Start getting ready for Europe’s new data protection regulation today

Chiara Rustici, Independent Privacy Analyst

You are in charge of your organization’s security. Depending on how large and well resourced your business IT function is, your business card might read IT director, CIO, CTO, or CISO. In all events, if yours is an EU-based company or a non-EU one that deals with personal data of EU citizens, the General Data Protection Regulation (GDPR) brings a new legal obligation that your organization has to comply with: when a personal data breach has occurred, you have to notify the competent data protection authorities within 72 hours and, if the leaked data is likely to impact the rights of the individuals concerned, let the individuals themselves know about it.

Data breach notification is no longer a media relations issue or opportunistic PR choice: it’s law, with fines for non-compliance amounting up to 4% of the organization’s worldwide turnover. The risk is now existential, and the financial impact of GDPR enforcement on businesses makes it imperative to escalate data protection issues to the executive board. This is a battle that you don’t have and shouldn’t have to fight alone.

Maybe your board has already dealt with the “privacy posture” issue. Perhaps your CEO has already consulted you and formulated a strategy, so now you have all of the following:

  • A budget earmarked for GDPR compliance
  • Buy-in from your Chief Marketing Officer
  • Buy-in from your HR
  • A roadmap, people and processes in place to ensure your whole organization meets the 24-month deadline.

If so, congratulations.

If not, you may want to take on the GDPR readiness initiative before it lands on your desk with only one month to go to the deadline. Now is the time to have the “privacy conversation” with your board.

This might be tricky if you have a CEO or board that has some notion of the new privacy laws coming into force in Q1 2018, but fails to grasp the extent of the impact of the GDPR on each and every function handling data within the business. They may often have even less appreciation of the timescale of the change programme and of the resources required for compliance.

You may have already sat opposite the CEO, the board, and in-house legal counsel, who thanked you for raising the issue but then responded with a combination of the following:

  • We’re an SME, we are not held to the same standards as Facebook or Google; that’s who the EU is really after
  • We’ll get our legal team to redraft our privacy policies and consent forms. They are already onto it
  • This is about handling data of EU persons: we don’t have offices in Europe. We don’t do much business there, that’s not our core market
  • We’re fine – we’re not in the personal data business. The GDPR applies to businesses that collect personal data on a large scale.

But you know complacency is risky. You know all of the above are false assumptions and/or beliefs. Even though you can’t get the message through to the board, you cannot afford to give up. You are right to escalate the issue – the GDPR has catapulted data privacy to board level.

Just as it’s up to the board and CEO to decide what business model or revenue model the company has, so is the decision on what the right data model should be.

In practice this means that:

  • The decision of where to store data, for how long, and what to do with it, is no longer a back-office prerogative
  • The default practice of never deleting anything and storing large data sets to allow possible future predictive analytics is now a liability. Like all other risks, it has to be quantified, included in the risk register, minimized and reported on
  • The decision of whether the organization wants to play in the data analytics space and for what gains, vis à vis the likely costs of treating all of the data sets in a GDPR compliant manner, is now strategic rather than operational.

All of the above are board decisions.

Yet, some boards may not yet be knowledgeable enough about data and metadata to exercise judgement. They need your help in grasping the issue. Other boards may be overwhelmed by the need to prioritize cybersecurity and have only just started to resource and monitor that risk. Others still may be absorbed by the “we must do big data” mantra and are simply not ready to backtrack and reconsider the privacy implication.

A variety of reasons may keep GDPR issues at the bottom of the board’s list of priorities for most of the 24-month implementation period given by the EU legislator. Waiting for the board’s go-ahead before initiating GDPR compliance may leave you short of time.

The bedrock of your compliance is mapping your data flows – not just mapping your data storage, but data in transit, too.

As well as visualizing where data comes into the business and where it leaves the corporate perimeter, it will help to create a visual representation of what day-to-day activities within the corporate perimeter amount to digital data manipulation. This will make it easier to explain even to the least IT-literate audience that the GDPR meaning of “data processing” also includes retrieving, consulting, organizing, structuring, aligning, combining, disseminating, disclosing by transmission or soft-deleting data as well as collecting, storing and destroying it.

The IT department has the most knowledge and grasp of the architecture and data flows of an organization and it’s worth building a tool that can be relied upon by every function of the business, using a good visualization method that works for all. What can be done straight away and requires little or no budget is to prepare the functional specifications of any such data map visualization.

The second building block of compliance is organization-wide awareness of data protection principles. On this, you may need allies in the HR or T&D department. Training budgets tend to be decided close to the start of the new financial year (mostly December or January) and they tend to be already entirely allocated by end of Q1. Get on their radar before the end of February. Have a conversation now about accommodating a campaign of privacy awareness within their existing initiatives throughout 2016. You may well need a whole year of campaigning to get everyone to begin to consider themselves as “data processors” and “data controllers,” your clients, suppliers and employees as “data subjects,” and any data set as potentially including “personally identifiable information.”

You then need the whole of next year to get the board and everyone else to agree on ways to turn from business-as-usual to business-that-is-GDPR-compliant, to implement the new data architecture, and to have everyone familiarize themselves with it. So tell them right away that next year’s HR training budget will have to include GDPR preparedness as a standalone item.

Another question raised by the GDPR is whether your organization should hire a Data Protection Officer (DPO), also known as a Privacy Officer, and whom the person in this role should report to.

In the battle for boardroom visibility you will likely witness many C-level executives claim this privacy role as one within their area of responsibility. CIOs, CTOs, CISOs, Chief Risk Officers and general counsel may all demand that the Privacy Officer report to them. Some board consultants advise making the role of Chief Privacy Officer an independent one, reporting directly to the CEO – a position not dissimilar to that of internal auditors.

Whichever turn internal politics take, it pays to designate someone in the IT department as a de facto DPO or shadow Chief Privacy Officer right away. This person should have in-depth knowledge of the organization’s architecture, people, and processes. They should be easy to work with and respected by those they have to collaborate with, as the road to compliance will be rocky.

When the company is eventually ready to hire a DPO, it will be a definite advantage to have ready-made talent for the role to choose from internally.