The General Data Protection Regulation (GDPR) impacts not only European companies, but also most organizations outside of the European Union (EU) that collect personal data from people in the EU.
One of the goals of the GDPR, which goes into effect May 25, 2018, is to provide individuals in the EU with more control over their personal data. The GDPR is nearly 100 pages long and comes with a long list of requirements. For example, under certain circumstances, people in the EU can request that your organization provide a copy of the personal data you hold about them. Similarly, people in the EU can request that your organization delete their personal data. The GDPR also requires that data breaches be reported to a supervisory authority within 72 hours of when the organization becomes “aware” of the breach. Failure to comply with the GDPR could result in an organization being fined as much as 4% of its annual revenue.
As a result, organizations with exposure to the GDPR have launched GDPR-readiness programs to assess their exposure, develop a road map to enhance privacy notices, update existing procedures, or introduce new procedures.
Navigant’s data privacy team, consisting of subject matter experts in data management, EU data protection, and information security, has worked on many GDPR-readiness projects. We have identified five keys to success:
1. Establish a Privacy Council
The GDPR impacts organizations far beyond their compliance departments. Companies are collecting personal data across functions, including recruiting, sales, human resources, finance, data security, and analytics.
Becoming GDPR-compliant therefore requires a holistic reboot of the methods organizations use to proactively manage their data across the entire organization. Our clients succeed in adopting this cultural shift by establishing privacy councils made up of representatives or champions from different functional areas.
If your organization is structured as a decentralized collection of smaller subsidiary companies, it may be logical to have a representative for each subsidiary or geographic region on the privacy council. Whether our clients structure their privacy council by department or by geography, privacy champions recognize that they are not the sole person responsible for privacy within their group. Rather, privacy champions serve as the chief point of contact, sharing knowledge about new policies and procedures. The champions are also a funnel through which stakeholders provide feedback to the organization’s central privacy office.
A privacy council can serve multiple purposes, both short and long term, for a global privacy program. In the short term, privacy councils should meet regularly to receive updates on activities undertaken to meet compliance with the GDPR.
As the organization moves through its plan to adopt new policies and procedures, the drafts can be shared with the council to provide operational feedback. Once finalized, the council should be empowered to roll out these new policies and procedures to their teams.
Longer term, the privacy council will help maintain the program by keeping their teams accountable for updates, such as the data inventory and data privacy impact assessments.
As new privacy regulations are adopted across the globe, the privacy council will help bring functional and geographic cohesion through periodic workshops. This helps ensure that new compliance efforts are consistently adopted, allowing the organization to operate in a practical manner while minimizing compliance risks.
2. Choose a Provider with a Multidisciplinary Team and an Established Project Framework
Developing and supporting a successful GDPR-readiness program requires proper alignment and utilization of resources. The GDPR requirements can be complex, but they can be categorized into three main elements: data privacy, data management, and information security.
Through our project work, we have adopted a framework with over 50 privacy management activities, all of which tie back to specific articles in the GDPR. A framework is important and serves as the backbone of the project plan. Having a framework and project plan in place allows stakeholders to visualize the final state and monitor progress toward completion.
Data management pertains to the assessment and management of personal data holdings. It involves completing a data inventory register; facilitating data protection impact assessments (DPIA); and ensuring proper risk management is conducted on the personal data collected through the processing activities.
Information security requires the integration of data privacy risks into information security programs consisting of risk assessments, testing and security, and technical measures toward restricting access and responding to data breaches.
The three elements play an important part in adhering to the GDPR requirements. Therefore, it is crucial that the right consultants with expertise in these three areas form an organized, multidisciplinary team to address the framework of the GDPR. The effective utilization of this team will ensure the success of a GDPR-readiness program.
3. Ensure Continued Compliance
Organizations are likely caught up in the race to become GDPR-compliant. But it is important to be forward-thinking and recognize the need to assess and adjust their internal processes to ensure continued compliance.
For example, the GDPR requires organizations to maintain a record of processing activities. We have seen many cases where no such record of processing activities exists. As part of our project we institute a streamlined approach to ensure such records are kept and continually updated.
Using a register of processing activities as an example, there are a few general guidelines that apply regardless of an organization’s size, complexity, or nature when developing a streamlined approach.
We first identify and involve stakeholders from various parts of the business, such as representatives from the functional business area, privacy office, legal, procurement, contracting, compliance, and information technology.
Then we establish an assembly line approach that runs each time a new processing activity is implemented. For example, each new processing activity triggers an entry in the data processing register, a review for the appropriate legal data transfer mechanism, and then a screening to determine whether a DPIA is required.
Finally, we ensure that the tool used to house the data register is appropriate for the volume of processing activities, and that auditing mechanisms are set up where appropriate. While the initial step of setting up a streamlined, assembly line approach may seem daunting, it will ensure consistent GDPR compliance and save time and money in the long run.
4. Create a Deliverable Approval Matrix
A deliverable approval matrix is a simple tool, but we have found it to be incredibly useful in creating a successful GDPR-readiness program and driving deliverables to completion.
The risk when preparing any procedure is that the deliverable is never implemented at the organization. It is all too easy for deliverables to get lost in email and never see the light of day.
As such, we have implemented two standard processes. The first is to build a library of privacy documents. Depending on the client’s infrastructure, we can build the library of privacy documents within the client’s intranet, SharePoint, network folders, or other secure collaboration tool. This library then allows for the GDPR consulting team and client to work from the same set of materials, and when the deliverables are finalized, they can be easily distributed broadly across the organization.
The second step is to create an approval matrix. In this, we recommend at least three levels of approval. The first level may be the stakeholder closest to the privacy management activity. For example, if we are updating the client’s incident response plan to include procedural steps to comply with the 72-hour breach notification requirement, we may work directly with an information security manager. The information security manager could be the first approver, the chief information security officer the second, and the chief information officer the final approver. The approval matrix not only ensures that the appropriate positions within the organization are reviewing the deliverable, but it also provides the GDPR consulting team a clear path to completion for each deliverable.
5. Show Measurable Progress
Now that we have a plan or framework in place to be GDPR compliant, how do we measure the success of the project and ensure the framework is executed to completion?
The management and tracking of progress through the GDPR framework is another critical factor in GDPR readiness. For one thing, your organization needs to be able to refer to its deliverables, whether they are policies or procedures, and implement them across the organization.
Additionally, if the data protection authority or another local regulator comes calling, we will need to help ensure the organization is prepared to provide relevant requested documentation and information.
Therefore, it is imperative to track your progress and communicate when a deliverable is completed. In our experience, it is beneficial to use two main tools: 1) a detailed project plan or tracker, and 2) a biweekly status meeting with project sponsors.
The project tracker used for your GDPR-readiness program can be as sophisticated as needed, as long as activities can be tracked toward completion. There are many planning tools applicable to GDPR; some have friendly user interfaces, whereas others provide a Kanban board or Gantt chart for tracking. We have found it is best to ensure deliverables are tracked by status, action steps, responsible person or resource, target dates, and any potential risks or issues.
When we have deliverable-status meetings, it is important to review the status of each deliverable and any roadblocks to completion. Through these status updates, we can clearly identify and measure our clients’ progress.
Meeting the Challenge
It is a challenge to be ready for the GDPR. But through our projects, we have identified five steps toward a long-term strategy for remaining compliant.
A thoughtful approach to GDPR — both internally and with the assistance of outside expertise — is part of a proactive strategy to allow an organization to reduce its risk while growing its worldwide business.