GDPR is already in effect and will be officially enforced on May 25, 2018. Is your organization prepared for this new regulation?
The EU General Data Protection Regulation (GDPR) is a new set of laws designed to standardize data privacy across Europe, including data that flows across national boundaries. If you operate or render services within the European Union and process ‘personal data’ on EU nationals, you need to be ready for this significant data-privacy regulation. GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’) …”
This regulation should be viewed as a data-privacy evolution, not a revolution. Customers are increasingly concerned with what happens to the personal data you collect. Complying with GDPR will build stronger trust between you and your customers.
If you’re not ready for GDPR, you’re not alone. A shocking number of organizations are not ready either, but that doesn’t mean you should follow their lead. With only a month and a half before enforcement hits, you need to act now to start the compliance process. In the event of an investigation by a supervisory authority, organizations will need to show they are taking appropriate measures to comply with the regulation, which include addressing risks and protecting the confidentiality, integrity, and availability of the personal data they process. Demonstrating this could help to reduce any fines. These fines (up to €20 million, or 4% of an organization’s worldwide annual revenue of the prior financial year, whichever is higher) are not worth the risk, right?
Tackle the Basics Immediately
If you are a nonprofit or association that has been avoiding GDPR compliance, you have less than two months to begin building a roadmap that shows you’re making a good-faith effort to comply. If you’re in panic mode, here are some steps to take right now that will get you on the right GDPR path:
- Get Educated on GDPR. The GDPR contains 173 recitals and 99 Articles. The full regulation can be found here. Not all organizations have resources they can dedicate to fully understanding the regulation. The International Board of IT Governance Qualifications (IBITGQ) offers a practitioner certification program. If your organization does not have the resources to dedicate to understanding the regulation, a logical first step is to reach out to a GDPR Certified Practitioner to get a foundational understanding of the regulation.
- Assess your Posture Against GDPR. Companies such as Microsoft have been working with GDPR for about two years and have provided tools for their partners to assess your overall GDPR maturity level. Conducting a detailed assessment of your organization’s ability to Discover, Manage, Protect, and Report on the personal data you process is a key step towards compliance with the regulation. The result of this assessment will be a list of next steps and a roadmap with actionable items and timelines that will move you towards GDPR compliance.
- Discover your Data. Understanding the types of data (e.g. name, email, address, biometric) you hold in your organization, the formats (e.g. hardcopy, digital, database) your data is stored in, the locations (e.g. on-premises, cloud, third parties) of your data, the transfer methods (e.g. email, social media), and the destinations (internal or external) is paramount to being compliant with GDPR.
- Determine your Lawfulness of Processing. All organizations must be able to state how they are lawfully processing data, based on the criteria in Article 6. These include explicit consent from the data subject, processing that is necessary for the performance of a contract, or the legitimate interests pursued by the controller.
- Publish Privacy Notices. GDPR includes six principles relating to the processing of personal data, which are listed in Article 5. The first principle states that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).” Privacy notices are required for the transparency aspect of this principle. Articles 13 and 14 detail the information that should be included in your privacy notices. Once you understand the data you hold and how you are lawfully processing it, your next step should be to inform your customers of these two pieces of information, along with the other information required in your privacy notices.
- Know the Must Dos. GDPR is a compliance behemoth. There are some requirements every organization, regardless of its size, must be able to meet:
  - Get policies and procedures in place to be able to respond to Subject Access Requests (SARs) based on Articles 12 – 22, “Rights of the Data Subject”. You can learn more about these here.
  - Formalize your incident response procedures and your data breach notification policies and procedures. Keep in mind the 72-hour notification requirement, which runs from the moment the breach has been identified.
  - Ensure all new systems, processing activities, or major changes to these are developed with data protection by design and by default as a core aspect from the start.
- Other Emergency Quick Fixes. With less than two months to go before the May 25th enforcement deadline, there’s only so much you can do. Again, the key is to show the effort. Here are a few quick fixes that you can deliver fairly quickly:
  - Appoint a staff member as Data Protection Officer (DPO) or hire a Data Protection Officer as a Service (DPOaaS) as soon as possible.
  - Revise your data processing agreements with all third-party processors to comply with GDPR. If you don’t have a data processing agreement in place, put one in place now.
  - Revise your consent forms to comply with GDPR, or determine another basis for lawfulness of processing using one of the options listed in Article 6. Again, if you don’t have these in place, you need to within the next month or so.
If your organization is not ready for GDPR, you’re not alone. According to a Gartner report, “more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018.” That does not mean, however, that you can wait until then to take steps towards greater compliance.
Get started now to show a good-faith effort and get on the road toward protecting your members and your nonprofit or association from the stiff penalties that could be levied on non-compliant organizations.