We have developed an essential guide to the GDPR which provides an updated phased approach to GDPR compliance. Download the Guide.
There are a lot of great resources out there summarizing all of the new requirements under the GDPR (see IAPP, other resources). But once you see the long and dizzying list of new requirements, it’s easy to get overwhelmed. Fear not, there are ways to tackle it one step at a time.
TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance. This multi-part program provides both guidance on what to do, along with options for helping you get it done.
While May 25, 2018 – the compliance deadline – may seem like a long way off, many items will likely take your organization considerable time to implement so it’s wise to start the process now. Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.
Step 1 – Assess Readiness
The very first thing to do is Assess – Are you impacted? Where do you stand?
Are you impacted?
You may be thinking, I don’t need to worry about the GDPR because it doesn’t impact my organization. We don’t have offices or do business in the EU. But the GDPR includes a significant increase in scope over prior EU data protection law that makes it “extra-territorial” or beyond just being located or doing business in the EU.
This means, you need to take a closer look. Specifically, you should ask three threshold questions:
- Do you “offer goods or services to EU residents”?
- Do you “monitor the behavior of EU residents”?
- Are you a “Data Processor” (one who processes the data on behalf of the Data Controller) of EU resident “personal data” (any information relating to an identified or identifiable natural person (“data subject”)?
If you answered, “yes” to any of the above, then you’re impacted and need to start taking steps toward compliance. Some things to keep in mind:
- The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens.
- By including the scope of the GDPR to include “monitoring the behavior of EU residents”, this makes the applicability net as wide as it can get. Practically every website and app out there tracks digital activities of its visitors. Even though you may not be actively targeting and monitoring EU residents, if you have a website or app that tracks who visits and an EU resident happens to find their way to your digital property from within the EU, you’re impacted. Moreover, monitoring of behavior can be applied more broadly and include profiling that leads to actions that analyze or predict personal preferences, attitudes and / or behaviors. Thus, the GDPR impacts targeted behavioral advertising and other data analytics.
- The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers. This has major impacts to cloud companies that process data on behalf of others, especially as the definition of “personal data” is now broadened and includes info like IP addresses, cookie strings, and mobile device IDs.
Where do you stand?
Now that you know that you’re impacted, you need a way to self-diagnose. You could leverage a controls checklist, build one yourself, or take advantage of a free easy-to-use online GDPR readiness assessment tool. Whatever self-diagnosis path you choose, you need to make sure it includes a fairly comprehensive list of the requirements so you have confidence that your assessment is thorough.
This initial GDPR assessment should guide you through GDPR operational requirements under the following areas, with particular emphasis on what’s new:
- Collection and Purpose Limitation. An assessment should check on whether the info collected is necessary and relevant, with particular scrutiny around information that is sensitive, involves criminal convictions or offenses, or is collection from children under the age of 16.
- Data Quality. This centers on steps taken to ensure accuracy of data and processes for deleting or correcting it.
- Privacy Program Management. This is a major area requiring a multitude of operational changes – e.g., documentation of your legal basis for Cross-Border Data Transfers, PIA Programs for new products or “high risk” processing, processing activities requiring the designation of a DPO, and due diligence obligations and contracts for Onward Transfers, to name a few.
- Security in the Context of Privacy. This includes requirements on the use of industry-standard encryption technologies for sensitive data, systematic destruction, erasure or anonymization of data, and documentation on security programs.
- Data Breach Readiness and Response. A documented privacy and security Incident Response Plan is essential, particularly because there are significant new data breach notification requirements (e.g., controllers must notify supervisory authority within 72 hours).
- Individual Rights & Remedies. The GDPR expands individual control with new rights, e.g., the “Right to be Forgotten” (data erasure), “Right to Data Portability” (to transmit data to any other controller), enhanced rights around processing (notice, access, rectification, objection) and filing complaints.
The GDPR Readiness Assessment, powered by TRUSTe Assessment Manager includes all of the above modules.
The result includes real-time findings to show what requirements you currently meet, a gap analysis to show what’s not yet covered, and operational recommendations to close the gaps. This gives you a solid handle on where you currently stand and is critical for the next step in the Path to GDPR Compliance … to be covered in our next blog post Step 2: Build Consensus.
Visit https://www.truste.com/business-products/gdpr-privacy-solutions/ for more information on TRUSTe GDPR Solutions.