Cramming for the GDPR in 90 Days: Is it Possible?!
So, you haven’t done much regarding the GDPR? Perhaps business has been crazy, customers unusually demanding, and fires have consumed everyone’s attention? You’ve probably intended to better understand the GDPR, aware that time is running out. Now your question is this: Can the GDPR be “accomplished” in 90 days?
The answer: maybe…. or maybe not—it depends on many factors. The biggest hurdle is that you only have 13 weeks. Thirteen. Second, you probably do not have anyone available that really understands the GDPR.
This article is written for those organizations that want to know if it’s possible to tackle the GDPR in just 13 short weeks, and what that herculean effort would entail. The project plan outlines what it will take to align your enterprise with the GDPR by 25 May 2018.
Week 1: Get Expert Help, Immediately
I’m not calling you a procrastinator; maybe you’ve been unusually swamped—for a year. But it’s time for tough love: you’re not going to accomplish GDPR by yourself. If you could, you wouldn’t be in this situation. You need an expert GDPR team that knows exactly what to do. And I mean: Exactly. What. To. Do. If you’re not willing to employ an expert GDPR team for three short months, then don’t worry about reading the rest of this article.
Most people have heard that the General Data Protection Regulation can issue severe penalties for non-conformance amounting to 20 million euros or 4% of annual global turnover, whichever is higher. Don't mess with the GDPR; procure a proper team of GDPR experts.
Week 2: Generate Awareness and Conduct Training
Yes, generating GDPR awareness and administering training is a requirement of Articles 39 and 47. Ensure your company’s leadership and key individuals are fully aware of the law’s new requirements. Role-based training for those whose roles have unique processing requirements may have to wait towards the last week or two of this programme, but general organisation-wide communication and training can happen now.
Your GDPR team will have helpful templates to use to set expectations and explain the impact. But be sure to identify and organise a GDPR task force, with representation from key areas of the company.
Week 3: Perform a Personal Data Audit
Perform an audit of the personal data held by your organisation. Document where the data is located, how it is used, by whom it is used. Consider your employees' data as well as your customers' data. The GDPR requires each company to document the results of this discovery exercise, something your expert GDPR team is well-equipped to do. (Did you acquire an expert GDPR team?!)
Week 4: Generate GDPR Communication
The GDPR requires you to provide specific information in your company’s privacy notice, such as your identity, how to contact you, why information is being collected, the type of information being collected, with whom information may be shared, the data retention policy, and more. The GDPR also requires your company to determine and document the legal basis (called “lawful basis”) for processing data, something your GDPR team should be able to do. Your GDPR team should review your company's website to ensure the privacy notice is updated to reflect the GDPR. Your marketing practices must also be updated.
Week 5: Support Individuals’ Rights with Policies and Procedures
Your organisation is required to support numerous rights in your written policies and procedures. These rights include:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.
Do you have procedures to support a request when someone asks to have their data erased? Would you be able to locate and document the process, retaining evidence of practice? Your GDPR experts will help to ensure your policies and procedures are updated to reflect the required changes.
Week 6: Write Procedures to Support Access Requests
Your GDPR team should write procedures to support access requests, and the procedures should take into consideration the systems and platforms that hold applicable data. Can you validate the request is valid and should be processed? How long do you have to comply? Can you charge for this activity? Can you refuse to comply with a request?
Your GDPR team will understand the regulatory landscape and help to guide the process with the right internal key stakeholders.
Week 7: Identify the Lawful Basis for Processing
This activity is critical. Under the GDPR, data cannot be legally processed unless its lawful basis has been identified, documented, and explained in the privacy notice.
According to Article 6, processing “shall be lawful only if and to the extent that at least one” lawful ground is:
identified because consent has been given by the data subject;
identified through contractual terms that permit processing;
identified for compliance with legal obligations to which the controller is subject, such as disclosing personal data to comply with a court order;
identified to protect the vital interests of someone’s life, such as disclosing personal data when admitting someone to the hospital with a life-threatening condition;
identified for official authority or for public interest, such as a utility company carrying out a public task of public administration; and
identified by legitimate purposes such as fraud prevention, intra-group transfers, IT security, and many other possibilities.
Be absolutely certain to document the lawful basis for processing; this should be done for every type of data discovered during week 3’s discovery activities.
Week 8: Obtain Consent
The GDPR sets a high standard for consent; do not underestimate this! You must review how the organisation manages consent. Do processes already exist? Do the processes comply with the GDPR?
Offering consent means extending genuine choice and control, requiring positive opt-in measures with each person’s data. Ensure your company is not using pre-ticked boxes by default, and keep your requests separate from other terms and conditions.
Your GDPR team will help communicate clearly and concisely, naming all third parties who rely on the consent. Your team will also help make it easy for individuals to withdraw consent, keeping evidence of who, when, how, and what was told to them.
Week 9: Verify Individual’s Ages to Check for Children
Do you have systems in place to verify the age of a data subject? Do you have processes and procedures for obtaining parental or guardian consent? The GDPR will be employing special protective measures for children’s personal data, especially related to commercial internet services. Be very certain to think carefully about whether your systems might ever contain the personal data of children.
Week 10: Create a Data Breach Playbook
Data breaches are serious. Consider Equifax, and the length of time it took to report the breach. Breaches are bad enough without additional fumbling and mismanagement during the crisis; that adds reputational damage to financial damage.
What are your contractual obligations for reporting breaches? In what timeframes must notification be made, and to whom? Consider the authorities or media that may need to be notified when thresholds are crossed.
Your GDPR team will prepare a breach notification playbook, including written procedures to spot and investigate data breaches, with templates prepared for streamlined communication to every appropriate party.
Week 11: Implement Privacy by Design
Implementing data privacy protection by design is a key legal requirement of GDPR, starting with the privacy impact assessment. Performing a data privacy impact assessment is mandatory in some circumstances, such as when new technology is being deployed, where a profiling procedure is likely to affect individuals significantly, or where processing on a large scale occurs.
Will you be deploying any new technologies this year? Be certain to document the data privacy impact assessment for each implementation. Overall, your GDPR team will ensure privacy by design is core to your company's compliance, including conducting the data privacy impact assessment and maintaining evidence of this practice.
Week 12: Determine Responsibility for Data Protection Compliance
Does your organisation formally need a data protection officer (DPO)? Designate someone if applicable. You are required to have a data protection officer if your organisation undertakes regular or systematic monitoring of individuals on a larger scale, or if your organisation undertakes large scale processing of interesting data, such as healthcare information.
The DPO plays a core role in GDPR compliance, end-to-end. The DPO’s high level objectives are to:
collect information to identify processing activities;
analyse and check the compliance of processing activities;
inform, advise and issue recommendations to the controller or the processor;
provide advice on issues such as whether or not to carry out a DPIA, the methodology to follow, the safeguards to apply to mitigate risks, and more.
ensure safeguards are enabled to permit the DPO to perform tasks independently and without a conflict of interest.
Your GDPR task force may designate someone to fill the DPO role, but remember, the DPO must work independently and cannot be held responsible for non-compliance; sometimes it’s worthwhile to outsource the DPO role per the allowance permitted by WP29: “the DPO can be external, and in this case, his/her function can be exercised based on a service contract concluded with an individual or an organisation” (Article 29 Data Protection Working Party 2017, 22).
Week 13: Consider International Matters Like Cross-Border Processing
Have you determined your lead data protection supervisory authority and documented it? This becomes applicable if your company operates in more than one EU member state, and if your company carries out cross-border processing of data. Be certain to workflow where your more significant data processing activities and decisions take place, as that will help to determine your main footprint in determining your supervisory authority.
Summary and Final Advice
For most companies, performing all of these activities in 13 weeks meets the definition of “cramming”. But is it possible? It’s the law, so delay no more; assemble an expert GDPR team, cancel any holidays until June, and get started. It can be done, barely, if you start right now.
About the Author
Rebekah Allendevaux is the founder and senior partner of Allendevaux & Company; she oversees the regulatory compliance practice for data privacy and information security. She also specializes in modeling and implementing compliance frameworks such as ISO 27001 with codes of practice such as NIST, ISO 27002, 27017 for cloud security, 27018 for securing PII in the cloud, and others. She may be contacted at firstname.lastname@example.org.