By now, you may have heard about the European Union General Data Protection Regulation (GDPR) that is rattling companies from technology titans like Facebook to small businesses with a website. In short, the GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals residing in the EU. The new policies set by GDPR and the ePrivacy Regulation are some of the most significant changes in data privacy regulations in 20 years and will dramatically change how organizations worldwide collect and process data.
If your organization works with data on EU residents, you will be required to comply with GDPR once the regulation goes into effect on May 25, 2018. Non-complying organizations may be faced with fines of up to 20 million Euros or 4 percent of total yearly revenue per incident.
The main purpose of this historic regulation is that GDPR grants consumers and individuals a range of data subject rights. With significant data breaches and other data scandals such as Cambridge Analytica, Equifax, and, most recently, MyFitnessPal, continuing to make headlines, organizations are being pressured to treat data privacy as a right.
GDPR will have strongly affect how your organization processes data, regardless of which side of the Atlantic you are on. By complying with GDPR, your organization shows that you prioritize your members’ and users’ trust.
Ten Steps to Embracing Privacy by Design at Your Organization
1. Educate your staff, and get buy-in from your top stakeholders.
Don’t be mistaken — GDPR is not solely an IT issue . Whether they work in accounting, membership, or government relations, your staff handles a great deal of data.
Educate your staff on personal and sensitive data , and have everyone, from your leadership team to your boots-on-the-ground staff members, make privacy compliance and data governance a priority in your organization. Privacy by design and default is a key part of data protection. Make it a point to regularly discuss data protection at senior management meetings to maintain staff awareness.
2. Appoint someone on your staff to be the Data Protection Officer (DPO).
While your organization might not be legally required by the GDPR to appoint a DPO, we recommend having someone — or even better, a group of staff members — in your organization to be your internal advocates for data protection.
These people should be well-versed enough in your organizational structure and IT infrastructure to help internal staff understand data protection as it relates to a staff member’s tasks and goals. They should also maintain records of data processing activities, and lead regular audits to ensure privacy compliance and proactively address potential issues.
3. Comprehensively assess your data.
One of the best ways to prepare for your transition to privacy by design and solid data governance is to understand your organization’s data inside and out.
The more honest, transparent, and comprehensive your data audit is, the easier it will be to identify ways to change your business process to ensure GDPR compliance.
When reviewing your organization’s data, think of the 5 W’s:
- Whose data is being collected, processed, and stored?
- What data is being collected, processed, and stored? Of the data you collect and process, what is personal and what is sensitive?
- Where is data being collected, processed, and stored? Remember: Excel workbooks also count!
- When is data collected, processed, and stored?
- Why is data being collected, processed, and stored?
4. Review how you are getting data and consent from your users.
In addition to answering the “5 W’s” in your data audit, make sure you are also taking note of how you are gathering data and getting consent from your users to gather, store and process their data. Under GDPR, user consent must be explicit, freely given, specific, and unambiguous . This means that users must not be required to hand over their information to use a service, nor should they be automatically opted-in for emails and communications upon signing up for a service.
Be sure to take note of all your organization’s methods of data collection, including member registration, newsletter subscription, and meeting registration forms and well as any cookies and tracking pixels installed on your web properties.
5. Review your third party vendors.
Under the new data protection regulations, any third-party data processors that you use is legally obligated to be compliant with GDPR. This is the time to take stock of any third party vendors that process information on your behalf, and note whether they are GDPR compliant, or if not, what steps they are immediately taking to be GDPR compliant.
Common third-party vendors that associations use include:
- AMS or CRM
- Web Analytics Software
- Email service providers or marketing automation platforms
- Meeting planning or registrar services
- E-Learning services
6. Review your data policies and procedures.
Although your third-party vendors are required as data processors to make their software GDPR-compliant, they are not responsible for your internal policies and procedures. Take stock of your organization’s policies and procedures on how you collect, process, and store data.
While reviewing your organization’s processes, make sure that you are answering these four questions that relate to several key principles of GDPR:
- Does your organization have data retention policies? Do you have a process for data deletion, if the individual makes the request?
- How does your organization evaluate and assess new data sources, technologies, or business processes?
- Does your organization have an internal process and communication plan in the unfortunate event of a data breach?
- Does your organization have a legal basis or ‘legitimate interest’ in the data that is being gathered and processed?
7. Understand Individuals’ Data Rights under GDPR.
One of the most significant changes that GDPR brings is that the regulation grants ownership to an individual’s data to the individual, not to the organization.
The GDPR introduces these eight data rights for individuals.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The Information Commissioner’s Office (ICO), the UK’s independent body to uphold information rights, created a Guide to the General Data Protection Regulation that goes more in-depth on these new individual data rights, and what steps your organization to ensure the individual’s data rights are protected.
8. Perform a Data Protection Impact Assessment (DPIA) to minimize privacy risks.
GDPR recommends risk assessment be an ongoing and continuous process. Your first GDPR risk assessment will go a lot smoother if you have done a comprehensive data audit.
The ICO also created several checklists to evaluate your organization’s data protection compliance and also suggests actionable steps to improve your GDPR compliance.
9. Create an action plan to improve your organization’s data governance.
Once your data audit and risk assessment have been completed, create a roadmap to plan any necessary data migrations, consolidations, and policy and process changes.
Latest posts by Christi Liongson (see all)
- GDPR or: How I Learned to Stop Worrying and Love Data Protection - April 5, 2018