How to Make Sure You're in Compliance with the GDPR (article)
One of the biggest stories in cybersecurity over the past year is the European Union’s new data protection measures. The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and applies to any company that collects and/or processes data from individuals residing in the EU. GDPR comes with steep penalties for noncompliance, including fines of up to 4 percent of global revenue, or sanctions preventing companies from continuing associated operations. Following the guidelines in the GDPR has understandably been a top concern for many organizations.
There are still a large number of holdouts, however, even with the effective date nearly six months past. One survey found that more than 56 percent of respondents who were subject to GDPR said they were far from compliant with the standards or would never fully comply. Translating the new requirements from law into action items is no easy feat, and the challenge of working out what needs to be updated may prevent some companies from meeting all the GDPR requirements. The following GDPR to-do list may help guide your compliance efforts. It is broken up into discrete action items, qualitative changes, and provisions that may not apply to your operations.
Assess the Tangibles
Several administrative functions need to be in place for GDPR compliance, and it’s recommended that companies start their compliance efforts there. Regulators will want to see the following:
Inventory of Data
Collecting an inventory of your electronic data helps you keep track of the information that your organization collects, processes, and stores. In the GDPR realm, this will be where you determine what data is subject to the GDPR requirements. It’s also a required step under GDPR Article 30.
Draft Your Privacy Notice
Companies are required to issue an external-facing privacy notice. The privacy notice outlines your data collection activities to your customers and clients. If you have a primarily web-based business, it is required as part of your efforts to provide notice and transparency to your clients under GDPR Articles 12 and 13.
Appoint an EU Representative If Operating Remotely
If your company does not have a physical presence in the EU but conducts business there, you will need to appoint a representative for GDPR compliance. The EU representative helps align your organization with a local Data Protection Authority (DPA), the agency that will mediate issues or complaints about data use from EU residents. Note that the EU representative does not necessarily need any power or authority within the organization.
Define Your Data Protection Impact Assessment (DPIA)
Now that GDPR is in effect, companies will need documented assessments of how changes within the organization will affect data privacy. This is especially important for companies undergoing a major transaction—such as a divestiture or acquisition. DPAs have provided frameworks and templates for DPIAs, which companies should evaluate when documenting their DPIA process.
Many of the provisions in the GDPR are conceptual and will require a broader, qualitative discussion around data collection and approaches to securing valuable information. The legal text is not very prescriptive about what evidence shows these tasks have been met, so the following is a list of some considerations:
Draft Data Protection Policies & Procedures
One of the ways that companies can operationalize data and information security best practices is through policies. Information security policies and procedures demonstrate to regulators that the company understands the risks to its data and has taken steps to secure and monitor it. Policies also provide structure to information security efforts and should specify the personnel who will be charged with making sure the policies are followed.
The GDPR provides some recommendations for policies. Incorporating the following will help your organization meet its compliance requirements:
- Data collection policy
- Subject access request policy (GDPR Articles 15-22)
- Data retention policy
- Breach assessment and notification policy (GDPR Articles 33 & 34)
- Data transfer policy
- Processing on consent policy
- Information security policy
- Change management/SDLC with privacy by design incorporated (GDPR Article 25)
Training & Governance
In addition to providing formal frameworks, it is also important to demonstrate support of those frameworks through the company culture. This means providing training to employees on privacy regulations and initiatives. Demonstrating governance initiatives means having privacy and data risk management committees that are actively evaluating the current culture and compliance status. It also means constantly evaluating the ability to operationalize the policies, and finding ways to aid the data protection process.
Tasks That May Not Affect You
Some provisions in the GDPR only affect a handful of companies. After the significant tangible and qualitative tasks have been tackled, check in with the following to see whether you need to take any additional action.
Elect a Data Protection Officer
The GDPR requires companies to designate a Data Protection Officer (DPO) in certain situations. Whether you are subject to the DPO requirement depends on the types of activities that you conduct. For example, companies that conduct regular and systematic monitoring of EU individuals’ data are required to designate a DPO. If your company handles certain types of personal data, including information processed for social welfare programs, medical data, or data that must be collected because of substantial public interest, it will also need to appoint a DPO.
Even though the DPO position is only required in certain circumstances, many organizations are choosing to appoint one—75 percent of respondents said they had one in a recent survey. The DPO must have an extensive understanding of the GDPR and fulfill the roles and responsibilities for the DPO outlined in the standards.
Update Existing Contractual Agreements
If you have third-party arrangements for data processing, you may need to update contracts with processors and subprocessors to ensure steps are being taken to protect that data. If you are a data processor working with a controller, that agreement may need to be revisited to ensure it meets GDPR standards.
Start Your To-Do List as Soon as Possible
Enforcement of the GDPR has been relatively quiet in the months since the effective date, but regulators will likely begin enforcing the requirements more actively in the coming months. Organizations that are making a good-faith effort to protect their data and follow the standard may be able to buy themselves some additional time to get into compliance.
To learn more about how GDPR may apply to your organization, please contact us.
Copyright © 2018, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).