GDPR Readiness: What, Why, and Who
What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) is not just one of many other data protection frameworks or requirements. GDPR is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The applicability of the law follows the data, rather than following a person or location. The scope is big and the sanctions are even bigger. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR will require all data controllers and data processors that handle personal data of EU residents to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”
What is My Role?
GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you. Is your organization one of the following?
- Data Controller: The person or organization that determines the purposes and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization is a data controller.
- Joint Controller: Multiple organizations that jointly have authority over personal data. The purposes and means for processing personal data are jointly determined, and the requirement is to clearly define the responsibilities among the joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
- Data Processor: The person or organization that processes personal data on behalf of a data controller. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any breaches and of any use or change of sub-processors. Data processors must provide sufficient compliance guarantees to the data controller.
- Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor based on the data it receives from its clients, but it could also serve as a controller based on the fact that it is an employer with EU citizens as employees. Two sets of data exist, and the SaaS provider has different authority over the two sets.
- Data Protection Officer: An individual who has expert knowledge of data protection law, is independent from an organizational reporting perspective, cannot be instructed on how to perform their duties, and cannot be penalized for performing them. This could be a person who also fulfills other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
- Supervisory Authority: Independent public authorities, one for each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government organizations that you will be interacting with, and they have the authority to impose additional GDPR compliance requirements.
We know that determining your role can be confusing; there’s a lot of overlap and a lot of questions. Here’s one more example to consider: a manufacturer of shoes. The data controller is the manufacturer. Whenever it sells a pair of shoes, the customer fills out a form that collects their name, physical address, and other personal data. Now the data controller (the manufacturer) must decide what to do with that data. A data processor, in this situation, could be a marketing company that produces marketing materials on behalf of the shoe manufacturer. The marketing company has control over the colors, fonts, images, or marketing channels to use, but it wouldn’t necessarily have authority over what data to use or who to market to. This makes the marketing company a data processor.
Where Do I Start?
Have you been wondering, “Where do I start with GDPR? What’s my next step?” but can never get a straight answer? Well, here’s ours: start with data mapping. Consider where personal data enters and exits your organization, even if it’s somewhere that’s not part of your core services. Who has access to that data? What controls surround it? Think about customer satisfaction surveys, messaging forums, talent acquisition, your HR department, and other areas where personal data could enter your organization. Data mapping helps you find the places where personal data resides that you might otherwise overlook.
Another first step towards GDPR compliance is determining what your organization’s posture is under the law. Do you know if you’re a controller, a processor, or a joint controller? If you’re a processor, do you use other sub-processors? Do you have a legal basis for all of your methods of processing data? Do you have valid transfer mechanisms for international transfers?
Another practical implication to think about is change management. When considering GDPR, you must ask whether you have to conduct a Data Protection Impact Assessment. Is a change going to require the use of one or more new processors, or new consent from data subjects? Is a new technology or a new service going to change the way you facilitate data subjects’ rights? We recommend that you create some type of decision tree that outlines the downstream impact of changes.
Because GDPR does not go into effect until May 25, 2018, we don’t yet have enforcement actions to give us case studies or tell us what is compliant and what isn’t. In this pre-implementation phase, it’s crucial to monitor regulatory developments as they come out.
Listen to the full webinar to learn about industry-specific issues and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.