All things GDPR: 5 Things You Can Still Do For Your GDPR Compliance
We’ve all been hearing a lot about GDPR, the lawsuits, and consequences for the large companies that have failed to be fully compliant by the given deadline. Even though May 25 has come and gone, many companies are still struggling with this set of regulations. While we don’t have all the answers, we like to think we have most of them from our own research and preparations to be GDPR compliant – and we want to share them with you.
This is the third post in our series covering GDPR. While there will always be something for you to do with regard to GDPR compliance, this post takes a back to the basics approach to your GDPR efforts to help calm that post-May 25 panic of “Are we fully compliant?!”
1. Re-read the guidelines.
Yes, this seems obvious, but it’s worth the initial read, and hopefully this second pass through as well. We know it might be a bit dry, but there’s no better resource on GDPR than the regulations itself. While reports, white papers, and blog posts are certainly helpful for deepening your understanding, they’re still secondary sources.
You, or the relevant person in your organization, can read them here.
2. Know the statistics, and know you’re not alone.
A recent survey published a ton of great stats of where organizations are in relation to their compliance with GDPR by May 25, 2018. The report was compiled by Crowd Research Partners, these are just some highlights:
- Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)
- 80% confirm GDPR is a top priority for their organization
- 60% of organizations are at risk of missing the GDPR deadline
- 7% of surveyed organizations say they are in full compliance with GDPR requirements today
- 33% state they are well on their way to the compliance deadline
- The main challenges for organizations:
- lack of expert staff (43%)
- lack of budget (40%)
- a limited understanding of GDPR regulations (31%)
- 56% expect their organization’s data governance budget to increase to deal with GDPR challenges
Hopefully, these stats are comforting in knowing that you’re not alone if you’ve missed the deadline. With stats like these, we’re not surprised that many companies are still scrambling with compliance efforts after May 25, 2018.
3. To Appoint or Not to Appoint a Data Protection Officer.
We mentioned this briefly in our previous post and, as promised, here’s some more detail on Data Protection Officers (DPO). To start, you should ask yourself “to appoint or not to appoint.”
“Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.”
Once you’ve established that you do need to appoint a DPO, you’re tasked with finding a highly skilled individual with expert level knowledge in this new and emerging regulation. And of course, the requirements for this position are vague. Perfect.
“Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.”
As we’ve pointed out, there are currently no certifications or qualifications for this position beyond general data protection experience relevant to the organization in question. (Do I have that? Sure. Do I think I’m qualified for a DPO position? Probably not!)
As time goes on, certifications may be developed for this position for small and large companies alike. Until then, if you’re looking for more guidance on appointing a DPO, the Information Commissioner’s Office has put together a helpful article elaborating on the dos and don’ts of hiring a DPO.
4. Update privacy by design.
While Privacy by Design has been around for a while, regulators have made it a legal requirement as part of GDPR.
“Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties… as well as limiting the access to personal data to those needing to act out the processing” (EU GDPR).
This may sound familiar – and it is. This goes back to one of the questions from our previous blog post – what information are you collecting and why? We were never sure why companies need to know our third maternal second cousin’s middle name.
5. Ensure your data is portable.
Data portability is introduced in GDPR and is throwing many companies through a loop. All it really is is the ability to provide an individual with the information you have collected on them in a “commonly used and machine-readable format”(EU GDPR).
Luckily, in this technological age, many programs have an export to a .CSV function that will likely be your first steps towards satisfying this aspect of GDPR.
Still have questions on GDPR? Ask them here and Tom Canfarotta, our head of Strategic Accounts, will answer them in his monthly column.
This is not legal advice for your company to use in complying with the GDPR. We insist you consult an attorney for advice on applying the law to your specific circumstances. You may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.