Final Preparation for GDPR

5 steps to make sure your organization is prepared for May 25—and beyond.

The most sweeping data privacy regulation in a generation is finally here, with a compliance date of May 25, 2018. Although it’s been two years since the General Data Protection Regulation (GDPR) was adopted by the European Union Parliament on April 16, 2016, it would be a stretch to say that businesses worldwide are adequately prepared. In fact, the global implications of the regulation appear to be catching some U.S. companies off guard; it seems the EU’s industry-neutral data privacy regulation was not on the regulatory radar for many businesses used to following the rule-making of U.S. agencies.

Some public reports of preparedness paint a rosy picture. For instance, in a July 2017 global survey of Fortune 500 and FTSE 350 general counsel and chief security officers, 94 percent of respondents from the U.K. and 98 percent from the U.S. reported their company was on a strong pace to meet the regulatory requirements by this month. However, the first quarter of 2018 saw an exponential increase in webinars and seminars about GDPR, which suggests that some organizations are still scrambling to evaluate the potential implications of the new rules.

To wit, in an April 2018 survey of more than 1,000 companies in the United States and Europe, 40 percent of respondents said their organization will not be in compliance with GDPR as of May 25, 2018, and an additional 8 percent were unsure. Moreover, the survey found that 10 percent of respondents are unsure whether their firm is even subject to GDPR. That’s an alarming finding at this stage in the game, since executives who aren’t aware they’re subject to the rule cannot even start plotting a course on the roadmap to compliance.

Certain sectors are faring better than others. IT firms, in particular, stand to profit from an increased use of software and assessments to map GDPR compliance, which means they have invested significant resources into fully understanding the impending rules. Thus, many businesses in the tech sector are well-prepared to comply with GDPR. That contrasts with sectors in which companies are struggling to understand whether the regulation even applies to them, let alone what compliance requires.

GDPR compliance is a significant undertaking for any firm, in any sector. The GDPR requirements are multifaceted, spanning several departments, roles, and responsibilities. And, of course, the steep regulatory penalty for noncompliance—up to 20 million euros or 4 percent of global revenue—heightens pressure on executives to implement GDPR controls effectively. Key challenges for firms include building out the right project teams, managing vendors at different states of readiness, conducting data-mapping exercises, applying the principles of GDPR down to the level of the day-to-day, and seeing the big picture of compliance beyond May 25, 2018.

Here are five considerations corporate treasury teams need to keep in mind as they make final preparations for the new EU rule:

1. Change Management

The first step in implementing a GDPR readiness program—and, indeed, the capability to support ongoing compliance—is identifying the “who.” Successful compliance with GDPR depends on having a project team of internal stakeholders and external resources who can execute on the company’s GDPR approach. Any organization that has not yet assigned responsibility to a specific team is far behind the curve at this point. But even companies that are moving forward with GDPR compliance efforts may want to re-evaluate the makeup of their project team if they have concerns about the project’s progress.

Effective change management is always a challenge, especially for firms that lack a dedicated change management or project management function. These companies usually assign responsibility for initiatives to a senior employee with a proven track record in whichever business area is most impacted. This approach may cause problems for GDPR compliance projects. Depending on the company’s business model and the extent of its European touch points, GDPR compliance may require extensive collaboration and cooperation among numerous constituencies across regions, offices, and departments.

Many businesses are looking to outside service providers to augment internal capabilities, either by running the GDPR project on the firm’s behalf or by conducting the initial data mapping or risk assessment exercises. In the context of a GDPR program for a U.S. corporation, a trusted adviser needs expertise in issues relevant to treasury services, processes, and technology, as well as U.S. data protection law and, of course, the GDPR. Unfortunately, consultants specializing in GDPR risk assessments are likely to be booked well beyond the May 25, 2018, deadline.

In-house expertise may also prove to be difficult to come by, as job postings for data protection officers (DPOs) have increased 11 percent every month for the year ending March 2018. The GDPR regulation is simultaneously so vague and so expansive that assembling teams with the right expertise in both the regulation and the company’s industry is proving difficult. This is particularly true for U.S. companies, which are accustomed to a more industry-specific approach to rule-making. Firms would be well-served to consider holding data privacy training for staff and/or reimbursing employees for continuing education in this space.

2. Data Mapping

Compliance with the GDPR requires a company to document all data that it is collecting, processing, and maintaining. It also must develop a clear understanding of where it stores the personal data of EU residents, how it collects that information, what systems and applications are involved, who has access to the data, and with whom it is shared.

Conducting a current-state analysis that accurately identifies these components involves identifying the categories of data each business unit needs to perform its role, whether the data currently collected from clients is necessary for that purpose, and whether the data includes any special categories of personal data enumerated under the GDPR. A current-state analysis should also document the physical locations where such data is stored on-site and in data centers, and with which parties the data is shared.

Documenting a full inventory of data intake and data flows is a laborious exercise and one that involves chasing a moving target as data continues to accumulate even in the midst of the exercise. A comprehensive current-state analysis takes time, which is in short supply as the GDPR compliance date looms large. It also requires a particular knowledge of systems architecture and business processes across an enterprise, and very tight coordination efforts across regions and offices.

Despite the time crunch, companies will find mapping of their current data processes to be well worth the effort. Many firms have simply been unable thus far to deploy the resources necessary to fix the plane while they were flying it, so to speak. They will find the insights that data-mapping exercises provide can help them identify the higher-risk areas of their business, those that need to be targeted for immediate remediation. At the same time, data mapping can provide valuable intelligence on processes, systems, and data flows that may be in desperate need of upgrade. A current-state analysis may uncover significant business improvement opportunities that the firm can tackle after completing the tasks that check the box on GDPR compliance.

3. Drilling Down to a Practical Plan

Identifying all the tasks required to bring a company into compliance is no simple feat. While the data-mapping exercise facilitates identification of the systems and business processes that touch affected personal data, a parallel effort must be under way to bring the text of GDPR down to the practical, everyday level.

Businesses small and large that are exploring the regulation face a myriad of questions. Some of them are seemingly simple, such as: Do we need to update our privacy policy? Should we have a separate EU privacy policy, in addition to our U.S. privacy policy? What other documentation needs to be updated?

Other questions are more complex, such as: Do we need to disclose that our organization is using cookies to track website users? What language should we use? Is there an exemption if we have just one item of personal data for a single EU data subject? And (for many companies) is our business in Europe valuable enough to risk noncompliance with GDPR, or should we consider focusing our efforts away from Europe to other regions of the world?

Translating the vague language of GDPR’s recitals and articles into tangible tasks and conclusions requires legal expertise and a fair amount of guesswork. When faced with the business reality of significant new operational costs, some companies that have only a handful of EU clients are simply choosing to terminate their EU clients rather than dedicate the resources to compliance—an unintentional yet understandable side effect of the regulation.

4. Managing Vendors at Different States of Readiness

Vendor management is another key component of a GDPR program. Vendors must be considered in the data mapping, business process development, and evaluation of GDPR readiness from a contractual perspective. Companies need to understand what personal data their vendors are collecting and storing for (or from) them. They need to know what safeguards the vendor is using to protect the data and whether the information is being forwarded on to a fourth or fifth party.

Many businesses have faced challenges with service providers’ readiness for GDPR. They may be relying on their service providers, particularly those with a strong foothold in Europe, to get insight into how contracting will work, the content of disclosures, and the type of due diligence that will be expected under GDPR. Specifically, service providers that transfer personal data will need to confirm that the receiving jurisdiction affords adequate legal protection for the data. There are several ways to accomplish this; the most common involves reliance on an intergovernmental framework such as the EU-US Privacy Shield, or the use of EU-preapproved standard clauses in contracts between the parties that cover specific provisions around the nature of data processing and the security in place. On the other side of the relationship, service providers are likely feeling the heat from any customers whose legal departments or procurement departments cannot provide a clear synthesis of their GDPR readiness.

5. Mind-set Shift Toward Proactive Documentation

The concept of accountability in GDPR’s Article 5 can require a mind-set shift for some. Data controllers must be able to “demonstrate compliance” with the principles of GDPR—namely, lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. This concept is highly ingrained in some industries, such as financial services, where the U.S. Securities and Exchange Commission requires firms to store and save documentation evidencing compliance against certain parameters. For other industries, this notion is more foreign.

We highly encourage companies to train their employees on what documentation is required in every area of the business that may need at some point to demonstrate compliance with GDPR. We also recommend ensuring that GDPR project efforts are well-documented. Teams change, time passes, and documentation must be able to knit together the actions that were taken and the policies that were in place in the event such information is ever requested by a regulator.

Looking Forward

The GDPR compliance date has arrived, whether firms are ready or not. Risk managers who have not begun assessing their GDPR exposure are far behind and will almost certainly be out of compliance on the rule’s deadline date, though they likely will have plenty of company.

Whether or not your company is ready for GDPR, it’s important to keep in mind that May 25 is not a finish line. Risk managers will not wake up that day to a brave new world. Rather, that date is an incremental step toward a future in which all businesses are data businesses.

To position your organization to thrive in this new world:


E.J. Yerzak is director of cyber IT services of the technology team at Ascendant (part of Compliance Solutions Strategies), which provides cybersecurity consulting services to Ascendant’s clients. In this capacity, Yerzak assists firms in assessing and managing their cybersecurity risk, from network vulnerability scanning and penetration testing to onsite cybersecurity assessments and assistance in implementing the NIST cybersecurity framework.

Kelley Merwin is director of content development for the Ascendant Compliance Manager (part of Compliance Solutions Strategies), a technology platform designed to enable compliance and risk officers to manage compliance programs more efficiently and effectively.