With only 100 days to go until the General Data Protection Regulation becomes enforceable on May 25, it is increasingly imperative for organizations that process information relating to an identified/identifiable European person to have a firm grasp on what the regulation entails, as well as any associated impacts on business that can be reasonably expected. Here are seven key questions to ask yourself, your team, or your project manager, to gauge how prepared your organization is to meet the requirements under the GDPR.
Has our data been inventoried and mapped, such that we have a complete understanding of our data flow?
An essential prerequisite to developing a GDPR compliance plan is to have a detailed understanding of the lifecycle of the personal data processed by the organization. It is impractical to implement a reasonable GDPR compliance plan if the organization does not thoroughly understand the personal information it processes, how it was collected, where it is stored, and where and to whom it is transferred. The GDPR identifies specific categories of information that it expects organizations to keep records on, with respect to data processing.
When personal information about people is collected indirectly from third-party sources (e.g., public databases, social media, event registration forms, prospect lists, etc.), have we verified that the data source has collected and transferred the data to us in compliance with the GDPR? What do we do to inform the people the information is about?
The GDPR makes no exception for data collected through third-party sources. Any personal data processed by the organization, regardless of the source, must comply with the GDPR. Broadly speaking, this means that the organization’s data source must have processed the data lawfully (i.e., received the person’s consent) when it was originally collected. Additionally, the data source must have informed the individual(s) that their information may be transferred on. Even assuming the data source’s collection and transfer of the personal information was GDPR compliant, the organization must still have its own lawful basis to process the personal information.
When sourcing data from third parties, this typically means you need to have a “legitimate interest,” as defined by the GDPR, to process the person’s information. So far, European Union guidelines have recognized the following situations as comprising a “legitimate interest” under the GDPR:
- When the processing takes place within a client relationship;
- When the organization processes personal data for direct marketing purposes; or
- To prevent fraud or ensure the network and information security of your IT systems.
Finally, once your organization has determined it is processing European personal information lawfully, the GDPR requires you to notify the individuals that you have processed information about them within a reasonable time (but no later than the earlier of your first contact with the person or 30 days from first processing).
When we collect personal information directly from people, what do we tell them? Do they have any choices?
The GDPR requires a complete inversion of the predominant, default U.S. view that “we can do anything with your information unless you expressly object.” Instead, barring another lawful basis for processing information, the GDPR requires organizations to obtain clear, express “opt-in” consent in order to process personal information. Importantly, pre-ticked consent checkboxes, or even an opt-in consent form buried at the bottom of long pages of legalese, will not satisfy the GDPR’s consent requirements. Another important feature of the GDPR is the restriction on “bundling” consent for processing that is necessary for the core purpose for which an individual provides his/her information with consent for processing that is unnecessary. For example, the GDPR likely requires that shoppers be given the choice to provide their email address for the purposes of fulfilling an order without needing to consent to receive marketing material from the organization unrelated to their purchase.
Is there any personal data we currently process that, while nice/convenient to have, is not strictly necessary for our business?
An overarching theme of the GDPR is the concept of “data minimization.” In other words, when processing personal information on EU citizens, best practice is to err on the side of processing as little information about individuals as reasonably possible.
For example, if your organization has information about birth dates, could it achieve the same result with processing an approximate age? Instead of someone’s full address, could the organization achieve its targeted marketing goals by processing only the information about the person’s approximate metropolitan area? Data minimization is a central feature of the GDPR, so your organization should be thoughtful in its data-processing approach and ensure that it has a legitimate reason to collect each data point.
If people have complaints or want more information about the information we have on them, do we have reliable response procedures in place?
The GDPR expressly affords Europeans rights related to their ability to control their personal information. Organizations are required to advise individuals of their rights under the GDPR and provide user-friendly means to exercise those rights within a reasonable time (at the latest, within one month of receiving a request).
Do we need to appoint a data-protection officer? Why or why not?
If your organization processes sensitive/personal information on a large scale, you may be required to appoint an individual, a data-protection officer (DPO), dedicated to ensuring ongoing GDPR compliance. While the DPO can be an existing staff member, the GDPR requires that s/he be qualified, free of conflicts of interest between the DPO duties and any other duties, and well supported in terms of access to management and resources within the organization. If your organization needs a DPO, this person should be identified well before the GDPR becomes enforceable in May.
What are we doing to ensure our vendors are prepared for the GDPR?
Accountability and transparency are the cornerstones of the GDPR. As such, it is important that your organization appropriately police any vendors that will have access to personal information regulated by the GDPR. This means ensuring that your vendors are GDPR compliant, and that they sign appropriate data-protection addenda and model clauses requiring them to meet their obligations under the GDPR.