Finally, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) is coming. Following a long lasting process of negotiations, two months ago the European legislator proposed the new privacy framework for Europe – and anyone doing business in Europe.
The clock is already thicking, and it runs fast. Consequences for not meeting the deadline and to get your compliance in line with the law may lead to significant fines, up to 4% of your total worldwide turnover (or up to 20 Million EUR, whichever is higher).
Now as we are clear on the fines and the deadline, the question remains what to do in the meantime. I do not want to bother you with the legal details, but with the big picture on the next steps to take.
The main message is: Start now.
Why start now?
This one is easy to answer. Many requirements of the GDPR like privacy by design and privacy by default are technical requirements which may have an impact on your developer road maps. So, if you start late your tech guys will likely come into trouble to build that additional tweaks in your products in time. In addition, budget planning for the next fiscal year will take place in September at latest, and you should already have a rough idea what you need – and it would be nice to let other departments know that they have to spend some money for your GDPR-project as well.
Where do I start?
Let me answer this question with a counter-question: Where are you in terms of compliance? The last years have been busy with expanding your business to Europe, the Middle East and South-East-Asia? No time to review everything in terms of privacy and data protection compliance? If you are still nodding, buckle up and start right away to get an overview of anything that is going on.
- The most important part of the following steps is to focus on the management and stakeholder (and other budget owner) to get them on board. You will not be successful with this project without them.
- The second important part is to know where you are in terms of compliance, and to let anyone else know that your company does a review of its compliance policies and processes.
- Third, know your business: What is your company doing all day long, and how does it afford your paycheck? This is important to prioritize each step in the project.
- Fourth, you need a timeline. While you are reading this, you should already have your schedule ready.
Got it. But I need more details!
Getting to know where you start your very own GDPR project means that you need to ask a lot of question. Usually, you have only a rough idea if anything in your company is still in compliance with the policies you drafted once. So focus on the status quo but take already into account what the GDPR will require.
- Who is handeling customer data, and in particular justification mechanisms?
- Is the process of collecting consent in line with the “transparency” requirements for “informed” consent in light of the GDPR?
- What about transfers of customer data, what is the legal basis for such transfers?
- Have your service providers signed a DPA which is already sufficient with the commissioned data processing as set out in the GDPR?
- What about your scorecards, playbooks or whatever your negotiations guidlines are named – is any of the core requirements of the GDPR subject to waivers?
- Is your privacy policy in plain language?
- …and is anyone taking care of your employee data?
- Do you have any monitoring software running?
- Your IPS or IDS will collect and process a lot of personal information – is that in line with the GDPR?
- Is your understanding of “personal data” the same as in the GDPR, including device IDs, genetical material etc?
And then?
You may have already noticed: There is a lot of possibilities for EU member states to sneak out of the GDPR, or the new European bodies will have to publish guidelines and policies how to comply with general rules of the GDPR. So, at some point you will have to either wait until everything from the legislators side has been published and discussed, or you will have to take some risk by implementing the GDPR “as is”.