There’s this thing called the General Data Protection Regulation, or GDPR. Perhaps you’ve heard of it?
Few regulatory changes have inspired more anxiety or frenzied activity than the EU’s new privacy rules. Scheduled to go into effect this May – only about four months from now – the rules require just about any company that does business with European consumers to institute a laundry list of measures designed to protect any information that can be defined as “personal data.”
From a corporate general counsel’s perspective, this is huge. Under GDPR, privacy by design is the new norm, and to a certain extent we GCs are the designers.
What Do I Need to Do for GDPR in the Legal Department?
General counsel may not know a lot about server architecture or software engineering, but we do know all about assessing and controlling risk. And GDPR, with potential penalties running up to four percent of global annual turnover (or €20 million, whichever is higher), presents a potentially crippling risk for companies that fail to get into compliance now.
But how does a non-technician get a handle on this wriggling mass of loose ends? The same way lawyers handle any other issue: By identifying threats, setting priorities and asking questions. As Matt Kelly explained recently, we need a GDPR compliance checklist to ask the right questions and be able to confidently answer them.
- Do you understand all the ways your company handles personally identifiable information?
- Do you have compliance systems in place to detect a personal data breach and notify the supervisory authority within 72 hours of becoming aware of it?
- Can your employees fulfill other GDPR requirements, such as obtaining verifiable parental consent before processing personal information about children under the applicable age threshold?
- Does your ethics and compliance program train employees to understand the full breadth of issues raised by GDPR and properly assess the risks facing each business unit that handles personal information?
Drilling Down Deeper
To answer these questions confidently, a general counsel needs to awaken their inner designer and aggressively map data touch points across the organization. This is the only way to meet the “privacy by design” requirement in practice. By data mapping, I mean tracing who collects personal information (and why), how your organization is using it, where and how it is stored, and where it goes after you’re done with it. Remember: “personal data” covers everything from dates of birth and driver’s license numbers to purchase histories to social and ethnic identifiers.
Proper data mapping gets us to another set of questions:
- Are outside vendors processing personal information you collect? Are you processing theirs? Are there sub-processors further down the chain?
- How is data destroyed, and are your vendors following the same procedures?
- Which cloud systems are you using and what information is flowing to them?
- How good are your data security measures? Do your vendors meet the same standards?
None of us has the luxury of unlimited time or budget to accomplish everything we’d like to. In the realm of GDPR compliance, do not let the inability to accomplish it all become an excuse not to start down the path to compliance. GDPR is a compliance regime, and I believe EU regulators will give credit for actual, honest attempts to comply with the rules, as opposed to paper programs without substance. If you can’t answer the questions above, you’ve likely got a paper program: empty promises without verification.
You’ll Feel the GDPR Pressure Sooner or Later
If you are a GC, in the legal department, or touch the realm of compliance in some way, you’ll soon become accustomed to the sensitivity that surrounds the new privacy regulations. As a provider of highly sensitive services to many of the world’s largest corporations, NAVEX Global is squarely within the reach of GDPR, and we’ve asked these questions of all our employees and vendors. More importantly, our customers and partners are asking us. I’m probably getting half a dozen IT questionnaires a month from companies that understand the full ramifications of GDPR.
If we’re getting this many inquiries, so are your vendors and clients. Anyone out in the stream of data commerce has been asked these questions many times already, so don’t settle for anything less than complete answers. If you get significant pushback, that’s a warning sign that you are not dealing with the right people. They will become the weakest link in your GDPR compliance chain, and if you share sensitive data with them, you will become the weakest link as well. And I understand that your marketing and sales teams are going to tell you, if they haven’t already, how hard compliance will be and how dramatically leads and sales will decline. We all have quotas to fill and top-line revenue numbers to meet. But it’s much better to have these conversations internally with your colleagues now, impressing upon them that compliance isn’t voluntary, than to have a later conversation with your board about why European regulators are putting up to four percent of your organization’s global revenue at risk.
This time next year – or, really, at this time in June – you don’t want to be saying to yourself: I had the good sense to ask, I got answers that were troubling, and I didn’t do anything.
By then it will be too late.