Global Preparation for the General Data Protection Regulation (GDPR)

A surprising number of company leaders seem to be taking a wait-and-see approach to the GPDR. They want to see just how the law’s provisions will be carried out in practice. That’s understandable, but it might not be wise. The GDPR isn’t just a toothless suggestion. It’s a serious directive, and avoiding its penalties, which can range as high as 4 percent of an enterprise’s worldwide financial turnover, is going to be an important objective for any business that does business in the EU or with EU residents.

As of May 25, 2018, any enterprise that handles the personal data of EU residents will face stiff penalties for data handling practices that violate the new law. The wide scope of the law may come as a surprise to business leaders and IT professionals outside the EU, even ones accustomed to dealing with local or national regulations of their own. The GPDR provisions make no allowance for where data is handled — inside or outside the EU. What’s important is that the subject of that data resides in (or is present in) the EU. This seems understandable enough, though many businesses worldwide are either unaware or only dimly aware of the upcoming law.

Until the new regulation takes full effect in May 2018, organizations are expected to make the preparations they need to meet the law’s demands. During this period, you should pay special attention to the preparations companies similar to yours are making for GDPR compliance. This can help you avoid being blindsided by enforcement actions.

Under the GDPR, personal information that your company might routinely collect, such as customer demographics, requires intense care if it can personally identify an individual. Preparation for GDPR compliance means, first of all, an enterprisewide assessment of the kind of data your organization collects or holds. You’ll need to distinguish EU resident data from other personal data or — perhaps the most efficient course — treat all personal data with the same heightened level of protection. The simplest course may well be to delete nonessential personal records entirely. Remember, the high price of noncompliance can turn unprotected personal records into toxic assets.

Under the GDPR, enterprises will need to carefully steward any information that could be used to identify a covered individual, including information such as:

• Name
• Unique identifiers, such as social insurance account numbers
• Location data that can be used to pinpoint an individual
• Email address and other contact information
• Characteristics specific to the individual:
  • Political Opinions/
  • Religion and Religious Affiliations
  • Physical Characteristics and Details
  • Special categories of data such as Genetic Information and Biometric Information

Organizations will also be expected to comply with requests to erase data belonging to individuals who do not wish for it to be held. This provision is officially known as the right to erasure (sometimes more colloquially called the right to be forgotten).

Preparing for GDPR compliance will take time, because the GDPR calls for accountability as well as compliance.

In fact, one of the most challenging elements of meeting the GDPR’s requirements is one of record keeping. Companies will not only have to be careful to store only appropriate personal information, but they will also have to document their compliance with the regulation. They’ll need careful record keeping so they can meet the requirement to notify affected data subjects in the event of a breach. The GDPR also requires that you maintain and enforce internal data policies — time frames for data retention, for example — and these should be articulated for all stakeholders.

Equally challenging for many organizations will be the adjustments they will need to make to their internal structure to meet GDPR mandates. Both personnel and practices will be affected. GDPR compliance, for example, may call for enterprises to designate a data protection officer to represent the interest of data holders in certain circumstances, such as where required by member state law or when processing special categories of data on a large scale.

Best practices can be hard to describe in depth when they concern a regulation that’s not yet in full effect. But the GDPR is concrete enough that some steps are easier to identify, for example:

• Work together. Make sure every part of your organization — from legal to accounting to sales to customer service — is aware of the implications of the GDPR and operates with the common goal of meeting its requirements.
• Assess the impact. Survey all data you hold (from customers, employees or other individuals) for all the kinds of identifiers the law affects, and make protecting them a priority. This also includes business contacts, not just consumers.
• Plan judicious data use and collection. Identify, as closely as you can, what data will be necessary for new and ongoing projects, and use the least amount of personal data possible. At the same time, test your procedures for meeting individuals’ requests for data access or erasure. Frugal use of data will help you avoid challenges to your data practices and help reduce the risk of a breach.
• Create a notification plan. In the event of a breach, the ability to contact the supervisory authority within 72 hours and notify affected data subjects is critical. If you don’t report the breach or can’t reach the data subjects, you may face fines and other penalties, even when the breach is no fault of your own.

As wide-sweeping as it is, the GDPR is ultimately a regulation that can be tackled like any other. We think the single best thing you can be doing about GDPR compliance is setting yourself and your team in motion rather than sitting on the sidelines.