Section 2

Building Your Foundation


Implement What You Know with Confidence

Discover action-based tools that provide simple steps for program improvement or robust plans for new ways of doing business. 


Your ethics and compliance program is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, and mergers and acquisitions all become part of a growing enterprise that your compliance ecosystem must support.

Effective compliance programs are able to deftly navigate these complexities because they have built strong foundations that were developed with the nature of the compliance industry in mind.

This section offers expert advice and programmatic best practices to ensure that the first steps you take to develop your program are in the right direction. If your program is more mature, these resources and insights will give you the guidance needed to course correct and strengthen your program's foundation at whatever stage it is in.


How to Survive General Data Protection Regulation (GDPR)

Chapter 9 of The Worst-Case Scenario Survival Guide for Compliance Professionals

Learn how to survive the General Data Protection Regulation (GDPR) with Tom Fox.

Tom Fox 03/21/2018

You receive an email from your European operations asking whether you, as the CCO, are also the company's Data Protection Officer (DPO) under GDPR. You look up the acronym and learn that it stands for General Data Protection Regulation, which took effect on May 25, 2018.

While your company has a data protection and data privacy policy that satisfies relevant U.S. law, the more you look into GDPR, the more requirements you find in the regulation that are not covered, or even addressed, in your corporate data protection and privacy policy. What do you do now?

How to Survive

Get to Know Your Regulator

Under the new rules, the national independent regulators remain in place; GDPR does not create a centralized EU regulator. Each national regulator is called a "Supervisory Authority" under the new rules. A key component of GDPR, however, is the "one-stop-shop" mechanism: where data processing crosses the borders of EU Member States, the Supervisory Authority of the country in which the company has its main EU establishment acts as the lead Supervisory Authority, so the company deals primarily with a single regulator.

Companies will deal with one lead supervisor, but that supervisor may well be coordinating with the other EU watchdogs concerned. This approach is a welcome step forward in simplifying compliance and ensuring consistent application of the new rules by regulators.


Get a Handle on the Data You Process & Control

Companies that are data controllers or data processors in the EU, or that handle EU personal data, have more accountabilities and requirements under GDPR. Both processors and controllers must now maintain records of their processing activities according to detailed criteria set out in the new rules, and those records must be made available to the Supervisory Authority upon request. Companies that are data controllers must also implement appropriate technical and organisational measures to demonstrate that personal data is processed in compliance with the new rules, including the adoption of data protection policies.

As every compliance professional is aware, the three most important parts of any compliance program are the following: Document, Document, Document. This is equally true for GDPR compliance, as you will have to be able to demonstrate your documentation of data processing activities, your due diligence on suppliers, and the data processing provisions in your contracts.


Create New GDPR Specific Policies & Procedures

Companies that control data must implement more rigorous privacy measures for data processing. A new key safeguard (and just a great word) is "pseudonymization." This refers to processing personal data in such a way that the data can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and protected. GDPR does not mandate pseudonymization outright, but it is named as an appropriate measure for data protection by design and for securing processing. Further, data controllers must implement appropriate measures to ensure that, by default, only the personal data necessary for each specific purpose is processed. This obligation applies to the amount of personal data collected, the extent of its processing, the period of its storage, and its accessibility. A company is also required to ensure that, by default, personal data is not made accessible to an indefinite number of people without the individual's intervention.

Simply having a U.S.-compliant data protection and privacy policy is no longer sufficient, as each of these obligations created under GDPR will require the implementation of new internal policies and procedures.