‘Twas the night before GDPR….
May 25 feels like a holiday of sorts. Not because there’s anything to celebrate or honor, necessarily, but because preparing for it was much like getting ready to have guests visit the house. Guests one really wants to or needs to impress, moreover, like the in-laws or the boss.
For many of us — those who haven’t been subject to extensive privacy regulation already — this means cleaning the house because it isn’t always spotless. Sure, we keep it tidy enough for ourselves but not ready for inspection! And while getting ready — moving the clutter to a proper storage spot and dusting in places that tend to get neglected — it’s inevitable that one will discover a few things that need fixing or that can be discarded altogether.
This DPO Confessional takes the holiday spirit — and the bustling preparations that go into it — and discusses them as two preparatory phases (although many of the tasks occur simultaneously). First, many data protection officers have prioritized preparing for the EU General Data Protection Regulation by doing the things that are most visible to customers and regulators — clearing the clutter and scrubbing the surfaces. Second, they have also tackled the harder projects that take more time and are not as obvious to outside observers. Both will require regular and ongoing upkeep.
The visible preparations
Appointing a DPO
One of the first and most publicly visible tasks an organization can take on for GDPR Day is appointing a data protection officer or someone with equivalent expertise and responsibilities. We’ve written about DPOs extensively, but in brief this is a position — mandated for certain organizations under Article 37 of the GDPR — that is responsible for overseeing the firm’s compliance with the Regulation. Regardless of whether a DPO is mandatory, many organizations are appointing one anyway. This step is especially crucial for organizations that are unaccustomed to being regulated for anything, let alone privacy.
The DPO is like a professional house cleaner — he or she will know where to spot the issues that others have overlooked. It’s in the process of discovering all the nooks and crannies where data are processed that the expert will provide the most value over the long term. Indeed, it’s one of the reasons being “100 percent compliant” by May 25 is unrealistic. The preparations for the day are part of discovering all the work that needs to be done, systematically and persistently, into the future.
Updating the privacy notice
Privacy notices have adorned websites for many years, so there won’t be much need to draft one from scratch. But the GDPR requires not only that an organization’s data processing practices be made easily accessible in clear and plain language, it also spells out specific items that must be provided to data subjects at the time their data is collected. The privacy notice is one of the few places where these myriad items can appear together. It’s also a highly public statement of internal privacy practices as well as an opportunity to force decisions around an organization’s lawful basis for processing data. Anyone doing a spot-check to see if a company is aware of the GDPR, let alone working toward compliance, may start by reading the privacy notice.
Consent is one of the lawful bases for processing personal data enumerated in Article 6. Although there are several other important bases, consent is perhaps the most visible because the request for it must be “presented in a manner which is clearly distinguishable from other matters.” Consent has become all the more visible lately because of the inundation of “reconsent” emails pouring in to mailboxes. The necessity and prudence of these emails has been questioned, but their inspiration is undoubtedly a good-faith interest in accommodating customer preferences and some fear that consent for direct marketing communication may not have been properly recorded initially. This latter concern arises out of the ePrivacy Directive, as implemented by the EU member states, which is getting another day in the sun thanks to the GDPR.
Data subject rights
Data subjects have had rights under the EU Data Protection Directive to access their data, correct it, have it deleted, and object to its use for certain purposes (automated decisions and direct marketing among them). The GDPR is forcing many companies to comprehend these rights and respond to them perhaps for the first time, largely because of the expansive jurisdictional scope addressed in Article 3.
The transparency obligations described above require that data subject rights be spelled out clearly to data subjects, so they are also among the more “visible” data protection tasks to be completed before the big day. At the IAPP, we’ve already been fielding subject access requests on a rather regular basis. If we weren’t able to respond, people would notice. (And they would talk!)
Deeper cleaning and organizing
Data processing inventory
Getting under the cushions doesn’t necessarily follow the surface-level cleaning; it often happens in conjunction with carrying out the more visible GDPR tasks. For example, as noted in the Top Ten Operational Responses to the GDPR, one of the first items on the GDPR check list — truly required for all the other operational responses to be meaningful — is to inventory the organization’s data processing activities. But this activity is not one-and-done. Through the course of conducting all the other tasks — for example, performing risk assessments on a new processing proposal, evaluating a potential new processor, or deciding how to manage direct marketing consents — the DPO will learn more about the organization’s data processing than the initial mapping exercise may reveal.
Risk assessments and vendor management
GDPR compliance requires ongoing attention to data processing, and conducting risk assessments and DPIAs will happen regularly after May 25. The DPO’s job is to build a process for conducting them and recording them, and (in the case of a DPIA whose residual risk remains high after mitigation) seeking prior consultation from the supervisory authority under Article 36. This is behind-the-scenes work that customers never see. Even regulators would not know if it hasn’t been done, until there is a complaint or a breach or another incident that rouses their attention. And yet, it’s a must.
Vendor management is slightly more visible because controllers are demanding their processors and co-controllers sign data processing agreements under Article 28 and standard data protection clauses for international data transfers, thereby shining a light on commercial partners who are ready for GDPR and those who remain unaware. As Omer Tene has written, however, consumers will remain largely oblivious to this behind-the-scenes flurry of digital supply chain management.
On security, the GDPR requires little that hasn’t already been best practice for information security. And yet, the exercise of appointing a DPO, taking inventory, and otherwise thinking more deeply about data processing practices invariably causes many organizations to take another look at their security infrastructure. Pressure comes not just from data breach concerns and the brand damage a breach would bring, but also from the onerous expectations controllers place on their processors and co-controllers in Article 28 agreements. Security audits are inevitable. DPOs should be connecting with the security team on a regular basis, working closely on updating incident response and data breach notification plans (the 72-hour notification clock in Article 33 leaves little room for improvisation), ensuring that the edifice itself is sound.
Privacy and security training
Privacy and security responsibilities fall on many shoulders within an organization because so many people interact with and have access to personal data. Awareness training is difficult because it requires so many people to devote time to it — the DPO cannot just take care of it on her own. It’s also not necessarily obvious to customers that staff have been trained, so it is easy to put off in favor of making the GDPR house look nice on the surface. And yet, privacy and security training is a crucial preparatory step as well as one that should be repeated regularly. At a minimum, staff need to be able to spot a data protection or security issue, and know to contact the DPO or the security team. This piece is hard to rush, so if it isn’t done by May 25 it should go on the priority list. Training, like many of these pre-GDPR Day tasks, really requires ongoing maintenance and housekeeping well beyond the big day.
Unlike this list — which is non-exhaustive — I am a bit weary. Like many of you, I’ve perhaps neglected some personal maintenance in the rush to get ready at work. But I take the long view: It feels good to have things more-or-less in order and to greet May 25 with open arms. Who doesn’t enjoy a cause for celebration?
Happy GDPR Day to all.