The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. GDPR:
- Applies to any organization that offers goods or services to or monitors the behavior of EU residents
- Allows for significant penalties for violations—up to €20 million or 4 percent of global revenues, whichever is greater
- Places greater obligations on organizations to assure their boards, customers and regulators that their data consent, collection, retention and protection policies and procedures are appropriate and tied to a legitimate purpose
GDPR grants broad, specific rights to EU residents regarding use of their data, including:
GDPR challenges for technology companies
- The right to be informed
- The right of access to their data
- The right of rectification of data errors
- The right of erasure (the right to be forgotten)
- The right to restrict processing
- The right to object
- Rights in relation to automated decision making and profiling
While GDPR will impact a broad range of companies, technology companies will face some unique challenges. Tech companies access huge amounts of data from a variety of sources and therefore face significant data inventory challenges. They will need to be able to determine exactly where and how data was collected and whether appropriate consents have been received. This will not always be easy going forward and may be more difficult with regard to existing data. Alliances and agreements with third parties will need to be considered and may well have to be renegotiated in light of GDPR. Finally, a tech company’s role as either a Data Controller (DC) or Data Processor (DP) under GDPR will have to be determined.
Understanding the differing roles of DCs and DPs is vital as it determines an organization’s specific responsibilities under GDPR. A DC is the entity that determines the purposes and means for the collection and processing of personal data, while a DP processes that data on the behalf of the controller. For example, a manufacturer may decide to use an email marketing program to increase sales to customers, but contracts with an email marketing agency to run the program. The manufacturer would be the DC while the agency would be the DP. Tech companies may find themselves playing the DC role, the DP role or even both.
The following tips relate to selected areas that can help tech companies prepare for GDPR and comply with it effectively going forward.
Establish a privacy by design and default mindset
Most frequently, privacy issues have been considered late in the development process after products, services or processes have been designed. Companies finished the development process, then looked at complying with privacy requirements, tweaking things as needed to comply. Going forward, companies should treat privacy as a key feature to be baked into the design process.
Get the right DPO
Article 37 of GDPR requires all companies that collect or process data on EU citizens to hire a Data Protection Officer (DPO). The DPO is charged with a broad range of responsibilities, including:
- Educating the company concerning GDPR and ensuring appropriate training for staff
- Auditing data processing efforts for compliance with GDPR and correcting any issues, and otherwise monitoring privacy efforts
- Serving as the point of contact for GDPR supervisory authorities
- Maintaining records of all data processing activities
- Communicating with data subjects regarding data requests and GDPR issues
An effective DPO will need both a solid grounding in GDPR and other data and privacy laws and good working knowledge of your IT infrastructure and practices. Since this is a unique skill set and since GDPR will be creating significant demand for DPO candidates, tech companies that have not already retained the right DPO should do so immediately. Some companies are finding that outsourcing the DPO role is the right option.
Examine third-party agreements
Tech companies often retain, or are retained as, third parties in data processing relationships. Since third parties involved in data processing fall under the scope of GDPR as DPs, understanding and clarifying GDPR obligations under these arrangements is vital for both parties. Issues that should be addressed in these agreements include:
- Understanding that data should be processed only upon explicit instruction
- The DC’s right to audit DP activities
- Indemnity and liability issues
- Breach notification responsibilities
- Requirements to cooperate with investigations
- Responsibility for deleting or returning data at the end of a contract
- Limitations on onward transfer of data
Negotiating these issues will take time, so tech companies should start that process now.
Establish a solid data mapping process
In order to effectively protect data privacy, you first have to know what data you have and where it came from. That requires an effective data mapping strategy. For tech companies, it is not just customer production data, it may include areas like sales and marketing as well. Most companies follow either a top-down or bottom-up data mapping approach. A top-down approach is usually a manual approach that:
- Starts with practice areas or departments and identifies the business processes that collect, process, transfer and store personal data
- Identifies systems and applications that hold that data
- Develops data flow maps.
A bottom-up approach is usually an automated approach that starts with systems, databases and file repositories and scans them to detect personal data based on defined data classifications and elements
A hybrid approach can often work best and offers the benefits of both approaches. Start with a top-down process and then validate the results using a bottom-up approach.
Look for automation opportunities
Preparing for and then complying with GDPR is going to take considerable time and effort. One way to minimize demands on staff will be to automate where possible. One key area where automation could provide real benefits is in responding to data requests. Under GDPR, individuals have the right to request information concerning all data a company holds on them. Companies have 30 days to respond to these requests. There may be a significant spike in requests as GDPR goes into effect, so developing an automated system to address these requests could significantly reduce your GDPR compliance effort.
GDPR isn’t going away. If you pay attention to the news, privacy of data is a key focus of news outlets and legislators. Privacy shouldn’t be an inhibitor to innovation—companies should take this opportunity to embed privacy as a function of doing business. There are many additional requirements needed to achieve GDPR compliance that are unique to each organization. Companies should work with their compliance teams and service providers to understand what their compliance profile looks like and work towards a prioritized approach to get across the finish line.
Data privacy tops list of general counsel concerns
The EU raises the bar on data privacy: AIM for an integrated response
Check third party risk to manage your data vulnerability
Managing Director, Advisory Services
: +1 415 318 2240
Managing Director, Advisory Services
: +1 703 637 2830
Principal, Advisory Services
: +1 312 602 8940