This is my third blog post on the European Union’s General Data Protection Regulation (GDPR). For basic information about GDPR and why U.S. businesses need to watch out for GDPR, see my first blog post in the series. Or to see what GDPR says about information security requirements, see my second post.
What is the first thing your business should do in taking steps towards GDPR compliance? The short answer is you should assess your current privacy and security program.
More specifically, you will need to understand your organization, its business context, its culture, and the types of personal data it processes. You will need to understand in detail what kinds of personal data the business is collecting and receiving, how it uses personal data, its practices in sharing and transmitting personal data, its retention of personal data, and its disposal of personal data. Your business should understand its entire personal data lifecycle and where personal data flows through your business’s systems. You need to assess the strengths and weaknesses of your current data protection program. Once you have made this assessment, you can plan future steps to enhance the data protection function within your business. You can then assess its effectiveness and make improvements.
What are the steps to effective data protection management?
I recommend following these six steps towards effective data protection management and compliance with applicable privacy and security laws. GDPR compliance should be one component of this process, but not the only one. The best strategy is to integrate GDPR compliance into an overall data protection management process.
Step 1: A data protection program begins with aligning your business’s overall strategy with its data protection strategy. With your business’s culture in mind, this step involves planning the strategic direction and commitment of your business to data protection. Your business will need to understand critical requirements and business imperatives that affect the program. Also, are there opportunities that dovetail with strategic initiatives of your business, such as positioning it in the marketplace as a leader in data protection for purposes of its overall marketing strategy? Finally, your business will need to allocate sufficient resources for the program.
Step 2: Your business will need to assess its current data protection posture. Most fundamentally, it will need to know what kind of personal data it is collecting and the flow of personal data throughout its systems during the entire data lifecycle, from collection or generation to disposal or long-term archiving. It will need an understanding of all the information assets (its own, its customers’, and its vendors’ networks, sets of servers, workstations, mobile devices, and storage systems) within the scope of the program. Your business will need to understand the applicable laws creating data protection compliance requirements. For instance, you should determine if your business must comply with GDPR. You should also determine what other security and privacy laws apply.
Moreover, your business should conduct and update a risk assessment of the universe of potential data protection threats, the likelihood and frequency of these threats coming to pass, the impact of the harm from these threats, and the controls available to mitigate these threats or their impact. Your business’s risk management process should prioritize a set of controls to mitigate the threats analyzed. Inevitably, your business will identify gaps between its current data protection posture and its target (ideal) profile. Your business will need to prioritize the identified gaps and develop an action plan to address them.
Step 3: This step consists of implementing your data protection program. For instance, your business should implement its action plan to begin closing gaps in its data protection program. Your business may assign people to implement specific programs to improve its data protection posture. In addition, this implementation phase involves ongoing data protection support of day-to-day business line operations. For example, data protection attorneys may be involved in ongoing negotiations of customer and vendor contracts or merger and acquisition activities, including the due diligence involved in these transactions. They may also work with cross-functional teams to support new infrastructure, products, and services. They may be involved in advising clients on data protection issues that come up in operations, such as questions about implementing data protection instructions or advising marketing professionals about data protection in connection with advertising campaigns. Data protection attorneys may provide advice about specific customer or employee situations that arise. Litigation data protection counsel may be involved in defensive or offensive claims relating to breaches, defects in data protection products or services, or defaults in product or service agreements.
Step 4: Your business should take steps to sustain and manage its data protection program. It will need to monitor and provide day-to-day oversight over the implementation of the program to detect issues and violations, and report and respond to them. A key part of the oversight function is providing training of personnel to make sure they understand their data protection functions. Moreover, data protection attorneys should facilitate the process of holding personnel accountable for compliance with the program. For instance, they may promote the use of data protection goals and objectives during employment reviews or advise internal clients concerning disciplinary actions taken following violations.
Step 5: Your business should have a formal program of assessment and auditing of its data protection practices. Data protection attorneys may work together with internal and external auditors to assess and audit privacy and security compliance. Consultants may be of help in preparing for audits.
Step 6: Your business should periodically evaluate its data protection practices and make adjustments to its data protection program. In the GDPR context, member state laws may flesh out or expand on data protection requirements in the jurisdictions where the business is operating or collecting personal data. Accordingly, it should update its analysis of applicable law over time. Also, the business may need to make changes because of information gleaned from data protection impact assessments to upgrade certain aspects of the program, undertake new privacy programs, or acquire new security tools. Your business may need to integrate changes to industry practice into its compliance program and data protection controls. Changes in business models, technology, or security threats may call for other changes.
In following these six steps, your business will be improving its data protection program generally. GDPR compliance should be part of an overall compliance effort. If your business focuses on GDPR in isolation, it will likely duplicate efforts and spend more than it otherwise would if it integrated GDPR with other compliance obligations. By following these six steps, your business can effectively address GDPR and other applicable privacy and security legal requirements.
Stephen Wu has written or co-written seven books on data security legal topics, and leads the International Network of Boutique and Independent Law Firms’ global GDPR working group. For assistance in determining whether you must comply with GDPR, or regarding your GDPR compliance program, please contact Stephen Wu by completing the web form here.