GDPR is Here! Now What?
The deadline for complying with the new European Union privacy law, the General Data Protection Regulation (GDPR), has come and gone, and even companies that met the deadline are wondering what comes next. While in many cases we will have to wait and see how the data protection supervisory authorities in the EU begin enforcing the new regulation, there are steps all companies can take to help minimize GDPR risks.
1. Evaluate Your Weaknesses
Regardless of your level of preparedness for GDPR, every company should evaluate its GDPR compliance efforts to identify program weaknesses. For companies in full or partial compliance with GDPR, conducting a risk assessment can provide an objective, measurable analysis of potential vulnerabilities or areas where a compliance failure can escalate quickly. The results of the risk assessment can help identify areas of focus for continued compliance efforts or process improvements.
For companies in the early stages of GDPR compliance, conducting a gap analysis to measure current data protection and information security processes against the GDPR requirements provides insight into areas with the biggest compliance risks. This will also highlight internal processes where you may be able to achieve quick wins by tweaking what you already have in place.
2. Prioritize Your Next Steps
The results of your program assessment will help you identify your immediate, as well as long-term, next steps. When prioritizing areas for improvement, consider focusing on the most significant compliance risks to your organization. Some compliance activities may provide an outsized return on investment—or in the case of GDPR, a significant risk reduction for the investment.
You may also want to prioritize “low hanging fruit,” or compliance activities where you can quickly meet your obligations. Often, such activities are areas where you can adapt existing internal processes, business operations, or compliance efforts to meet your GDPR obligations.
3. Plan Your Long-Term Strategy
Your prioritization of compliance activities should be reflected in your GDPR compliance plan, including the long-term strategy of your data protection and information security efforts. For companies with established data privacy programs, including full GDPR compliance, consider creating a long-range strategic plan for the continued development and maturation of your program. Such a plan should map to the overall strategic plan of your company and identify privacy program developments, technological improvements, and resource investments that may be required to support the future objectives of your company in a manner compliant with GDPR and other privacy requirements.
For companies still working toward GDPR compliance, or still developing a privacy program, use the results from your prioritization exercise to develop near-term objectives to meet full GDPR compliance, as well as future long-term goals for your privacy program. Additionally, identify resources that you currently have, both internally and externally, to help meet your near-term objectives, as well as potential resources you may need in the future.
4. Measure Your Progress
Develop metrics to measure your progress against your privacy program strategies, including evaluating progress and effectiveness of your efforts. Compliance activities that fail to meet objective measures of success can be added to a strategic plan or reprioritized to ensure compliance efforts enable you to meet your obligations under GDPR.
5. Repeat Your Efforts
The work of privacy compliance is never done, and you should develop a process to review your progress on a regular basis. This includes repeating an evaluation of your weaknesses and working through your prioritization, planning, and measurement of compliance efforts.
Not Sure if GDPR Applies to You?
Many companies without established business operations or direct customers in the EU wonder whether GDPR applies to their operations, as failure to adequately comply with GDPR can result in fines up to 4 percent of global revenue or 20,000,000 Euros. In general, companies must comply with GDPR if they are established in the EU, offer goods or services to data subjects in the EU, or monitor the behavior of data subjects while they are in the EU.
It is common for U.S. companies to assume that without customers in the EU, particularly individual consumers, GDPR does not apply to them. However, many such companies are unaware that they may need to comply with GDPR given the nature of their business operations.
For example, if you answer “yes” to any of the following questions, you may need to comply with GDPR:
- Are you a company that collects and stores business contact information of EU citizens in a contact database, including in an e-mail client contact list?
- Do you have business relationships, including partners, subsidiaries, independent contractors, agents, employees, or distributors, in the EU?
- Do you provide an app or website that does not restrict access, including viewing, providing data, or placing an order, from individuals while they are in the EU, even if they are merely traveling to the EU?
- Do you provide business services to companies that require you to process data provided by the company, which could include data from EU data subjects?
- Do you collect personal information from EU nationals to sponsor visa applications?
There are many other circumstances in which GDPR could apply to a company, even without direct operations in the EU. Companies should carefully evaluate their business practices to determine what, if any, data is processed from the EU.
If you have questions about complying with GDPR, or whether the regulation applies to your company, we welcome you to contact our Data, Privacy and Cybersecurity team.