LAS VEGAS — If this is the first time you’ve heard that as of today, the European Union will begin enforcing the General Data Protection Regulation (GDPR), take a brief moment to freak out.
Now take a deep breath and know that you’re not alone in being behind on preparation. Despite having two years of warning about coming into compliance with the new privacy requirements that shape how data must be responsibly transferred and stored, most businesses in North America aren’t ready. Gartner has estimated that more than half of organizations won’t be ready by the end of the calendar year, let alone as of today.
GDPR means stricter data protection frameworks, stricter penalties for misuse of personal data, and stronger enforcement of such regulations protecting EU citizens, explains Janet de Guzman, director of the compliance group in product marketing at OpenText. Enforcement of GDPR in Canada and the U.S. will be assisted by cooperation of local authorities that are duty-bound to uphold international laws.
It’s a good bet that EU regulators will go after a large multinational company to make an example of it under GDPR – Google is an example of a firm that’s already been fined billions by EU enforcers for regulatory transgressions – but that doesn’t mean that the long list of companies that aren’t up to snuff on GDPR will be hit with big penalties in the early days, de Guzman says.
“The authorities want to see that you have a plan and you’re working on it, and you’re not giving up or saying ‘it doesn’t apply to me,’” she says. “Data privacy is grounded in good information management, so get started there.”
Now that you’ve exhaled, here are 10 things you should be doing to prepare for GDPR, starting ASAP. de Guzman bases these recommendations on the GDPR’s text and presented them at OpenText Enfuse on Tuesday.
1. Figure out how it applies to you
There are different responsibilities under the new regulations depending on how you touch the data of EU residents. If you market or sell into the EU, have employees in the EU, or collect and monitor data of EU residents for any business purpose, then you must comply with GDPR. There may be slightly less onerous requirements if you’re a smaller organization, but de Guzman stresses that these are best practices that are a good idea to follow anyway. In fact, there might even be some benefits.
After complying with Canada’s Anti-Spam Legislation (CASL), de Guzman says that the open rates on OpenText’s e-mail newsletter, Information Matters, went up in Canada. That’s because only engaged recipients that had opted in were receiving the email.
“The good news is that your database will be the people highly engaged with your company,” she says.
2. Obtain executive sponsorship
Most often, companies are appointing a chief legal officer or a CIO to take the lead on GDPR. The legislation requires appointing a data protection officer who is responsible for compliance, but that doesn’t mean the role has to be dedicated to that job alone.
CIO is a good choice, de Guzman says. “They’re already responsible for complying with information security standards. Privacy and security aren’t the same, but they are sisters.”
3. Assemble your cross-functional compliance squad
Any department in your organization that touches customer or employee data must be involved in your compliance plan. That includes legal, marketing, sales, HR, and so on. Marketing is “probably the highest risk area,” de Guzman says, because once customers opt out of receiving messages from your company, they’re more likely to be irate if you contact them again.
4. Identify all processing activities and create a register
GDPR specifically requires a Register of Processing Activities (ROPA) to be kept at companies under compliance. “It’s the need to be documenting all the ways an organization records personal information,” explains de Guzman.
Look to processes like employee administration, supplier screening, account management, and email marketing campaigns. The records of these activities should contain the name and contact details of the data controller, the purpose of the process, a description of the categories of data, how long the data will be stored for, and a description of the security measures.
5. Don’t forget data managed by third parties
If you’re collecting data from customers and then using third-party providers for cloud services or data processing of any kind, you’re still responsible for your customers’ data when it’s in the hands of your partners. Look for GDPR certification from your providers and have conversations with your vendors about how they view compliance. Good examples of what to look for in GDPR commitments are available from OpenText’s website and Microsoft Azure.
6. Classify personal information
Not in the sense of making it top secret, but in the sense that data should be tagged as containing personally identifiable information. This data should be organized into categories based on type, and those categories should have guidelines for when data should be deleted.
7. Conduct a data clean-up
A key concept of GDPR is data minimization, meaning that data should be deleted if it’s not serving any purpose. But de Guzman warns that GDPR requirements don’t override other regulations that require your company to keep records for a certain length of time. For example, financial organizations must keep data on hand to comply with know your customer (KYC) regulations. That doesn’t change.
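To make steps 4, 6 and 7 concrete, here is an added example (not code from the article, from OpenText, or from any GDPR tooling) that models register entries with the fields listed in step 4, tags them with personal-data categories as in step 6, and runs the minimization rule from step 7 while honouring a longer retention period that another regulation, such as KYC, imposes. All field names, class names, the sample activities and the sample records are constructed for illustration.

```python
"""Hypothetical retention check over a register of processing activities.
Example code: field names, category names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Fields step 4 says each register entry should carry (attribute names assumed).
REQUIRED_FIELDS = ("controller", "contact", "purpose", "categories",
                   "retention_days", "security_measures")


@dataclass
class ProcessingActivity:
    """One entry in the register of processing activities (constructed)."""
    name: str
    controller: str
    contact: str
    purpose: str
    categories: tuple            # personal-data categories from step 6
    retention_days: int          # business retention after collection
    security_measures: str
    regulatory_hold_days: int = 0  # longer retention another law requires (e.g. KYC)


@dataclass
class DataRecord:
    """A stored item of personal data, linked to the activity it was collected under."""
    record_id: str
    activity: str
    collected_on: date


def validate_register(register):
    """Return (entry name, field) pairs where a required field is empty."""
    problems = []
    for entry in register:
        for field_name in REQUIRED_FIELDS:
            if getattr(entry, field_name) in ("", None, ()):
                problems.append((entry.name, field_name))
    return problems


def retention_limit(activity):
    """Effective retention in days: minimization does not override other laws
    (step 7), so the longer of business retention and any regulatory hold wins."""
    return max(activity.retention_days, activity.regulatory_hold_days)


def review_records(register, records, today):
    """Return (ids due for deletion, ids with no register entry).
    Unregistered data has no documented purpose and is reported separately
    rather than silently kept or silently deleted."""
    by_name = {a.name: a for a in register}
    due, unregistered = [], []
    for rec in records:
        activity = by_name.get(rec.activity)
        if activity is None:
            unregistered.append(rec.record_id)
        elif today - rec.collected_on > timedelta(days=retention_limit(activity)):
            due.append(rec.record_id)
    return due, unregistered


# Constructed sample register and records.
REGISTER = [
    ProcessingActivity("email marketing", "Example Corp", "privacy@example.com",
                       "newsletter to opted-in subscribers", ("contact",),
                       365, "encrypted at rest, access logged"),
    ProcessingActivity("account KYC", "Example Corp", "privacy@example.com",
                       "identity verification for account opening",
                       ("identity", "financial"), 365,
                       "encrypted at rest, restricted access",
                       regulatory_hold_days=5 * 365),
]
RECORDS = [
    DataRecord("r1", "email marketing", date(2016, 5, 1)),  # past 365 days: due
    DataRecord("r2", "email marketing", date(2018, 3, 1)),  # recent: keep
    DataRecord("r3", "account KYC", date(2016, 5, 1)),      # under KYC hold: keep
    DataRecord("r4", "legacy export", date(2015, 1, 1)),    # no register entry
]
TODAY = date(2018, 5, 25)

if __name__ == "__main__":
    print("register problems:", validate_register(REGISTER))
    print("due / unregistered:", review_records(REGISTER, RECORDS, TODAY))
```

The point of the separate "unregistered" list is that a record nobody can map to a documented purpose is itself a register gap to fix, not a deletion decision to automate; the KYC entry shows how a regulatory hold extends the effective retention without changing the business default.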
8. Understand the recording requirements
Collecting consent from your customers and proving that you have it will be a big part of GDPR. You may have noticed on Thursday that just about every web service was updating its privacy policy or terms of service and asking you to acknowledge you had read them. That was an effort by each service to show it has informed its users of how it handles their data.
Also keep in mind that you’re now required to track any events that may be considered data breaches. You must also notify affected customers of data breaches within 72 hours of detecting them. “This is giving a lot of organizations some heartburn,” de Guzman says.
9. Review and update policies and procedures
As with any changes to regulation, you should update your privacy policy and records management policy to reflect GDPR compliance. The policies should contain many of the specifics of how a user’s data is collected, stored, and deleted. Outlining why you’re collecting user data in the first place is important too.
“It can be paralyzing just because there’s so much work to do,” de Guzman says. “Just have a plan and focus on that.”
At OpenText, policies were recently updated to require that any time it evaluates software for internal use, the software must have privacy by design embedded in it.
10. Formalize education and awareness
All of your employees will have to be familiar with the new data protection policies at your company. Formal education around this should be mandatory for all your staff. Depending on how much the new regulations impact their day-to-day operations, the training length and depth will vary. Make sure that you’re at least raising awareness of the new compliance requirements and how important it is to take them seriously.
One more bonus step: meet with the experts. Even lawyers are asking for help from legal counsel who are more specialized in privacy law. But the risk advisory consultants out there and the technology vendors that you have good relationships with can help with advice as well.