5 Questions to Make Sure You’re GDPR-Compliant by May 2018

It’s no secret that data analytics has become increasingly important in the corporate world over the course of the last decade. Marketers, IT professionals, cloud experts, and regulatory teams all rely heavily on the availability of data on a near-daily basis. And while some of that data is within the walls of the organization, much of it is compiled from outside sources—which is often taken and used without permission.

Enter the General Data Protection Regulation (GDPR)—a regulation developed to strengthen and unify data protection for all individuals within the European Union. The legislation was first called the Data Protection Directive in October 1995 and has been amended several times since January 2012, when an update to the original bill was proposed. Three years later in 2015, European officials agreed on a final product and have since adopted it, requiring every organization across the globe that collects or retains personal data from individuals in Europe to comply by May 2018.

And yet, according to a recent survey conducted by Spiceworks, less than half of U.S. and European businesses are informed about GDPR’s impact. The study found that while 43% of IT professionals in the U.K. and 36% in the rest of the EU said they are informed about GDPR and how it affects their business, a mere 9% of IT pros in the U.S. claim to have an understanding of what the regulation entails. If that’s not alarming enough, only 2% of IT pros in the U.S., 5% in the U.K., and 2% in the rest of the EU believe their companies are fully prepared for GDPR.

With less than a year to get compliant, those who have yet to begin the process are already behind. The regulation contains 11 chapters and 91 articles outlining all of the requirements for compliance, such as how to process and store personal data, how to obtain consent, how to make data anonymous to protect privacy, how to report data breaches, and how to safely transfer data across borders—to name a few.

This is quite an abundance of content to sift through, and organizations that have not yet started their compliance plans must begin immediately if they want to be compliant by the May 2018 deadline. Failing to do so could mean penalties as severe as having to pay up to 4% of their global revenue depending on the nature of the violation, potentially costing an organization millions of dollars. This is a stark difference from the fines related to violating the Data Protection Directive, as supervisory authorities (SAs) now have greater authority and power to enforce the law—including being able to issue warnings of non-compliance, carry out audits, require specific updates and timeframes for compliance, order erasure of data, and suspend data transfers to third countries. Based on the severity of the punishment for non-compliance, it’s clear that there is very little room for interpretation on GDPR guidelines.

Here are five questions organizations should ask that will make the process easier and give them insight into whether or not they’re on track to be GDPR compliant by spring 2018.

Does the entire organization understand what GDPR is and its impact?

While the IT department will likely be leading the charge on ensuring the organization is on track to be GDPR-compliant, it is essential that all departments understand what GDPR is and how it could impact the ways they work. The ripple effect of GDPR hits on every aspect of an enterprise’s business objectives and departments, and it’s up to the leaders of the organization to articulate and emphasize this impact.

For marketers—whether B2B or B2C—becoming GDPR-compliant means conducting a full audit of the current use of personal data. The audit is a tedious process, but consumer data is a huge portion of marketing activity, and once GDPR goes into effect, it won’t be as easy to access without obtaining full consent. And yet, a survey conducted by the U.K. Direct Marketing Association (DMA) in February 2017 reported that a quarter of businesses are not ready for GDPR, with B2B marketers being the farthest behind.

Not surprisingly, legal departments will also have their hands full ensuring their organizations are compliant—reviewing security controls and identifying where there may be holes in compliance. With the auditing power given to the GDPR SAs, legal teams will need to double- and triple-check that processes related to obtaining, using, analyzing, and storing data are within the regulation’s standards. While this preparation may seem daunting and overwhelming now, putting in the bulk of the work at this stage means that legal departments (as well as other teams) will prevent headaches brought on by processing the fines the organization is likely to incur if it doesn’t meet the deadline to comply.

Keep in mind that the reach of GDPR compliance stretches far beyond the walls of legal, marketing, and IT. If the remaining departments in the organization aren’t aware of what they need to do yet, they should proactively reach out to their CEO for details on changes they should be making.

Has the organization hired or appointed a data protection officer?

The GDPR mandates that companies which process or store large amounts of EU citizen data, regularly monitor data subjects, or are public authorities appoint a data protection officer (DPO). For those that don’t fall into these camps, appointing or outsourcing a DPO could still prove extremely beneficial in helping the organization become (and remain) compliant.

For many organizations, the DPO likely already exists—often filling chief security officer (CSO) or director of security roles. If not, organizations should make hiring one their primary objective, knowing that this individual will manage GDPR-compliance processes from start to finish—ensuring that the organization continues to be compliant after the deadline. The DPO will be responsible for tasks such as creating access controls, reducing risks, responding to requests, and reporting breaches. This individual should also have a deep understanding of how each department will be impacted, so that they can customize their processes to operate most efficiently and effectively.

With this in mind, organizations should consider the following qualifications when appointing or hiring a DPO:

  • An understanding of how to build, implement, and manage data protection programs
  • Expertise in national and European data protection law, including an in-depth knowledge of the GDPR
  • History of high professional ethics and integrity

What are the organization’s shortcomings?

Using the insights from the security controls, meetings with auditors, and conversations with each department, executives should be able to identify which of their processes need more work. Ideally, the DPO (or whoever is managing the GDPR-compliance process) will be able to pinpoint these areas on an ongoing basis, giving the entire organization an understanding of what they must continue to improve and what seems to be on track. Is a department that collects data not asking for permission from the source? Is data being classified correctly—whether it’s personal, anonymous, pseudonymous, etc.? Do employees understand and know to flag security threats as they arise?

That last question in particular is one that could result in costly mistakes and set an organization back several steps in the GDPR process. Any holes in security must be filled quickly—especially given that, in 2016, 60% of all cyberattacks were carried out inside an organization, whether maliciously or inadvertently (according to IBM’s 2016 Cyber Security Intelligence Index).

How can those shortcomings be resolved (and how quickly)?

Given that time is of the essence, an efficient and effective solution to those holes is essential. Executives must work with the DPO, department heads, and auditors to come up with a plan of attack that will keep the organization on track for the May 2018 deadline. If needed, organizations should consider holding company-wide meetings to educate employees on best practices for mitigating and preventing security risks (including how to tell a phishing scam from a real email). They should also come up with a standard for categorizing data, and ensure every individual is following that set of rules. Depending on what missteps need to be solved (and how many there are), organizations should make filling those gaps the utmost priority.

Are the organization’s partners compliant?

As if it’s not enough to ensure internal teams are focused on becoming GDPR-compliant, businesses must also audit the practices of every organization they work with—including partners and vendors. If one of these entities is not compliant and provides an organization with personally identifiable data that was obtained without consent, both businesses would be faced with penalties from the SAs. The GDPR has strict rules about the sharing of data—particularly across borders—and has given SAs the ability to trace the origin of the data back to the original source, making it all the more necessary for every stakeholder to be 100% compliant. At the risk of being fined for conducting business with a non-GDPR-compliant entity, organizations should ask partners and vendors to provide proof of how they obtain, store, use, and protect personal customer data.

Next steps

Organizations that have not already started preparing for the impending GDPR are, truthfully, already behind. Executives should lead the charge on compliance procedures, articulating to everyone in the organization—from the top down—what GDPR is, how it will impact their work, and what they need to do in order to ensure they’re actively preparing for its rollout. Then it’s up to the DPO and department heads to oversee that compliance is met—both internally and with external partners.

The five questions above should serve as guidelines for organizations that want to hold on to that 4% of their global revenue in 2018.