Corporate Compliance Insights

The Procrastinator’s Guide to the GDPR

by Maxine Henry
April 3, 2018
in Data Privacy, Featured

12 Steps to Compliance

We all procrastinate. But when it comes to the May 25th deadline for complying with the GDPR, this is one compliance project that you need to begin right away. Learn how the GDPR may impact your business and what you need to do to become compliant.

Why put off until tomorrow what you can do today? When it comes to the European Union’s General Data Protection Regulation (GDPR), many — even most — enterprises may be doing just that.

In one survey, most United States company representatives said they expect to be fined for noncompliance with the GDPR.

If so, let us hope they have budgeted accordingly. When the law takes effect on May 25, 2018, failure to comply can incur a fine of €20 million ($25 million, as of this writing) or 4 percent of annual revenues, whichever is greater.

Many enterprises simply are not ready for this game-changing privacy-and-security law — in spite of its having been adopted nearly two years ago, in April 2016.

Recently, PwC found that nearly one-quarter of U.S. multinational companies hadn’t even begun preparing for the GDPR, and only 7 percent had reached full compliance.

Procrastinators, take heart: It isn’t too late. May 25 is just around the corner, but even those organizations just starting now can still make the deadline.

What is the GDPR?

The first step toward following any rule is, of course, understanding it. Do you know precisely what the GDPR is and how it applies to your enterprise?

Put simply, the GDPR is the first-ever global privacy and security law. GDPR outlines new rules — 99 of them — for protecting EU citizen data. These provisions, among other things:

  • Broaden the scope of the term “personal data”
  • Grant EU citizens absolute rights over their personal data, including the “right to be forgotten”
  • Set stringent requirements for how entities process, store and share citizen data
  • Establish rules for securing EU citizen data, including privacy protections
  • Set timelines and guidelines for responding to and reporting data breaches
  • Restrict the collection and processing of specific types of data, including that of minors
  • Require accountability for security breaches and data theft
  • Require that privacy protections be designed into business operations
  • Impose strict penalties for noncompliance

No matter where your business is located — inside the EU or elsewhere — it must comply with the GDPR if it collects, processes, shares or stores personal data such as names, physical addresses, phone numbers and email addresses of any EU resident citizens.

There is one exception to this rule. “Anonymized” data — that which is permanently encrypted or made anonymous so that its owner cannot be identified — is not governed by the GDPR.

A 12-Step Program

With so many provisions, it isn’t surprising to learn that some are putting off the inevitable task of compliance.

Those feeling overwhelmed can take heart, perhaps, from U.K. Information Commissioner Elizabeth Denham, who says there is no need to fear the new regulations.

“The GDPR is a step change for data protection,” especially for enterprises already in compliance with existing data protection laws, she told WIRED magazine.

Even conforming to a step change can require a series of steps, and the U.K. Information Commissioner’s Office has put together 12 of them for organizations to follow on the road to compliance. Recommendations include:

  1. Increase awareness of the GDPR — what it is, and what it will require — throughout your organization.
  2. Document the EU citizen personal data you now have, including where it is located and whom you share it with, perhaps by conducting an information audit.
  3. Review and revise your privacy notices. The GDPR says these must be concise and clear: no more long, confusing gobbledygook.
  4. Know EU citizens’ rights. The GDPR gives EU citizens absolute rights over their personal data including:
    • to know how you will use it and to consent to those uses, as well as to be informed of changes;
    • to change their mind about what they will and won’t allow, to have their data returned to them if they ask (“data portability”); and
    • to demand that you and everyone you have shared their data with delete it from all databases (the “right to erasure” or “right to be forgotten”).

Do you and your teams know these rights, and where your gaps are?

  5. Know your abilities. If an EU citizen wants access to their data, you must provide it within one month of their request. Could you do this now? If not, how would you handle these requests?
  6. Cover your bases. The GDPR does not allow data processing, storing or sharing recklessly, but says you must provide legal bases for doing so. Do you know what yours are?
  7. Check for consent. EU citizens must give consent and do so clearly and unambiguously for you to collect, process, store or share their data. Do your policies fill the bill? To help you assess, the ICO has compiled a consent checklist.
  8. Remember the children. Under the GDPR, the rules will change for handling children’s information. You may need to get permission from their parents or revise your privacy policies so younger minds can understand them.
  9. Prepare for the worst. The GDPR puts very specific policies in place for handling data breaches – among them requiring you to notify local authorities and, in certain cases, affected EU citizens within 72 hours of the breach. How will you comply?
  10. Bake it in. Privacy can no longer be an afterthought after May 25; it must be designed into your systems from the very beginning. “Data protection by design and default” is a key GDPR requirement, as are, in certain high-risk instances, data protection impact assessments (DPIA). Who will conduct your enterprise’s DPIA, and how?
  11. Designate an officer. Certain organizations, especially larger ones, will need to establish a Data Protection Officer to oversee compliance with the GDPR. Do you need one? Who will it be — someone already on staff, such as your Chief Security Officer, or someone new?
  12. Think globally. If your organization has more than one EU office, you will need to establish one as the lead data protection supervisory authority — the primary location where decisions about data processing and GDPR implementation take place. Which location will you choose?

Ninety-nine provisions can seem a daunting number to fulfill, especially in the relatively short time remaining between now and May 25. As noted, however, companies now doing business in the EU likely already meet many of the GDPR’s provisions.

If you’re not in compliance with the GDPR, there’s no better time to start the process than now. As with any journey, the best way to reach your destination is one step at a time. What’s stopping you from getting there?


Maxine Henry is a GRC expert at Reciprocity. She is actively engaged with helping customers take a holistic approach to governance, risks and compliance. Maxine has consulted at major firms including The Walt Disney Company, Cylance, Experian and Hyundai Autoever America. Her accomplishments and skills include governance, risk and compliance cybersecurity; data privacy and protection; e-discovery and General Data Protection Regulation (GDPR). She has helped clients strategically and tactically with developing technical and compliance solutions.

© 2025 Corporate Compliance Insights