A summary of what you (and your Third-Parties) need to do.
On April 27, 2016, the European Parliament, the Council of the European Union, and the European Commission approved a new regulatory framework for personal data that will take effect on May 25, 2018.
Intended to give European Union residents and citizens greater control, the General Data Protection Regulation imposes strict rules on the nature, security, application and accessibility of personally identifiable information (PII); under GDPR, the EU’s data protection obligations extend to all foreign companies that collect, store and/or process EU citizen/resident data. It includes:
- “Fair and lawful” processing of personal data limited to specified, explicit, and legitimate purposes, and only for as long as necessary.
- The right of EU citizens to access their data, to obtain information on how and why their data has been collected, and most importantly, to object to the processing of their data.
- Data collectors must inform citizens of the release of their data to third parties for the purposes of direct marketing (with opt-out opportunities).
- All transfers of personal data from a Member State to any non-EU countries must guarantee an adequate level of protection.
All of the above could require many significant changes to Firms’ existing systems. Failure to properly comply with the requirements can be very costly. For example – GDPR clearly states the heavy penalties for non-compliance: After an initial warning for first and non-intentional failure to comply, the penalties include a first fine up to 10,000,000 EUR or up to 2% of an enterprise’s annual worldwide turnover the preceding year, whichever is greater, and a subsequent fine up to 20,000,000 EUR or up to 4% of an enterprise’s annual worldwide turnover the preceding year, whichever is greater.
Also – penalties may be applied to firms whose third-parties are found to be in breach: “Enterprises are responsible for the EU personal data managed by their own third parties, and can be subject to penalties for their vendors’ violations.”
According to the EU’s GDPR website, personal data is: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Worse, enterprises are not only on the hook for their own management of EU citizen’s personal data; they are responsible for the personal data managed by their own third parties, and can be subject to penalties for their vendors’ violations. Firms need to determine an easy and repeatable way to determine whether they and/or their third parties have any data that falls under the GDPR. This initial risk assessment needs to answer only two questions:
- Do you or your vendors hold personally identifiable information?
- Does any of the PII belong to EU citizens or residents?
The assessment method may be as simple as a brief questionnaire. But to be effective, it must be distributed among every potential data holder to ensure that no potential reservoir of personal data is overlooked. In particular, be sure to include:
- All of your internal systems and/or data silos. The larger the enterprise, the greater the likelihood of multiple systems each with its own data sets.
- All of your third parties who may hold customer and/or employee data.
- Any new third parties you engage.
- New technology acquisitions: Pay special attention to new technology initiatives that could involve sensitive data.
- Data collection points: Examine every interface where data may be gathered, from internal human resource files to e-commerce platforms, to cast the widest possible net for EU citizen personal data.
If no applicable EU data is found, your GDPR compliance journey may be complete – for now. Moving forward, you should conduct periodic risk assessments of internal systems and third parties to identify any emerging capture and/or retention of EU PII data. For each instance where EU citizen personal data exists, you need to advance to the next step and apply a deeper assessment to gauge the extent of your exposure.
In every instance where EU PII has been identified, you will need to conduct an in-depth “data privacy impact assessment” to determine what types of personal data you and your third parties have, how that data is collected and used, and what controls are currently in place. Typically, you’ll need to conduct two assessments:
- An enterprise assessment (to be completed by internal staff.)
- A vendor assessment completed by external third parties.
The assessment, typically a mix of open-ended questions and check-off lists, should address (but not necessarily be limited to) several areas of inquiry. One is data issues – what types of personally identifiable information are stored (i.e., names, photos, contact information, tax identification numbers, etc.), where the data stored, how it is used, and when and how it is disposed of.
Another concerns access – who has access to the information, what systems use the information, and how it is used. Still another is control – is there an assigned “Data Protection Officer” accountable for compliance, current policies and procedures for data collection, use, and compliance, identification and correction of data vulnerabilities, and test and documentation of controls.
With all of that, you should be able to identify the gaps in your and your third parties’ data practices, and these gaps should become the target of the policies and procedures you create next.
How will authorities audit data holders and hold them accountable?
With an effective implementation date of May 25, 2018, there is no history of regulatory action upon which to model enforcement behaviors. So that begs the question, how will authorities audit data holders and hold them accountable? Great question.
Based on previous experience with regulatory bodies, it is reasonable to believe that your ability to demonstrate good faith efforts at compliance will go a long way toward building favorable regulatory relationships.
Therefore, enterprises need to document intent by creating and enforcing data policies and procedures for themselves – and for their partnerships with third parties. So components to your GDPR compliance program should include a few important things.
First is personnel – You must create and/or sustain a distinct data compliance (or comparable title) role responsible for data monitoring and enforcement, and you have to identify comparable roles among your third parties(!) You’ll also have to establish a means of regular communication/reporting among these folks.
Second is policies – First, create and document GDPR-related policies, including procedures for addressing EU citizen data requests, and for addressing potential policy breaches. Establish workflows among responsible monitoring and enforcement personnel. And don’t forget to review third-party policies for conformance to GDPR.
And finally, monitoring – Establish regular procedures for monitoring data activity, and document monitoring of both internal and external (third-party) data activity. Perform “read & understood” certification activities to educate employees and third parties and document your communications. You should make and record periodic assessments to track potential policy or personnel changes, made internally or by third-party providers, that could affect GDPR. And for high-risk activity, conduct controls testing for internal data sources, and onsite reviews of third parties with access to sensitive data.
GDPR may not have yet begun, but you need to start now.
The newness of GDPR creates uncertainty that, while real, should not inhibit enterprises from acting immediately. Moving forward, your organization can do two things:
- Perform the assessments recommended in Steps 1 and 2, and implement the policies you need to address any possible compliance gaps you may have identified.
- Watch and learn: Follow the EU’s GDPR activity carefully to learn how its regulatory bodies will enforce GDPR and dispense fines/penalties, then adjust your policies and compliance programs accordingly.