What to do if you missed the GDPR deadline

Post GDPR Deadline Guide: What to do after the 2018 deadline

Five steps to take after the GDPR deadline and how to become compliant 

It is OK if you are not completely GDPR compliant after the May 25th deadline. In fact, Gartner predicts that by the end of 2018, half of all businesses affected by the GDPR will not be fully compliant with its requirements. Bart Willemsen, research director at Gartner, says, “The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well. […] Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.” Despite the announcement of fines and legal action against non-compliant companies, the EU is not going to hunt you down guns blazing. What is most important is that you have taken some steps towards compliance. Having completed a GDPR Readiness Assessment or a Privacy Impact Assessment will greatly play in your favor in the eyes of regulators. Elizabeth Denham, the Information Commissioner, stated she “prefers the carrot to the stick, and while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective”.

Appointing a Data Protection Officer (DPO) is also crucial. Whether you decide to do it in-house or as a managed service from a third-party security company, having a DPO sends a clear message to regulators that you are serious about GDPR compliance. These are the actions regulators are looking for; expecting every company to become GDPR compliant overnight is extremely ambitious.

Gartner recommends organizations focus on five high-priority changes to help them get up to speed with GDPR requirements.

  1. Determine Your Role Under the GDPR

Any organization that decides on why and how personal data is processed is essentially a “data controller.” The GDPR therefore applies not only to businesses in the European Union, but also to all organizations outside the EU that process personal data to offer goods and services to the EU, or that monitor the behavior of data subjects within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects. One method of determining whether your organization falls under the scope of the GDPR is to complete a GDPR Readiness Assessment. Its questions can help you determine whether your organization needs to worry about the GDPR at all. However, it is important to know that the GDPR is only the beginning of privacy laws for individuals, and it is widely believed that the United States and other countries will eventually follow suit.


  2. Appoint a Data Protection Officer

A data protection officer (DPO) is a security position tasked with ensuring that data management and handling are compliant with the European Union’s General Data Protection Regulation (GDPR). Most organizations must appoint a DPO to be GDPR compliant. Simply appointing a DPO will reduce the scrutiny the EU regulators will place on your organization. You can appoint a DPO in-house or by using a third-party company (DPO as a service). This not only helps with GDPR compliance, but will likely help you avoid a hefty non-compliance fine and improve your company’s overall security. The recent influx of data breaches from cyber attacks shows the importance of having a DPO. By adding this extra level of oversight, some large organizations might have prevented data breaches such as those that occurred at Equifax and Verizon. Even if you come to the decision that you don’t fall under the GDPR, appointing a DPO should be something to consider.

  3. Define a Clear Process for All Data Activities Going Forward

Very few organizations have identified every single process where personal data is involved. Access privileges, data quality, and data relevance should be decided on when starting a new processing activity. This includes every area of your website where form fills or tracking reside (such as Google Analytics, Mailchimp, etc.). Organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities moving forward. Third-party companies must also comply with requirements that can impact the personal data and processes in use. It is important to note that accountability under the GDPR requires proper consent from the user at acquisition and registration. Pre-checked boxes and implied consent are no longer acceptable forms of “opting in”. A clear and express action to obtain and use the subject’s personal data is needed, along with the option to withdraw that consent. If you need help designing such a procedure, you can reach out to MDS for more information via email.

  4. Post Data-Breach Policy

All organizations must report certain types of personal data breaches to the relevant supervisory authority. They must do this within 72 hours of becoming aware of the breach, where feasible. If the breach affects individuals’ personal data as well as their rights and freedoms, you must also inform those individuals without undue delay. Organizations should have breach detection, investigation and internal reporting procedures in place, and should keep a record of any personal data breaches, regardless of whether they are required to notify. These are the aspects of the GDPR that can accrue penalties and fines. One thing that people everywhere now know about the GDPR is that GDPR fines (administrative fines) can go up to 20 million Euros or 4 percent of annual global (note: global) turnover, whichever is higher. This is where most businesses have decided not to take any chances. With the increase in ransomware and phishing attacks, beefing up cyber security practice will pay off in the long term regardless of these regulations.


  5. Prepare for Data Subjects Exercising Their Rights

Data subjects have extended rights under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed in the event of a data breach. If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls. Similar to the “opt-in” requirements for your website and email lists, you then want to give your data subjects the opportunity to “opt out” of all communications. Data subjects should also have the ability to be completely erased from your database. This “right to be forgotten” protects the data subject in the event of a data leak, and gives the data subject control over their personal information and how it is being used. If you complete these five steps you will be way ahead of the game when it comes to GDPR compliance. Please don’t hesitate to reach out to us for any help along your compliance journey.

Reach out to an MDS compliance expert now and we will get back to you shortly!