Imagine your boss assigns you Tolstoy’s “War and Peace”, asks you to read it and tells you to prepare a concise work plan for the company to implement the lessons you’ve learned from it. This is how some general counsels and privacy officers feel these days as the looming implementation date of GDPR, May 2018, draws near. The GDPR, the European General Data Protection Regulation, is a massive piece of legislative reform that will be uniformly enforced throughout Europe nine months from now, in place of the 1995 Data Protection Directive. Unlike the Directive, the Regulation is backed by stiff fines that can reach tens of millions – or even billions of euros in some cases. Importantly, the GDPR will not only apply to companies in Europe but will also apply to any business that collects or uses personal data belonging to European people. Given that data knows no borders, it will really apply all over the world.
For small and medium-sized enterprises, the GDPR presents a formidable challenge. How do you take a 200-page document with 173 recitals and 99 articles, with more than 50,000 words, and implement it in a fast-paced business environment? Many law firms and consultancies propose their 10- or 12-step roadmaps to implementing GDPR. At Voyager Labs, we suggest three main steps to address the compliance challenge:
- First, understanding the new law’s scope of application. Does GDPR apply to you? The answer to this preliminary question is not so simple. It depends on whether your company processes Europeans’ personal data “in the context of the activities of an establishment” in the EU. Your company may have European entities or subsidiaries but conduct data processing that is not “in the context” of those specific entities. But even without a relevant European establishment, GDPR still applies to your business if it is “offering of goods or services to data subjects in the EU” or “monitoring their behavior which takes place within the EU.” A broad reading of this language implies that GDPR would apply to a very large number of international businesses. An additional baseline question is whether, under GDPR, your company is considered a “data controller” or a “data processor”. In the past, the distinction between the two was simple – a controller was an employer, for example; a processor was the IT company that processed the employer’s pay slips. Today, the distinction, which has significant implications for GDPR obligations, is murky, with data processors performing a wide variety of core business tasks (think Salesforce, for example).
- Second, data mapping and devising an accountability plan. Before implementing a privacy management program, a business must do extensive due diligence on the ground to map its data flows. Personal data is part of many organizational processes. Where and from whom is it collected? Which systems and departments in the organization touch it? Which third-party vendors are involved? Who is it shared with, and for what purposes? Answering all of these questions is key not just as a level-setting exercise but also as part of compliance with the documentation requirements of Article 30 of the GDPR. Once data flows are mapped, you can begin to devise your accountability plan, which is really just a nicer name for the data protection compliance program. This may include an obligation – or a voluntary choice – to appoint a Data Protection Officer (DPO). It also requires reviewing and possibly tightening the terms of engagement with third-party service providers, the vendors who access the organization’s data to perform various tasks. Where necessary, companies must perform Data Protection Impact Assessments, a comprehensive risk analysis of data activities in the context of new products or services or particularly sensitive data.
- Third, applying GDPR rights and obligations. Once a compliance structure is in place, the company can transition to applying the substantive provisions of GDPR. This means determining the legal bases for processing data, including consent, a legal obligation, or the legitimate interest of the controller balanced against individual rights. It requires implementation of the rules on profiling, including review of automated decision-making and offering individuals opt-out rights. And it involves understanding the new rights to be forgotten and to data portability, as well as the obligations of data protection by design and by default. These requirements come on top of challenges privacy professionals have already faced for years, such as the need to devise solutions to restrictions on cross-border data flows, including standard contracts or binding corporate rules.
Importantly, a General Counsel or Privacy Officer should ensure that, throughout the company’s engagement with the GDPR challenge, senior management is on board. Avoiding compliance risks and reputational harm is obviously a key management interest. It means that employees throughout the corporate hierarchy should understand core data protection concepts and why new systems and services should be designed with privacy in mind. It may require budgets for the introduction of data-mapping software, the hiring of lawyers and consultants, the training and education of employees, and in some cases the adaptation of products and services to comply with the new law. While it sits on the plate of the General Counsel or Privacy Officer, an effective plan to minimize risk and maximize corporate value is something even Tolstoy would appreciate.