In our previous blog about GDPR we focused on this new EU Directive and what it means for your organization. With the launch date fast approaching, 25th May 2018, it is critical that compliance with this new EU Directive is not left to chance or the last minute.
Although GDPR is a large data management undertaking, it isn’t as huge a challenge as it sounds. We have put together ten crucial steps that all EU based organizations should consider to comply with GDPR from 25th May 2018:
1. Recruit a Chief Data Protection Officer – if you Don’t Have One Already
If your organization carries out regular or systematic data monitoring or if you process copious quantities of personal data, you will need to appoint a Chief Data Protection Officer. However, there is nothing to stop your organization appointing one even if you are not obliged to do so. The role of the Chief Data Protection Officer is designed to guide and support your organization through the minefield of data protection and the duties involved in this role could be attached to an existing employee or outsourced. However you choose to manage this key role requirement it is crucial that your Chief Data Protection Officer is an expert in data protection, is able to sit on your board of C-suite level roles and is able to liaise with regulatory bodies on behalf of your organization.
2. Undertake Staff Training
One of the biggest risks your organization faces when complying with the new GDPR Directive is people. If you train your staff about the changes it will help them understand the importance of GDPF compliance and will reduce the changes of them unknowingly doing something that will result in a data breach. Once you have trained their staff so they understand what they need to do your organization will be in a much better position to make sure that adherence to GDPR is built into your day to day tasks and processes, and is not seen as an additional workload.
3. Be Fair
Chances are you will need to update your fair processing and privacy notifications to your customers, clients and even your staff, and you will need to review whether the information you provide is sufficiently and explicitly clear. If you do something with others’ data which cannot be clearly understood from the information you provide then some changes will need to be made and your organization will need to inform them of these changes. A process should also be put in place for updating your fair processing information and it must show what you are currently doing on this, not what you did or were doing in the past.
4. With Your Permission
Customer or client consent is more critical than ever under the new GDPR Directive. This has always been important, but the new Directive has been designed to ensure that organizations gain consent for every purpose. Most importantly, consent needs to be opt-in and not opt-out and pages of unclear information cannot be presented to your clients and customers. Consent to opt-in must be freely given by your clients and customers and individuals have the right to withdraw their consent to withdraw from their opt-in at any time. You must stop contacting a client, customer or individual who withdraws their consent to be contacted unless you have a solid legal foundation on which you can continue.
5. Another Legal Basis
If your organization cannot rely on content for processing some or all of your personal data, another legal basis must be found on which you can continue your data processing. Apart from content, the new GDPR regulation sets out the following:
Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
Processing is necessary for compliance with a legal obligation
Processing is necessary to protect the vital interests of a data subject or another person
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (unless you’re a public authority in which case you cannot rely on this condition).
Necessity of processing is a key theme throughout. Collecting and using nice-to-have or just-in-case information isn’t an option. The Regulation contains additional requirements if you’re processing special categories of data (see Article 9(2)(a) to (j)) of the new GDPR EU Directive.
If you fail to meet any of the above for the personal data your organization processes, then the activity you are undertaking has no legal basis and must cease immediately.
6. Privacy Impact Assessments
Privacy Impact Assessments (PIA’s) have been recommended by the Information Commissioner’s Office for many years, but they are now mandatory for processes and systems that process high risk data. One of the key ways of checking whether or not a solution or process will present a high risk to the freedoms and rights of data subjects is to carry out a PIA. Therefore, your organization should consider having a means of standardizing these into your assurance processes.
7. The Right to be Forgotten
The right to be forgotten (Article 17) is the data subject that is causing the most discussion right now. While it is extremely easy for organizations to collect data for individuals, it is not always so easy for them to go about “forgetting” someone. If your organization is asked to action a request for data removal under this right it is critical that this data is removed from all sources where it is held, including backups. It is therefore prudent to develop a process to ensure your organization is able to action these kind of requests.
8. Update and Review Agreements
Processing agreements and data sharing that your organization is party to is likely to reflect current data protection law, and the legal basis that is currently used for these may cease to exist or change altogether. Many agreements contain liability clauses designed to reflect the level of risk posed with storing and processing activities under current legislation. The agreements your organization have in place must be reviewed and be amended to reflect the requirements of the new GDPR Directive. If your organization fails to do this, there is a risk that data will be shared or processed illegally which means a significant financial penalty may be given to your organization.
9. Secure Your IT
Adequate protection for the data you process must be in place for compliance with the new GDPR Directive, and it is up to individual organizations to determine the level of what is considered adequate. Procurement and physical security controls will be just as important as technical ones.
10. Map Your Data Flows
If your organization doesn’t know what data is going where it will be a struggle to comply with the requirements of GDPR. If you map your data it will provide a clear picture of how data is travelling around and will help your organization identify any non-compliance with your policies and procedures, allowing appropriate steps to be taken to manage information risk.
While on the surface the changes required under the new GDPR EU Directive may look complicated, they are relatively straightforward if carried out by a Chief Data Protection Officer or qualified person. Remember, ignorance of the changes is no defense once the regulation comes into force on 25th May 2018, so the earlier your organization responds to these changes, the better.
About Corinium Digital
Corinium Digital offers digital marketing solutions made possible by our global network of emerging CXO roles. Our speciality is audience acquisition from cross- sector industries & a range of seniority from junior staff all the way to the decision-making C-suite (500,000+ global contacts). We provide multiple platforms to build relationships all year with our truly digital CXO communities. We will improve your lead generation, branding & content/ thought leadership. Advising on industry insights with dedicated editorial staff, online content specialists, digital marketing advisors & UX/ CJM manager, we can help create an integrated, digital strategy to increase your online presence. For more information visit www.corinium-digital.com.
Written by Lisa Ventura, Content Marketing & Editorial Manager – Corinium Digital.
The world’s largest community of C-Suite executives
Get access to ‘members-only’ content, VIP conference invites and other updates from the CXO Hangouts community.