During our recent webinar on GDPR compliance, one attendee plaintively asked the panelists, “Can’t you just give us a checklist?” Alas, complying with the GDPR — the first comprehensive overhaul of EU data protection rules in twenty years, taking effect on May 25 — isn’t that easy.
The challenge presented by GDPR compliance came through loud and clear at “Are Your Priorities Set? Demonstrating GDPR Compliance on May 25 – And Beyond!”, a panel I attended last week at the Global Privacy Summit of the International Association of Privacy Professionals (IAPP). It featured the following panelists:
- Paul Breitbarth, Director of Strategic Research and Regulator Outreach, Nymity, and former Senior International Officer, Dutch DPA;
- Peter Lefkowitz, CIPP/US, Chief Privacy and Digital Risk Officer, Citrix Systems; and
- Donna Stamp, CIPM, AVP, Global Privacy, Enterprise Holdings.
Although GDPR compliance can’t be reduced to a checklist, here are seven key takeaways from the panel discussion.
1. GDPR is not a “one and done” exercise.
And the first insight on GDPR compliance is… sorry, there’s no checklist. Peter Lefkowitz said, “I’ve lost track of how often I’ve been asked, ‘When will we get our certificate of GDPR compliance?’” — and his comment was met with knowing laughter from the audience. It would be like asking, “When will we get our certificate of law compliance?”
Complying with the GDPR is not a matter of conducting a one-off inventory, taking a snapshot of a company at a certain moment in time, or going through a tick-box exercise. Instead, this comprehensive legal and regulatory framework imposes complex, ongoing duties upon companies — duties that will grow and change as individual countries enact their own GDPR-implementing laws. In other words, as discussed last week, GDPR compliance is a marathon, not a sprint.
Another reason that GDPR compliance can’t be reduced to a checklist is that it’s not a “one size fits all” framework. It often speaks in terms of broad standards rather than specific rules, requiring organizations to take “appropriate” measures to protect privacy — and what’s appropriate will vary from company to company, depending on what the company does with data, what resources it has available to it, and other considerations.
2. Take the approach of Structured Privacy Management.
GDPR compliance sounds… overwhelming. Where to begin?
Nymity, a major player in the GDPR compliance world (and sponsor of the panel), advocates adoption of Structured Privacy Management. This approach involves “embedding ongoing technical and organizational measures throughout the organization, resulting in the ability to demonstrate accountability and compliance with evidence.” It has three pillars:
(a) Responsibility: Appropriate technical and organizational measures have been identified and are implemented and maintained on an ongoing basis.
(b) Ownership: An individual (or function or business unit) is answerable for the management and monitoring of technical and organizational measures.
(c) Evidence: Documentation is produced as a result of implementing technical or organisational measures, and that documentation can be used as evidence of accountability and compliance.
3. Know where you are relative to your peers.
For purposes of the Responsibility prong of Structured Privacy Management, how can an organization know what measures to implement? Here it can be helpful to know what one’s peer companies are doing. When complying with a sweeping new regulatory framework like GDPR, it might not be necessary to be the very best company (although that’s certainly nice), but it is important not to be among the worst — because the worst companies will be the ones that regulators make examples of.
Keeping in mind that satisfying the GDPR isn’t just a rote exercise in ticking boxes, here is a helpful list from Nymity, based on a survey of 46 organizations, of the top 10 measures that have been implemented for GDPR compliance purposes:
Let’s walk through a few of the key measures.
4. Establish your approach to data transfers.
The GDPR requires organizations to provide for an “adequate” level of personal data protection when engaging in cross-border data transfers. Measure #2 involves using Standard Contractual Clauses as a data transfer mechanism.
There are a variety of other methods, including binding corporate rules (BCRs), the EU-U.S. Privacy Shield, and the Cross-Border Privacy Rules (CBPRs). But contracts are the most popular method by far (perhaps because outside vendors can be hired to make contracts GDPR-compliant).
5. Conduct privacy training.
When it comes to GDPR compliance, the legal or compliance departments can’t go it alone. Instead, any department or employee at a company with involvement in processing personal data must be involved — and must therefore be trained appropriately about the GDPR (see Measure #6). This will typically involve developing training sessions, making informational resources available to employees for consultation on an ongoing basis, and more.
“Try to make the information resources fun and interesting if you can,” recommended Donna Stamp of Enterprise. “I come from a marketing background, so I tried to develop engaging, visually appealing posters addressing different GDPR issues.” For example:
6. Develop procedures for responding to data breaches.
Measure #7 entails developing a data privacy incident/breach response plan. This is one of the trickiest areas of GDPR compliance, especially given the short timeframe set forth in the GDPR’s 72-hour breach notification rule. In many cases, a company will still be trying to figure out the scope of a data breach and the appropriate response during the first 72 hours.
If your company is working with law enforcement in dealing with a data breach, can you delay the GDPR-required notification? Unfortunately, it’s not clear — which is why Peter Lefkowitz recommended that companies reach out to the local law enforcement officials who would be helping the company in the event of a data breach. Given the rapid response required, it’s best to have a preexisting relationship with law enforcement, instead of having to introduce yourself and your company while trying to contain a data breach.
“It’s not clear” — this is, for better or worse, the state of play surrounding many aspects of the GDPR. As one frustrated attendee vented to the panel during Q&A, “It’s so grey out there.”
“And it will remain that way for the foreseeable future,” said Paul Breitbarth of Nymity. “The GDPR is not black and white.”
David Lat is editor at large and founding editor of Above the Law, as well as the author of Supreme Ambitions: A Novel. He previously worked as a federal prosecutor in Newark, New Jersey; a litigation associate at Wachtell, Lipton, Rosen & Katz; and a law clerk to Judge Diarmuid F. O’Scannlain of the U.S. Court of Appeals for the Ninth Circuit. You can connect with David on Twitter (@DavidLat), LinkedIn, and Facebook, and you can reach him by email at firstname.lastname@example.org.