GDPR: Key considerations and 6 steps to take for compliance

Zach Porter, Risk & Business Advisory Senior
May 1, 2018

General Data Protection Regulation. If you or your business operates within the European Union, chances are you have heard of it already. But what is it? What does it mean for you? How do you prepare for compliance?

What Is It?

The General Data Protection Regulation, or GDPR, is a regulation in European Union law on the protection and privacy of personal data held by organizations about “data subjects” in the EU. A “data subject” is a “natural person whose personal data is processed by a controller or processor”; the regulation protects people who are in the Union, not only EU citizens. GDPR replaces the Data Protection Directive 95/46/EC, adopted in October 1995, to more closely reflect today’s ever-evolving, data-driven world. This regulation is intended to give individuals in the European Union (EU) tighter control over their personal data, as well as to harmonize data protection rules throughout the EU. The compliance deadline for GDPR is set for May 25, 2018; organizations found in non-compliance after that date may face substantial fines.

What Does It Mean?

GDPR does not apply only to organizations physically located within the EU; it also applies to any organization, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. GDPR applies to both data controllers and data processors: a data controller determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of a controller. Organizations found in violation of GDPR can be fined up to 4% of annual global revenue or 20 million euros, whichever is greater, for the most serious infringements; a lower tier of up to 2% or 10 million euros applies to other infringements. Within those limits, the amount of any fine is set at the discretion of the individual member state supervisory authorities.

Consent

Requests for “consent” to allow data controllers or processors to process personal data must be communicated to data subjects in an intelligible, easily accessible form, with the purpose of the processing attached to that consent. For example, acceptance of ‘Terms of Service’ should no longer be a pre-ticked box; consent requires a positive opt-in. It must be as simple to withdraw consent as it is to grant it; individuals must be told how they can withdraw consent, and withdrawals must be acted on as soon as possible.

Breach notification

Timely breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and must notify the affected data subjects without undue delay where the breach is likely to result in a high risk to them. The previous Data Protection Directive did not contain a specific breach notification requirement.

Right to Be Forgotten

An interesting aspect of GDPR is the concept of a “right to be forgotten” (the right to erasure), providing data subjects the right to have the data controller erase their personal data, cease further dissemination of the data, and take “all reasonable steps” to inform any third parties that may have been given access to the data, and require them to comply with the deletion or removal. The data must be deleted or removed “without undue delay” and, with some exceptions, within one month of the request.

Data Protection Officers

For many data controllers and processors, the appointment of a Data Protection Officer (DPO) will be mandatory: public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of data (such as health or biometric data) or criminal conviction data on a large scale must designate one.

The DPO must possess expert knowledge on data protection law and practices. The DPO is responsible for educating the organization and its employees on compliance requirements, training any staff involved in data processing, and conducting regular security audits. The DPO also serves as a point of contact between the organization and any authorities that oversee the activities related to data processing.

GDPR does not define any specific liability for the DPO; the data controller or processor is ultimately responsible for demonstrating compliance with GDPR. The DPO is not personally responsible for any non-compliance and, further, must not be dismissed or penalized by the data controller or processor for performing their duties.

How Do You Prepare For Compliance?

A recent study conducted by the International Association of Privacy Professionals (IAPP) and Ernst & Young estimates that the Fortune Global 500 companies will spend approximately $7.8 billion to implement GDPR. IAPP also estimates that the global reach of the regulation will require the hiring of at least 75,000 data protection officers.

Becoming compliant with the GDPR is a full-fledged organizational effort. Here are some tips on how to prepare yourself for the impending rules:

  1. Ensure that key people in your organization are aware of the new regulation, and that they can effectively understand and communicate any upcoming changes to the relevant parties.
  2. Become aware of the types of data your organization holds, the source of that data, and with what partners and clients you share that data.
  3. Ensure you have detailed procedures in place to monitor, detect, report, and investigate a data breach.
  4. Evaluate your current methods of obtaining and recording consent, and determine whether changes are necessary to meet the GDPR requirements.
  5. Review your data retention and disposal policies to verify that they contain adequate procedures to ensure data subjects’ “right to be forgotten”.
  6. Determine whether you are required to formally designate a Data Protection Officer (DPO). Even if not required, consider designating someone to direct data protection compliance initiatives, and determine where this role will fit within your company’s organizational structure.

It is not a matter of if the GDPR is coming, it is a matter of when: May 25, 2018. With the compliance deadline fast approaching, it is critical for organizations to determine how the new regulation will apply to their business operations, and what steps are needed to achieve compliance and avoid hefty fines. The world of data privacy is not going away any time soon, and neither are the strict laws associated with it.

If you would like to discuss this matter further, contact Patrick Morin, principal and director of BNN’s Risk & Business Advisory Practice, at 800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.