The European Union’s General Data Protection Regulation comes into force in less than four months. Even with up to 70 percent of enterprises, globally, predicting they would be ready by the May 25, 2018, deadline, according to a study conducted by IAPP in late 2017, thousands of businesses, including many small-to-medium-sized enterprises, are still struggling to digest dozens of provisions of legislative text. Importantly, GDPR compliance is not a discrete point-in-time challenge, but rather an ongoing process that will occupy data professionals in companies all over the world, for many years to come.

In 2016, the Westin Research Center published the “Top 10 operational impacts of the GDPR.” With more than 70,000 downloads in 2017 alone, this series has demonstrated great interest among professionals in a practical, tactical package of GDPR guidance. But spotting issues and analyzing gaps is just the start of the process. Inevitably, companies need to proceed to the implementation phase and devise practical operational responses. With companies caught up in a flurry of activity to get ready for the GDPR, or in full panic mode as they just prepare to launch their programs, we are now offering a companion series to the “Top 10 operational impacts,” with our new “Top 10 operational responses to the GDPR” series.

This series of 10 articles is based on our own research, on crowd-sourced information from our 2017 surveys of IAPP members, and, importantly, on interviews with leading global experts who volunteered from the IAPP’s Research Advisory Board. The articles are intended to reflect practical and real-world steps that data protection and privacy professionals are taking to help their companies, employers and clients prepare for the plethora of GDPR data protection obligations.

Top 10 operational GDPR responses

There is much to do to build programs compliant with what is undoubtedly history’s most comprehensive data protection law. With 99 Articles and more than 170 Recitals, the GDPR challenges even the most experienced data protection and privacy professionals with its sheer size, scope and complexity. Indeed, the top barrier to GDPR compliance according to the IAPP’s 2017 study is “complexity of the law.”

Giving up isn’t an option, of course, so here is the list of the top 10 operational responses identified by our experts as the best plan of attack:

1) Conduct data inventory and mapping. This is where you start and is accordingly the subject of this first post.

2) Establish a lawful basis for data processing and cross-border transfers.

3) Build and maintain a data governance system, including establishing leadership (where appropriate, a data protection officer), setting forth policies and training personnel.

4) Perform data protection impact assessments, along with data protection by design and by default.

5) Prepare and implement data retention and record keeping policies and systems.

6) Meet information transparency and communications obligations.

7) Configure systems and put in place processes to accommodate data subjects’ rights, including access, rectification, erasure, portability, objection to automated processing and revocation of consent.

8) Prepare for security breach response and notification.

9) Have a sound vendor management (processor) protocol.

10) Establish systems and channels for communicating with your data protection authority.

Data inventory and mapping

One can search the GDPR in vain for the terms “data inventory” or “mapping.” They are simply not required by the plain language of the law.

But unquestionably, the first operational response to GDPR, essential to building a program that aims to comply with the law, is a comprehensive exercise of data mapping and inventory. The terms may have slightly different meanings depending on whom you ask, but they involve at least the following:

  • Understanding the definition of personal data under the GDPR.
  • Determining what personal data is collected and used (“processed” in GDPR-speak) by the organization.
  • Finding out where the data is stored, including what third-party systems might house it and where, geographically, the servers are located.
  • Mapping where the data goes from point of collection throughout the organization and externally to vendors or other third parties.
  • Determining how long the data is retained and in what formats. This includes having a sense of whether the data are “structured” (in relational databases) or “unstructured” (everything else, such as loosely organized systems, including paper files or PDFs, for example).

Without conducting the inventory and mapping exercise, a data protection professional cannot meaningfully build out a program that meets the GDPR’s many obligations, including establishing a lawful basis for processing, providing data subjects with transparency and meeting their other data protection rights, knowing when and how to gather and record consent, and the like. It is quite difficult, for example, to prepare a privacy statement or an internal privacy policy without understanding what data is collected, how it is processed, and with whom it is shared.

Importantly, data inventory is also the first step in complying with obligations to keep records of processing under Article 30. This pivotal provision of GDPR requires companies to maintain detailed records of their processing activities, including the purposes of the processing; a description of the categories of data subjects and of personal data; any recipients with whom personal data are shared, including their geographic location; any cross border data transfers and risk mitigation measures; data retention schedules; data security policies; contact details of a European representative and DPO, where applicable; and more.

Tools and methods

The best method to conduct data inventory and mapping will depend on an organization’s size and complexity, as well as the amount of time allotted to the exercise and the sophistication of the participants.

Many data protection and privacy professionals, perhaps assisted by outside counsel or consultants, begin with a questionnaire. Those with adequate time can engage in an initial discovery exercise to unearth their organization’s general personal data life cycles, followed by deeper-dive questionnaires and follow-up interviews, and even workshops.

Ideally, the inventory and processes created to support it allow – eventually, at least – the capacity to identify data location and storage information at the level of an individual data subject: What data do I have on Jane Doe, and where is it located? If Jane wants access to her data, how can I be sure to find it all for her?

Assigning a level of risk to distinct data categories is also important at this stage. After all, the GDPR fundamentally takes a risk-based approach to data protection. Is the information highly sensitive, falling within a “special category” as defined in Article 9? This would require a company to rely on a different legal basis than for regular processing. Would unauthorized access to data create high risks to the rights and freedoms of the data subjects? This would trigger a DPIA or require an individual breach notification.

For many, this information is currently tracked in home-grown tools or in adapted versions of standard enterprise software products. In the IAPP-EY 2017 Governance Report, 45 percent of respondents reported they conduct data inventory and mapping informally, using manual processes including email, interviews and spreadsheets; only 32 percent reported using commercial products developed exclusively for data inventory and mapping.

Over the past few years, a privacy technology industry has exploded in response to the GDPR and other privacy regulatory developments. Dozens of startups have emerged to provide solutions and tools for organizations working on data protection regulatory compliance, accountability, and risk mitigation, as highlighted in the IAPP’s annual Privacy Tech Vendor Report.

While less scalable than technological data mapping tools, traditional questionnaires have the benefit of breadth: they can be sent to many people within an organization, allowing for a potentially comprehensive and widespread investigation. Their risks, however, include weak or inaccurate responses, and misunderstanding on the part of those completing the questionnaire, who make assumptions and do not or cannot get clarification before submitting their answers. The task of answering the questionnaire may also be assigned to someone with inadequate knowledge or awareness.

Privacy professionals who are in a rush, then, may not be able to use a questionnaire followed by interviews. Instead, it may be necessary to jump directly to in-person meetings. This may take more personnel time – and at a higher level of management within the organization – but is likely the best way to get useful information about data processing as quickly, accurately and efficiently as possible.

Thinking ahead

As the inventory and mapping process is conducted, data protection and privacy professionals should be thinking not only about (a) what types or categories of personal data are being collected, processed and stored, (b) by whom and where they are stored, accessed and processed, but also (c) what the reasons are for the personal data processing. Is it really necessary to have this information and why? Article 5 of the GDPR requires that personal data be processed “lawfully and fairly” and “collected for a specified, explicit and legitimate purpose.” Assigning such a basis at the inventory stage expedites compliance with GDPR’s core obligations.

Indeed, record keeping under Article 30 is often conflated with inventory and mapping, and although there is no reason they cannot overlap operationally, they are not necessarily the same thing. Article 30 does not expressly require the record to demonstrate a lawful basis for processing, and yet that is a core GDPR requirement. Best practices counsel in favor of assigning these bases and recording them at the inventory stage.

The next installment in this series will address the various lawful bases under Article 6 and how operationally to select – and appreciate the consequences of – lawful bases options.

Conclusion

Preparing for GDPR compliance requires starting with an inventory of the organization’s personal data processing practices, from collection and use, to storage, retention and deletion. While some technical solutions are being offered to help with this process, many practitioners are finding that self-service is still the norm. As long as this is the case, this process will for many organizations be labor intensive and perhaps more time consuming than ideal, especially given the looming May 25, 2018, GDPR-implementation deadline. Nonetheless, a careful inventory of personal data processing practices is a crucial first step in the operational response to the GDPR.
