By: Mark Webber, US Managing Partner-Silicon Valley; Hannah Blake, Trainee Solicitor-Silicon Valley
OK, hands up if data mapping has left you feeling productive but secretly it's been your way of postponing the inevitable. Come on, admit it! Well, even if we don't shame you, with the implementation of the EU General Data Protection Regulation (GDPR) less than a year away, being 'GDPR ready' is a key focus for many organisations. But this task extends beyond the privacy or compliance team: it requires the involvement and co-operation of the whole organisation to take compliance with the GDPR from theory to practice. Even those who've pushed through data mapping are starting to realise that it's one thing to have a core privacy team on top of the GDPR, but a mammoth task to operationalise it throughout an entire organisation. To help, here are our top 10 steps to operationalise the GDPR in your organisation.
1. Understand your organisation's governance - rally support!
1.1 Key stakeholders. If the highest level of management within an organisation sets privacy as a key priority, it will help to set the tone for privacy across your organisation. They could even go as far as implementing a privacy strategy or publishing a privacy mission statement. Involvement and support at this level will promote and push forward the compliance process, encouraging involvement and education of employees and the assignment of tasks. Maintaining such a policy will dictate privacy's involvement in day-to-day operations. In other businesses we see other compliance champions. Sales teams love to sell, and if they feel deal friction from privacy and Q2's figures are suffering because of Article 28 processor terms, you can bet they want to smooth that process and perhaps even lead and sell with compliance. Seek out those impacted and build a coalition.
1.2 Key individuals. In addition, one of the first questions your organisation should ask when looking at its governance structure is 'Does this organisation need a Data Protection Officer (DPO)?'. This is a key role under the GDPR and, unless it is obvious that your organisation does not need to appoint one, it should document the reasons for its decision. Everyone within an organisation has various specialisms related to privacy, and responsibility should be assigned accordingly to create a network of people who manage the day-to-day impact of privacy within your organisation. A clear and coherent governance structure will ensure a smoother transition to GDPR compliance.
2. Understand your data and processing Despite our mockery, you may have been right! One of the first tasks you should undertake is a data mapping exercise in order to understand how data flows through your organisation. This includes the following key questions:
- What type of data is collected?
- Who is collecting or using that data?
- Where is that data being collected and used and where does it go?
- When is it being collected and used?
- How is it collected and used?
- Why is it being collected and used?
Once you know the answers to these questions you will understand your organisation's involvement in the collection, storage, use and transfer of data. Not only can you then track the movement of that data, but you can also ensure that you correctly classify your data and keep the thorough record of processing activities the GDPR requires. Understanding your organisation will also enable assessment of the legal basis for processing and ensure that the most appropriate processing ground is being used for each occasion. Think about the outputs here. Is the exercise realistic? Will it deliver your goals, and can the maps be updated in the future? If you use a third party or third-party tool, have you got the rights or skills to adapt or reuse the maps? The third-party tools emerging are impressive, but they are tools and don't give answers, so don't invest everything in them. Additionally, some businesses have invested in the NIST Cybersecurity Framework, ISO/IEC 27001, ISO/IEC 27018 or SOC 2. If these frameworks have been implemented within your business, what can you borrow from them to advance your GDPR plans? The GDPR is silent on particular technological and security solutions, and this neutrality means you may still need to develop policies and practices for the organisation to work to. Why start again if you have something already?
3. Put privacy into your day-to-day operations The GDPR introduces an express accountability obligation. This isn't easy, as it means you need to demonstrate that processing occurs as the GDPR intends, and you may be required to document decisions or processing activities. A key component of the GDPR is also data protection by design and by default, which means that privacy should be at the forefront of new technologies and products as they are created. This is why it is so important to have a specific policy in place which requires designers and developers to assess the privacy impact at the creation, rather than the completion, of a new product. In particular this should reflect the need for a privacy impact assessment (PIA, which the GDPR calls a data protection impact assessment or DPIA) to be carried out where processing is likely to result in a high risk to individuals. Organisations that have a clear and coherent process in place will therefore benefit from the ability to assess and, if necessary, address privacy concerns early on. You need privacy and legal at the table when innovation or development decisions are taken. If you can't be everywhere, do the teams at least understand the privacy principles you need them to work to? To be "ready" for such accountability you need to take stock of the status quo. An organisation needs to review all its policies and procedures to ensure they reflect privacy requirements and, if they do not, update them to be compliant. This means aligning all policies, including relevant contracts, retention policies, marketing policies, cookie policies, the employee privacy policy, advertising practices, BYOD policies and social media policies. But once reviewed and updated, how do you live these commitments across a global business?
4. Keep informed and inform others Training and awareness are important, and not only for the DPO. Organisations would benefit from creating a calendar of events which includes job-specific training, legal and commercial updates and general privacy awareness. Organisations which have evidence of this will be able to show compliance with the training aspect of the GDPR, as well as having knowledgeable employees with a competent awareness of privacy laws in practice. The DPO, if you have one, has a specific task of "awareness-raising and training of staff involved in processing operations". If you signed up to Privacy Shield or have BCRs, you have other obligations to train. Whilst the GDPR is prescriptive, you can't teach every worker the law. Again, you may want to condense the GDPR down into a code of principles, with a little emphasis on the moral compass for the business and on the respect and obligations that should go hand in hand with data processing.
5. Prepare for information security risks To prepare for and mitigate information security risks, all organisations should have an information security policy which is updated regularly. You should ensure that you have clear measures in place to protect personal data and prevent its loss. These can include encryption of personal data at rest and in transit, a data-loss prevention strategy and restriction of access to the data to those who need it. Organisations will also benefit from gaining a certification such as ISO/IEC 27001. If you are not yet mature enough to get certified, perhaps you can align with a recognised security standard. Many are designed to be technology neutral and their principles help with awareness.
6. Address third party risks from the start Organisations should ensure that data privacy requirements are reflected in all contracts with third parties and that due diligence is always carried out. In addition, to prepare for any issues, you should ensure you have a policy or procedure in place to address non-compliance with regards to privacy. Regular reviews and updates of third party contracts should be carried out to ensure they reflect compliance with current privacy laws. It's all too easy to talk about a privacy management programme here but, for many, this is merely a target or aspiration. The measures you take need to be proportionate and implemented in context to the data, kinds of processing and risks for rights and freedoms of individuals.
7. Give notice Organisations should carry out a review of their current communications with individuals and ensure that at every point where data is collected, individuals are provided with appropriate notice and information as to the use of their information, including whether automated decision-making is used. If you rely on consent, assess how it is obtained and evidenced. You should check that individuals can easily opt out of or unsubscribe from any emails or notifications; this includes checking that the unsubscribe link or method provided actually works. What's more, this is one of the key public-facing compliance steps you take. An ill-thought-out or scant privacy policy may well be a flag for regulatory attention.
8. Know their rights The GDPR provides individuals with a number of rights which they may exercise at any time during their relationship with your organisation. To prepare for this, you should understand what requests your organisation could receive and ensure there is a mechanism in place for dealing with them within the statutory time limits. You will want to ensure that individuals are aware of their rights and can easily request information from you. FAQs and a dedicated email address may also be useful to ensure individuals are directed to the correct contact, and will assist you in dealing quickly with requests. Many CJEU decisions turn on the rights of individuals, so data subjects should always be front and centre in any decision making.
9. Have a plan in case it goes wrong A breach management plan is key, and having a breach notification process in place which works effectively will benefit the organisation by ensuring that it sticks to the time frames for reporting and that there is a clear record of the steps taken. You should also keep a log of all breaches or suspected breaches, including those you conclude do not need to be reported, and the investigation carried out in each case. Not only will this allow you to provide the information to the DPA should it be required, but it will help you investigate the cause of the breach, prevent a recurrence and assess how the breach plan worked in practice.
10. On-going assessment As mentioned above, the GDPR is about accountability. What's more, you need to continuously review, update and live these decisions on an ongoing basis. In a way, you are never fully GDPR compliant; it's an ongoing, living process which expects you to constantly review and update the way data is handled. Regular 'ad-hoc testing' of privacy procedures will be key to ensuring that they work in practice, whether that's a subject access request procedure or a breach management plan. This could be through self-assessment or a third-party audit, but regardless of its origin, regular assessment will ensure that the policies remain up to date and GDPR compliant, and will benefit your organisation should a policy or plan need to be put into action.
Operationalising the foundations of privacy and security
There we have the top ten steps for you to operationalise the GDPR in your organisation and throughout any data management lifecycle. To help you meet these 10 steps, take each in turn and apply the following method:
- IDENTIFY where your organisation currently is, its data flows and what policies are already in place
- REVIEW those existing policies, notices and processing grounds
- ASSESS them against the GDPR's requirements
- UPDATE policies, plans, procedures, training and awareness to meet those requirements
- TEST those policies through on-going audits and self-assessments
A simple way to assist your organisation's journey to GDPR compliance.