GDPR compliance: Last-minute checklist
In a few weeks, on May 25, the European Union’s GDPR (General Data Protection Regulation) goes into effect. You may think you’re ready for the new privacy regulations, but there’s a good chance you’ve overlooked something, given the maze of regulatory requirements and how deeply they’ll affect the way your company does business in the EU.
To help your company make the transition, we put together the following advice from experts on the last-minute things you need to do before the deadline, which includes performing a readiness assessment, educating customers and employees, and checking to see whether your company has any “dark data” that needs to be exhumed before GDPR goes into effect.
Get free advice from the source
How well do you really know GDPR? How long has it been since you’ve reviewed the regulation in detail? And what advice for compliance do the regulators themselves offer? With the deadline for compliance fast approaching, now is the best time to make sure you have that information, says Andrew Clearwater, director of privacy for OneTrust, a privacy management platform provider. He recommends going straight to the source to make sure you haven’t overlooked anything.
“There’s public guidance that regulators have shared, and the first thing on your checklist should be to review that right now,” Clearwater says.
In particular, Clearwater recommends three documents: “Getting Ready in 13 Steps” from Belgium’s Privacy Commission, “Preparing for the GDPR in Six Steps” from France’s National Commission on Informatics and Liberty (CNIL), and the "Guide to the General Data Protection Regulation" from the U.K.’s Information Commissioner’s Office. (Note: The documents from Belgium and France are in French.)
Clearwater also stresses the importance of the first recommendation offered by France’s CNIL: Make sure you’ve chosen a single person—referred to by the CNIL as the “pilot”—to serve as your company’s data protection officer and oversee GDPR compliance. Clearwater adds, however, that merely designating a person is not enough. You also need to make clear where the pilot resides in the organization’s hierarchy as well as the individual's specific authority and power. Beyond that, he says, it’s a good idea to make sure there are experts on GDPR not just within your security and privacy staff, but also embedded throughout the organization, because all departments are responsible for adhering to GDPR, not just the IT or security departments.
Build on the past
A common mistake companies can make in last-minute GDPR preparations is thinking they need to design an entirely new system for managing data privacy, says Clearwater. In fact, most companies already have systems in place, and they should build on those. Doing so, he says, can accelerate companies’ ability to adhere to GDPR guidelines when deadline pressure is looming.
“When you start out, you might think you have to start from scratch, but you may be able to import existing work, especially when it comes to data mapping and locating all the places where data resides in the company,” Clearwater says.
He suggests reusing work companies have done for adhering to ISO 27001, a standard from the International Organization for Standardization (ISO) that governs how information security can be managed in a company. Although GDPR goes well beyond ISO 27001, the ISO standard covers some of the same ground, including risk assessment and breach notifications. Healthcare-related companies should also look to the work they’ve done complying with the Health Insurance Portability and Accountability Act (HIPAA), which governs data privacy and security for healthcare records.
In these last few weeks before the regulations go into effect, Clearwater also recommends doing a final, overall readiness assessment to make sure nothing has been overlooked.
Take a step back before going forward
The final days before GDPR compliance becomes mandatory are likely to be frantic, with last-minute glitches and preparations taking up most people’s time. Alexis Trittipo, associate partner at McKinsey & Co., says this is the time for companies to “take a quick step back to assess gaps in order to leap forward by addressing the highest risk areas.”
That means you should “examine your short-term manual solutions for data requests and data breaches,” she says. “Will your resources cover that? Gauge the resources you’ll need by looking at the kinds of requests and breaches you’ve had in the past. Recognize the volumes are likely to be larger than historical. Staff up for that, but be flexible enough to transfer resources when necessary.”
Trittipo says many short-term manual solutions will eventually need to be changed to automated ones, so companies need to look now at how close they are to building automated systems and then create a roadmap on how they’ll switch over and create an implementation schedule. They should double-check that they’ve devoted enough staff and time to it, as well as outside resources such as consultants, she adds.
Finally, Trittipo notes, companies in highly regulated industries, such as financial services and pharmaceuticals, have developed a compliance muscle over time and are likely to be more prepared to respond as a result.
Take a look at “dark data”
Given that GDPR is so close to reality, companies have likely examined the information in databases and other high-profile structured data stores and made sure that the way it’s handled will adhere to the new regulations. But Felix Martin, security strategist at HPE Pointnext's Global Security Center of Excellence, warns that’s not enough. He says now is the time for companies to do a last-minute search for data they may have overlooked.
Martin notes that it’s important for companies to look at their unstructured data and files, such as email, social media, presentations, spreadsheets, and notes—so-called dark data. To comply with GDPR, this kind of data needs to be cleansed, analyzed, and purged. That means companies should do a top-to-bottom analysis of all the data they house, including unstructured data, and decide what they’ll do with each type in order to adhere to GDPR, he says.
Martin also warns that under GDPR, companies will be held responsible for data they’ve shared with third parties, so they must carefully vet what data they share and with whom they share it, and make sure those third parties adhere to GDPR as well. “You have to go beyond just signing contracts” about how the shared data will be handled, he says. Instead, companies should actively verify as best they can that their partners will adhere to GDPR with the shared data.
Doing that may be more difficult than companies realize, however. A 2017 study by the Ponemon Institute, “Data Risk in the Third-Party Ecosystem,” found that 57 percent of companies it surveyed don’t have an inventory of all third parties with which they share sensitive information, and 82 percent don’t know if their data is shared by the third party with a fourth or fifth party. And it found that 56 percent of companies experienced a third-party data breach in 2017. All this is problematic, because under GDPR, businesses can be held responsible for breaches or compromises in their supply chain. That’s all the more reason they need to carefully vet all third parties with whom they share data before the deadline.
Get your messaging down now
The way in which companies adhere to GDPR has consequences beyond possible penalties. It also has serious public image ramifications: Companies that are seen as not keeping data private as required by law can face serious penalties in the marketplace, notably a lack of trust from existing and would-be customers, which can seriously affect the financial health of a business.
Martin says, “In these last weeks before GDPR goes into effect, it’s important that customer-facing staff are properly educated and trained in dealing with privacy.” That’s important not just for complying with the law, but also so that customers trust that a company handles their data properly.
McKinsey’s Trittipo adds, “Everyone in a company should be aligned on the messaging to employees, regulators, and customers, from the CEO and CIO on down to customer service representatives. Businesses need to make sure that the message, and how it is delivered, is done properly and that people who interact with customers are well-trained.”
Prepare for the future
Trittipo warns that companies should keep in mind that GDPR may evolve over time, so they shouldn’t assume that once these last few weeks are over, their work is done.
“The GDPR regulations are different than many others in that they’re principle-based rather than prescription-based,” she says. “This means that companies need to define their scope and recognize that the regulation may evolve to be more specific over time. It’s also important to acknowledge that new threats in the space are constantly evolving. As a result, companies will need to evolve the way in which they protect themselves against these risks.”
GDPR checklist: Lessons for leaders
- Check out public advice and resources from EU regulators on GDPR requirements and how to adhere to them.
- Build on privacy work you’ve already done, such as for ISO 27001 and HIPAA.
- Look for any “dark data” left out of your implementation plans, such as spreadsheets, emails, and presentations.
- Craft a message for customers and staff on how your company handles GDPR requirements, and make sure everyone is trained on it, from the CEO and CIO on down to customer service staff.
- Recognize that the GDPR deadline is a beginning, not an end. Your company will have to constantly evolve to meet its changing requirements.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.