October 16, 2017

The GDPR Countdown: How to Plan your Next 256 Days

In less than a year, any organization providing goods and services to EU residents will be within the enforcement zone of GDPR.

While the rhetoric online continues to push a frightening narrative, compliance is possible and GDPR does more than compel an organization, big or small, to adhere to its provisions.

If you have read previous posts or attended our recent webinar, which you can watch on-demand here, you are likely aware that we have laid out five key priorities or initiatives to get a jump start on the May 25, 2018 enforcement date. These priorities are listed below.

Now, you may be thinking “ok, that’s great insight, but we can’t do everything at once! Where do we start?”

We’re glad you asked. What follows is a timeline of these five priorities and how they fit into your preparation for the enforcement date. You may not need to hit every step or task, but this timeline can provide any organization with a road map to prioritizing the right tasks and the right people to ensure you reach your organizational goals.

October – December 2017 – Implement a Data Mapping Process and Conduct a Privacy Impact Assessment

The underlying principle of GDPR, and for many international regulations on or coming to the stage, is the need for data minimization or strategic data collection.

For most of us, that means shifting our perspectives, transitioning from collecting all that we legally can to only collecting the minimum in the right locales and for the intended need, nothing more.

To get there, an organization must perform a data mapping exercise. The steps to conduct your own data mapping have been outlined here in a recent post. Upon completion of this exercise, organizations will be able to delve into the Privacy Impact Assessment (PIA) and identify where privacy could be impacted in their environment.

January – March 2018 – Build Relationships with Third Party Providers

Organizations can feel free to meet with any third parties that handle their data in concert with the data mapping and PIA. In a lot of ways, this is an optimal strategy.

The intent is to establish an up-to-date inventory of all third-party data processors you utilize, the types of data these third parties handle and to begin discussions of compliance with GDPR.

Some vendors may not yet realize they need to be in alignment, and it is your information and guidance that will ensure they are.

Overall, make sure to cultivate meaningful relationships with your processors. GDPR contains obligations for both the controller and processor, and building strong working relationships is advantageous to all parties.

January – March 2018 – Define Data Retention

As with a lot of these tasks, defining data retention can be performed in concert with others. Most organizations will be aware of what regulatory requirements they must meet for data retention and this is a great start.

For data concerning EU residents, make sure that each data subject's data is purged once any contractual or regulatory necessity for retaining it has been met.

March – April 2018 – Identify your Supervisory Authority

GDPR may be the product of a long-term evolution toward a unified data protection regulation, but it will bring new operational bottlenecks for supervisory authorities and organizations alike. It is in your best interest to allow some of the details and processes regarding the supervisory authority to be fleshed out. As the enforcement date gets closer, we will all have more information to work with.

The objective of this priority is to identify and begin crafting relationships with your applicable authorities. This will help guide everything in your Global Data Protection Program’s life cycle.

March – May 2018 – Consider Certifications that Align with GDPR

There is mention of GDPR certification, but no details are forthcoming. Since GDPR is an international regulation, it makes sense to align with an internationally recognized framework. We recommend ISO 27001 and ISO 27018. Certification can be a lengthy process and is not crucial for compliance or for building your data protection program, but establishing your choice within the organization as you move toward alignment will make your program stronger and in unison with GDPR and other evolving regulations.

Each time frame presented here is broad. The length of time it will take your organization to complete each step depends on where you are in the process.

We recommend taking these steps piece by piece and being methodical about overlapping them where applicable. Data protection is cross-functional by nature, so engaging all parties and establishing a top-down initiative to comply is advised. Take a look at our Privacy Tracker Tool, which helps you stay up to date with every privacy regulation.

Always remember that GDPR isn’t only a regulation to comply with. It is an impetus to set a new global data protection standard. Organizations that push forward with that mindset will excel compared to competitors in the long term. This is the strategic advantage.

Christina Whiting is the managing director of Compliance and Enterprise Risk at Tevora.

David Grazer is a consultant on the Compliance and Enterprise Risk Team at Tevora.