The General Data Protection Regulation (GDPR), adopted in spring 2016, applies from 25 May 2018.
This means that businesses and organizations of all shapes and sizes need to prepare themselves to comply with the new set of data protection rules. However, this preparation is easier said than done.
The GDPR focuses more heavily on effective day-to-day compliance with data protection obligations than its predecessor, the Data Protection Directive, which was more administrative, less enforceable and less practical. This is evidenced by the fact that the GDPR not only demands strict compliance with its rules, backed by high fines, but also requires that compliance be demonstrable. In other words: compliance with data protection rules must not only be done, it must be seen to be done.
Sometimes the perception exists that the GDPR is solely concerned with personal data processing via hardware and software applications, and hence that compliance is a problem for the IT department. It cannot be denied that your company’s or organization’s IT department has an important role to play, but it would be a big mistake to think it is the only relevant department.
The GDPR is concerned with more than just a business’ or organization’s IT systems and applications; it also looks at administrative procedures, operational practices and supporting documentation.
This essentially means that compliance with the GDPR is a problem of your entire business or organization, and your voyage towards compliance should be captained by the senior executive.
If you are an existing business or organization, you have been processing personal data for a while, maybe even for years. You have organized your processes and procedures in the best way possible to drive your business activities, supported by information processing systems that are most suited to this purpose. And personal data has been flowing through it all as a necessary informational resource. Now this new chunk of legislation comes along and requires you to reassess those processes, procedures and systems against quite detailed (and sometimes rather cumbersome) rules and obligations. Moreover, the GDPR does not exempt processing activities because they are only ancillary or accidental, but on the contrary takes a very comprehensive and detailed approach.
All of this might make the task of becoming compliant seem almost insurmountable. However, with a solid understanding of what is required and by relying on a tailored step-by-step approach backed by a tested methodology, anyone can become compliant in a timely, cost-effective and pragmatic manner.
It takes, however, a good understanding of current practices as well as the ability to differentiate between what is high priority and what can be parked for the moment.
The importance of prioritizing between data processing activities, issues, gaps, risks but also possible compliance actions should not be underestimated. For most businesses and organizations it is not possible to tackle everything at once, nor should you want to. Your GDPR compliance exercise is not the only thing you’ve got going, so you should not start throwing all of your available resources at it. Also, it is necessary to be thorough, and doing everything at once will only force you to take shortcuts where you shouldn’t take them and miss elements that you shouldn’t miss.
A compliance exercise necessarily starts with determining where you are now. You must somehow make a snapshot of the current status quo.
Even businesses and organizations that operate B2B, are less data driven, and are involved in e.g. manufacturing, assembly or distribution will process personal data on a larger scale than one might initially presume. There are always ‘hidden’ personal data processing activities: activities that are a necessary by-product of a business process that is itself perhaps very impersonal (think of employee records, supplier contacts or access logs).
Starting to uncover these activities is a necessary part of making your snapshot, but may also lead to quickly losing perspective and overview. Again, this underlines the need for prioritization but also the need to have a plan, a roadmap towards compliance linked to a feasible yet ambitious timeline.
Many businesses and organizations are composed of more than one entity, some of which may be located in different jurisdictions. It is not inconceivable that certain IT resources are shared between entities, e.g. a common ERP software suite or specific data warehouses. It is also possible that different entities perform distinct tasks within a single business process: one entity receives data from another, processes and possibly transforms or adds to it, and then sends it onwards to the next entity.
All of these data flows may include personal data, which necessarily implies that any comprehensive GDPR compliance exercise should cover the whole group, not just headquarters. Indeed, the processing practices and systems may differ significantly from one entity to the next, hence compliance issues and likely solutions will differ as well.
The necessity of covering the entire group does not mean that you should do everything as one. Since certain decisions will most likely be made by the parent company and then pushed down to all subsidiaries, it seems logical to start your compliance efforts at the parent and then work your way down. In the end you should have a snapshot of the whole group, allowing you to an extent to centralize and coordinate compliance efforts, not just until May 2018 but also beyond.
As the above shows, executing a GDPR compliance exercise in a cost-effective yet thorough manner requires specialized knowledge and expertise.
International law firm time.lex has extensive experience with European data protection law and has supported multiple large multinationals and organizations with their GDPR compliance exercise. We offer a full service package allowing you to maximize your compliance pragmatically and with respect for your business.
If you would also like to benefit from our knowledge and expertise, please contact us for a no-obligation introductory meeting.