The clock has struck zero. GDPR is enforceable today.
As our inboxes implode with emails containing updated privacy policies and consent notices, it’s worth taking stock of a few practical actions – including an initial deep breath – we can take to ensure our client organizations are also prepared for the new privacy landscape.
A recent study showed that only 21% of U.S. companies have a GDPR plan ready. This is partially due to the intimidating, technical nature of GDPR, regulating the processing of personal data through the framework of data “controllers” and “processors.” Many U.S. companies also aren’t taking GDPR all that seriously because they are blind to their potential exposure to EU personal data traveling all over the internet.
The summary below is with the other 79% in mind. It’s based on conversations I’ve had with privacy lawyers, GCs and industry experts over the past several months leading up to the enforcement date, and contains both “traditional” legal solutions (i.e. contracts and policies) and advanced legal tech techniques. Both are critical components of any effective compliance plan.
Step 1. Get Dirty With Data
Every effective GDPR plan starts with data. Lawyers who want to properly understand their client’s handling of data under GDPR will need to roll up their sleeves and get their hands dirty!
This is one exercise where technical charts are definitely not optional. The more granular you get in inventorying your data, and in documenting how that data flows across the organization, the better. Sadly, none of this is taught in law school. You may need to develop partnerships with product and engineering teams (or outside consultants) to get this right. Larger organizations with deep engineering departments may complete this initial “data discovery” process in-house. Smaller outfits may need to outsource this critical first step or bootstrap it.
Either way, the technical assessment must precede the legal one. Lawyers pursuing GDPR compliance must embrace this opportunity to take on a pseudo lawyer-engineer role and get “under the hood” of their organization’s data processes.
Step 2. Choose Your Partners Wisely
It’s an overlooked fact that Facebook’s recent privacy scandal did not originate with Facebook. It was largely due to a third party with access to Facebook’s data, known as “Cambridge Analytica.”
Ring a bell?
There is now expanded liability for both “processors” and “controllers” of EU personal data under GDPR. While contractual amendments known as “Data Processing Addendums” or “DPAs” are key defensive tactics, they are after-the-fact solutions at best.
You want to prevent breaches before they occur. To do that, you must learn to sniff out potential third-party risks before the contracting phase. Be specific with your partners and demand clarity. Is your potential partner a “processor” or “controller” under the law? What policies or certifications are in place? When were they last updated? Is there a concrete plan to deal with the enhanced “opt in” consent rules (more on this below), requiring controllers of personal data to establish a “lawful basis” before collection?
Be selective and avoid those who cannot produce concrete details around data processing activities and security policies.
Step 3. Repeat After Me: CMP
With all the acronyms flying around GDPR, what’s the harm in learning one more? Here’s one that will actually help: “CMP.” This stands for “Consent Management Platform.”
CMP technologies are popping up everywhere. They are designed to help the rest of us deal with GDPR’s crowning regulatory feature: the “opt in” consent requirement. You likely have already seen CMPs in action: “pop up” notices appearing before sites or ads load with clear and explicit language describing how your data may be collected, and most importantly, requesting your permission.
This is the EU’s grand policy objective manifested: to properly inform the public as to the types of personal data being collected in the EU and afford the individual with a degree of meaningful control.
Step 4. Consider A Data Protection Officer or Service Provider
In addition to CMPs, there are also now DPOs, or “Data Protection Officers.” DPOs are quickly becoming hot items in the new legal-compliance market.
GDPR will inevitably force an increase in investment towards additional compliance support. This is due to the “large scale” EU data processing requirement mandating appointment of a DPO (or similar service provider) to oversee data processing activities and assume responsibility for communication with relevant authorities.
Should you hire a DPO? That depends. It will take time and case law to fully understand the EU’s interpretation of the “large scale” requirement under the GDPR. In the meantime, for larger organizations with significant EU data traffic, a DPO is an investment worth considering.
Step 5. Befriend Your Marketing Department
After rolling up your sleeves, getting dirty with data, choosing your partners wisely, investing in a CMP to achieve “opt in” consent, and investigating whether to hire a DPO, it’s time to find a way to clearly communicate your GDPR compliance plan to your customers.
The importance of this final step cannot be overstated. If your customers cannot understand your compliance plan, how will the regulators? Failing to clearly communicate your GDPR plan presents both a marketing and a legal risk to the organization. Communicating GDPR compliance requires somewhat of an “odd couple” – a strong partnership between Legal and Marketing.
As the lawyer responsible for compliance, you must be effective in getting your message to the market and in front of the customers evaluating your products and services. Marketing teams are also often responsible for the websites and apps where privacy notices are hosted, as well as the links to CMP integrations (see above).
This brings us back to language. If you are not clear in describing how you are handling data, and more importantly, how you are keeping it safe, it signals that your organization is not ready for GDPR.