How to Accelerate Your GDPR Program to Ensure Compliance
Posted by Emily Dann on Jun 8, 2018 5:08:47 PM
The enforcement period for the General Data Protection Regulation (GDPR) began on May 25, 2018, bringing significant changes to organizations in the European Union and beyond. Though a piece of European legislation, the GDPR impacts any organization that processes the personal data of those who reside in the Union, regardless of geographic location.
On ConvergeOne’s recent webinar, our very own Joe Vigorito ran a poll to better understand the preparedness of organizations in light of the new regulations, and found that a staggering 62.5% of listeners said they did not feel ready to comply with GDPR.
What You Need to Know about GDPR
The GDPR is the most comprehensive data legislation to date. It was designed to create a standard for data privacy across all 28 members of the EU and impacts every organization that holds or processes EU residents’ personal data.
The regulation introduced stricter rules on breach notifications, the right to access, the right to be forgotten, data portability, privacy by design, opt-in consent, and data transfers outside of the EU.
It’s important to note that GDPR’s provisions have been carefully designed and carry far-reaching consequences for non-compliance. Companies such as Facebook and Google have already faced heavy fines for infringements, and penalties can climb to 20 million euros or 4% of an organization’s annual global turnover, whichever is higher. Consequences may also vary depending on the seriousness of the infringement.
However, with the right tools and knowledge, these penalties can be avoided. In the webinar, Joe outlined seven steps that organizations can take to accelerate their GDPR programs and ensure full compliance:
- Hire or Appoint a Qualified Data Protection Officer
- Leverage Metadata
- Develop a Culture of Privacy
- Document and Record All Evidence
- Conduct Data Protection Impact Assessments (DPIAs) and Gap Analyses
- Ensure Use of Data is Lawful, Fair, and Transparent
- Practice Consent Management
While Joe provided an in-depth action plan for organizations interested in preparing for GDPR compliance in the webinar, there are a few immediate actions your organization can take. It is imperative that you start implementing policies and procedures as soon as possible to better address overall data hygiene. This may include updating your organization’s privacy, data breach, and cyber-insurance policies to ensure GDPR compliance.
Your GDPR Questions, Answered
No one knows everything when it comes to GDPR. Below, Joe offers answers to three common questions we received following the webinar.
If a small trade association is US-based and has a few EU members, how does the EU file a suit and collect fines, especially if the association does not have assets or operations in the EU?
Here are a few ways to handle this situation. First, ask for the consent of those few members. That would obviate having a problem with their member states or the Commission. Second, look closely at whether you offer goods and services to people who are in the EU and whether you monitor these individuals’ personal data. You may not be targeting the EU market. Now, conversely to your question, remember that in Article 3, jurisdiction is less about the location and legal form of your entity and more about the scope and location of the business activity. You should always connect with your legal counsel on it. Lastly, do keep in mind that GDPR applies where EU Member State law is enforced by virtue of public international law. The latter provision expands the territorial scope of the GDPR outside the EU.
You mentioned DPIAs a lot. How do I know if I need to do one?
Article 35 outlines some situations in which a DPIA is mandatory. One such case is when you are processing special categories of data on a large scale, or any personal data that relates to criminal convictions. Also, if the processing is based on automated decision making, including profiling, then a DPIA is necessary. The last case outlined in Article 35 is when there is systematic monitoring of a publicly accessible area on a large scale.
However, if the processing is not likely to result in high risks to the rights and freedoms of individuals, or if the processing has already been authorized under the DPD or another ruling for very similar operations, you may not need a DPIA. The same goes when you have a legal basis in EU or Member State law. Start with answering some simple questions:
- What data do we have?
- Do we really need all this data?
- How are we using the data we have?
- What risks arise from processing this data?
- How can we lower these risks?
So, when is it required? Potentially, in many cases. For example, since a hospital processes health data and possibly even genetic data, it will need a DPIA. Companies that monitor their employees in the EU, including their workstations, need to perform an impact assessment since they are processing data of vulnerable data subjects. If you gather social media profiles as data to be used by private companies, you will again need a DPIA.
In this case, processing is considered evaluation and it will fall under the category of large-scale processing of data. Other situations when you need a DPIA include international data transfers and the use of innovative technologies like a combination of fingerprints and facial recognition. These are a handful of examples. More can be found in the EDPB guidelines.
Please also consult your legal counsel on such subjects regarding the needs for a DPIA.
I’m in state government. How do I know if I have data on people “in the EU”?
You may not need to know if you have data on people in the EU. Here is what you need to consider. If a US State Government is not targeting the European market with goods and services, it may not fall under the GDPR purview. For example, a resident in Germany may own property in Miami, Florida and pay the fee to access their records online through the county’s website. In this particular case, Dade County is not “targeting” Germany’s residents or other European citizens to use the service. It just happens to have a website that can be accessed by German citizens and others throughout the globe.
However, if the state of Florida’s tourism department, for example, launches a promotional campaign to target residents living in Europe to come visit the Sunshine State, then any PII data collected on those German citizens by the state of Florida would likely fall under GDPR requirements. Always check with your legal counsel on this determination.
Watch the Full Webinar On-Demand
GDPR Enforcement Has Begun: Now What?