The EU’s General Data Protection Regulation (“GDPR”) will take effect in a little over ten months. Compliance with the GDPR is likely to be a key project for many companies, especially given the far-reaching nature of the requirements under the GDPR and the potential fines for non-compliance of up to 4% of annual worldwide turnover. At Sidley Austin LLP we have been advising clients in the financial services, life sciences, payment services, telecoms, technology and other industries on how to comply with the GDPR before it becomes law on 25 May 2018. Many of these clients are now engaged in standalone GDPR projects and have created internal project teams to ensure they are ready once the GDPR comes into force.
The term “GDPR project” is very broad and may cover a variety of different approaches in preparing for the GDPR. There is no “one size fits all” approach to a GDPR project, although typically there are specific phases that projects tend to include and key steps they address.
Phase 1 – Data Mapping
In this phase, the relevant individuals in key departments at an organisation, such as HR, IT and Marketing, typically receive tailored data flow questionnaires that are designed to determine the key data flows for the organisation and the main activities in which personal data are processed.
Based on the responses to the questionnaires a data map can be prepared that serves two important purposes: (i) it creates a basis on which to carry out a gap analysis of requirements under the GDPR that the business needs to deal with as part of the project; and (ii) it can form the basis to satisfy the requirement under Article 30 of the GDPR to record different types of data processing activities.
Phase 2 – Identify Compliance Gaps and Solutions
Following the Data Mapping Phase, an organisation will typically conduct a gap analysis to compare the business’s current privacy compliance against requirements under the GDPR. There are, of course, many ways to carry out such an analysis, but a good approach may be to create a GDPR Project Report that builds on the findings of the Data Mapping and importantly sets out key actions for the next phase of the GDPR Project.
In order to manage the crucial final Implementation Phase of the GDPR Project, it may be helpful to have a practical project management tool, such as an implementation table and/or a Gantt chart, which sets out the priority, timeline and responsibility for each of the GDPR Project actions.
Phase 3 – Implementation
The final phase of a GDPR project is the Implementation Phase, which often is the longest and most challenging phase and requires careful project management to ensure all key actions to meet requirements of the GDPR are implemented before May 2018.
The steps an organisation must take to implement the GDPR will vary depending upon its data flows and the current status of its data protection compliance program. However, given the transformative nature of the GDPR, almost all organisations will likely need to take at least some key implementation steps, including for example: (i) identifying which Data Protection Authority (“DPA”) in the EU will be the lead DPA that the business will need to deal with, based on where the business has its central place of administration in the EU; (ii) determining if a data protection officer will need to be appointed under the GDPR; (iii) carrying out privacy impact assessments in certain circumstances; (iv) amending information notices and consents to meet GDPR standards; (v) revising internal privacy and other policies, including data breach incident response plans; (vi) reviewing data retention practices to meet the data minimisation requirements; (vii) implementing privacy by design and by default standards; (viii) dealing with new data subject rights, such as the right of erasure and the restrictions on profiling; (ix) ensuring that contracts with vendors contain GDPR-compliant data processing provisions; and (x) reviewing transfers of personal data outside of the European Economic Area to ensure such transfers are done in compliance with the GDPR.
The number and scale of these tasks and the other actions required to be GDPR compliant may at first be overwhelming for some organisations. However, the Implementation Phase can progress more smoothly when organisations prioritise implementation steps and focus on the most critical and time intensive steps first.
There are now fewer than ten months left before the GDPR takes effect and time is running out. Organisations which have not already started their GDPR project should do so now in order to ensure they are compliant by May 2018. By adopting a phased and structured approach, it should still be possible to deal with the many requirements of the GDPR before this deadline.
By William Long, Partner at Sidley Austin