
- Guidance and implementation of erasure, or “right to be forgotten” programs
- Guidance and implementation of security measures, including anonymization and pseudonymization of personal data
- Developing and executing training and awareness programs
- Guidance and implementation of vendor management best practices for ensuring controls over data in the supply chain
- Policy and procedure development to bring current practices into compliance
Schneider Downs Approach to GDPR Compliance
Ensuring compliance with GDPR will not occur overnight. We recommend a multi-disciplinary, phased approach. These are the steps for GDPR compliance that we recommend (a high-level overview).
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.
2.) Document the Personal Information You Hold
You should document what personal data you hold, where it came from, what you do with it and who you share it with. We use data flow diagrams and business process maps for each of these processes.
3.) Communicating Privacy Information
You should review your current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.
4.) Individuals’ Rights: Right to Be Forgotten, Transfer Data or Correct Data, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete any obsolete data (e.g., right to be forgotten), transfer data upon request or correct any incorrect information.
5.) Data Subject Access Requests for Data / Information on Data Handling
You should update your procedures and plan how you will handle data extraction requests to meet the 30-day requirement. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data. They also have the right to inquire about the nature of further processing and treatment of their data while it was in the controller’s possession.
6.) Inventory Your Data
Identify all the data subjects for which you process or store sensitive data and determine whether GDPR applies to their country. Document the supervisory authority for each member country and identify the data controller for each process. You need to also determine who the lead supervisory authority will be based on your overall activities.
7.) Lawful Basis for Processing Personal Data
You should review your current practices and contracts and identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consent processes now if they do not meet the GDPR standard.
9.) Data Breaches / Incident Response Plan
You should make sure you have an incident response plan in place to detect, report and investigate a personal data breach. The plan needs to be documented and tested.
10.) Security of Processing
You should ensure that certain technical safeguards are in place to ensure that risk to personal data is effectively mitigated. Your plan should include techniques such as the pseudonymization and encryption of personal data. Effective controls to not only ensure the ongoing security, but also the confidentiality and availability of personal data must also be in place.
11.) Data Protection by Design and Data Protection Impact Assessments
You should familiarize yourself now with the code of practice on Data Protection Impact Assessments as well as the latest guidance from the Article 29 Working Party, and decide how, when or if you need to implement these in your organization.
12.) Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to the highest levels of management.
If your organization is late to comply with GDPR, please visit the Our Thoughts On...blog to read more about our recommendation on how to become compliant.