In case you’ve been living under a rock and haven’t noticed the calendar change, it’s 2018! That means the EU’s General Data Protection Regulation (GDPR) is closer than ever, and it’s only a matter of months until it takes effect on May 25, 2018. With this new and sweeping global regulation straight ahead on the horizon, we’re on the precipice of major data protection law changes that will impact not only Europe but regions well beyond it.
Let’s recap. In my previous post, I discussed three critical challenges that legal teams in the US face as they prepare for the GDPR. The GDPR requires companies across the globe to dramatically alter the manner in which they access, use, collect, and transfer personal data. It’s applicable to the personal data of anyone who resides in the EU, and it aims to return control of that personal data directly to EU citizens.
In the legal and information governance world, this has clearly caused a conundrum about how to handle data privacy and retention across borders, especially given the GDPR’s overall threat of debilitating fines for those who fail to prepare and comply. Meanwhile, the overarching challenge for international litigation is how the GDPR will create even more discrepancies between US and European data protection laws.
It can be difficult to know where to start when attempting to comply with a regulation as broad as the GDPR. One simple way is to break your process down into smaller steps and create a roadmap for compliance. Let’s look at four important steps that should be at the top of your roadmap so you can solve the critical challenges and get your organization directly to the finish line of GDPR compliance.
1. Establish a Cross-Functional Team & Understand the Law - Before you proceed, or even if you’ve already done a lot of work towards compliance, it’s critical to look at your organization and put together a cross-functional GDPR team whose members know and understand the law. With key people in place and the team assembled, you’ll need to define your objectives, the scope of your goals, and key milestones, the same as you would for any other type of internal initiative. Legal teams across corporations and firms will be impacted differently by the GDPR, so it’s imperative to look at which changes will be applicable to you and which areas present the biggest risk. Keep in mind while setting up this team that approval and buy-in from senior leadership is critical, so that all involved are committed and share responsibility for your overall GDPR roadmap.
2. Hire a Data Protection Officer & Project Owner - Hiring a data protection officer (DPO) who can also be designated as the project owner might be the best decision you make. Even if it’s not a GDPR requirement for your specific situation, having a DPO could be the fastest route to GDPR compliance. The regulation specifies that DPOs should have complete autonomy and report to the top level of management. This way they can operate independently and allow for the most effective interactions possible with the heads of legal, the chief information security officer, etc. With this structure, data protection responsibilities can be fulfilled more quickly.
3. Create a Data Map & Know Which Data is Regulated - With the complexities of the GDPR, it’s vital to create or update your data map so that you know what you have and where exactly it resides. Begin by creating a detailed questionnaire that you can send throughout your organization, and use that newly gathered knowledge to create a full record of where personal data lives, what’s done with it, what lawful grounds exist for processing it, and precisely who that data is shared with. This goes beyond simply creating an inventory; it builds a full record of personal data. It’s also a good time to set up processes that will keep the inventory continually updated, so you never have to go back and rebuild it from scratch. As a bonus, once your data map and processes are set up, you’ll have a much better idea of what risks exist for GDPR compliance.
4. Utilize Experienced Privacy Consultants - Finally, if you’re one of the many organizations that have been slow to prepare for the GDPR, another good course of action could be to hire a consulting firm or specialized privacy consultant who has already become an expert on the GDPR during the years leading up to and throughout the drafting of the regulation.
With personal data becoming such an integral part of today’s global operations, the GDPR offers a compelling opportunity to make sure your organization is prepared for the rapidly expanding digital world.
If you have questions or would like to learn more about this topic, please get in touch with us at firstname.lastname@example.org.