Top Ten GDPR Predictions and Tips for 2018
1. PREDICTION: The European Union (EU) General Data Protection Regulation (GDPR) will necessitate managing retention and privacy policies together.
- The GDPR requires you to know why and how long to keep personal data, thereby necessitating managing your retention and privacy policies together. The GDPR provides no explicit rules for retention, just that you must keep information “for no longer than is necessary for the purpose for which it was originally processed.”
- A records retention schedule answers the question: “how long is necessary?”. To keep your retention schedule and privacy policies connected, it’s most effective to categorize privacy requirements in the same way you do retention requirements and store both in a centralized place.
- Transparency of what the laws and regulations say regarding retention provides a holistic picture of why you are obligated to manage different types of personal information, including how long you are legally obliged to keep it.
2. PREDICTION: People will realize a well-designed and executed retention program mitigates the risk of over-retaining personal data, reducing the effort of dealing with requests such as the ‘right to be forgotten’.
- Over-retention can lead to unnecessarily exposing information to cyber-attack and/or unnecessarily dealing with subject access and right to erasure requests. To help manage privacy obligations and requests, develop and implement a robust retention schedule, covering all areas of your business. This can be your defense against some individual requests for erasure of personal data, as the legal justification for retention can override the right to be forgotten. A well-executed retention schedule allows you to operate under the transparency principle of the GDPR.
3. PREDICTION: Companies will realize retention rules applied globally will no longer make sense for personal data because the GDPR will force companies to comply with more granular rules for retention and even-more granular obligations for privacy.
- Make sure you account for the different retention rules for personal data across jurisdictions. With the GDPR in effect, you will not want to default to a global retention rule that is longer than the rule for an individual country.
- Pay close attention to the privacy obligations that vary depending on the specific type of personal data. For example, within the record class “Employee Records,” there are different types of personal data, some more sensitive than others. Employee bank details and health records need to be treated differently.
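The following is an added example, not part of the original article and not Iron Mountain's code, showing how the two points above (per-jurisdiction retention rules and per-category treatment within a record class) can be resolved programmatically. The retention schedule, record classes, country codes and periods are constructed for illustration and are not real legal requirements; a country-specific rule takes precedence over the global default so that a longer global rule never silently over-retains data in a country whose rule is shorter.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample schedule (an assumption for this example, not a legal
# reference): retention periods in days keyed by (record class, data category).
# Each entry carries a global default plus optional per-country overrides.
RETENTION_SCHEDULE = {
    ("Employee Records", "bank details"):   {"GLOBAL": 6 * 365, "DE": 10 * 365, "FR": 5 * 365},
    ("Employee Records", "health records"): {"GLOBAL": 3 * 365, "FR": 1 * 365},
    ("Customer Records", "contact details"): {"GLOBAL": 2 * 365},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    data_category: str
    jurisdiction: str      # country code of the data subject (constructed)
    last_processed: date   # date on which the purpose of processing ended


def resolve_retention_days(record_class: str, data_category: str, jurisdiction: str) -> int:
    """Return the retention period (days) that applies to this combination.

    The country-specific rule wins where one exists; otherwise the global default
    applies. A missing schedule entry is an error rather than a silent default,
    because unknown data should not be kept indefinitely by accident.
    """
    try:
        rules = RETENTION_SCHEDULE[(record_class, data_category)]
    except KeyError:
        raise LookupError(f"no retention rule for {record_class!r}/{data_category!r}")
    return rules.get(jurisdiction, rules["GLOBAL"])


def erasure_due_date(record: Record) -> date:
    """Date by which the record should be erased under the storage limitation principle."""
    days = resolve_retention_days(record.record_class, record.data_category, record.jurisdiction)
    return record.last_processed + timedelta(days=days)


def records_due_for_erasure(records, as_of: date) -> list:
    """IDs of records whose retention period has expired as of the given date."""
    return [r.record_id for r in records if erasure_due_date(r) <= as_of]


# Constructed sample inventory: same record class, different categories and countries.
SAMPLE_RECORDS = [
    Record("r1", "Employee Records", "bank details", "FR", date(2013, 1, 1)),
    Record("r2", "Employee Records", "bank details", "DE", date(2013, 1, 1)),
    Record("r3", "Employee Records", "health records", "US", date(2015, 1, 1)),
    Record("r4", "Customer Records", "contact details", "GB", date(2017, 1, 1)),
]

if __name__ == "__main__":
    as_of = date(2018, 5, 25)  # GDPR application date, used here as the review date
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.jurisdiction, "erase by", erasure_due_date(rec))
    print("due for erasure:", records_due_for_erasure(SAMPLE_RECORDS, as_of))
```

Record r1 illustrates the point of the prediction: under the constructed global rule it would be kept until the end of 2018, but the shorter French rule makes it due for erasure before 25 May 2018, while the identical record class in Germany (r2) is retained longer.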
4. PREDICTION: Companies that have focused solely on the legal requirements of the GDPR (e.g. updating their consent and privacy policies and justifying why they are holding personal data) without incorporating information governance (IG) into their GDPR strategy will struggle with implementation.
- Not only should you focus on the legal requirements justifying why you have personal data, you also should focus on how you’re actively managing personal data and mapping it to your business processes.
5. PREDICTION: Visualizing how information flows in your organization will be the most effective way to gather and communicate the required information about your personal data processing activities to comply with the GDPR Article 30 requirements*.
- Create visual business process maps to translate the legislation into the way the business process owners inside your organization operate, so you can document:
1. how personal information flows through and outside of your organization
2. who has ownership over the data
3. who consumes the data
- A business process mapping tool makes it easier to gather the information from the process owner, show your compliance to regulators and easily search for information to respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation. As a bonus, this documentation of your business processes is a great lens to underpin your digital transformation (DX) efforts to identify where you can improve business workflows.
6. PREDICTION: The GDPR will cause many companies to realize their efforts in DX have outstripped their current information governance (IG) practices, making it difficult to incorporate data protection by design and by default.
- Make sure to have an IG focus intertwined with initiatives to digitally transform business workflows and store information digitally. Set up an enterprise-wide IG steering committee and policies to effectively govern all information, especially personally identifiable information (PII).
7. PREDICTION: Companies that are mature in their IG and DX practices will not only be better positioned to comply with the GDPR, but will also more quickly realize the ongoing better business outcomes that come with high levels of maturity in IG and digital transformation.
- While GDPR efforts focus on applying good IGDX practices to personal information, there are business benefits to IGDX maturity in managing all types of information, including increased customer satisfaction, revenue and profit growth, to name a few. [see Enterprise Excellence through Information Governance and Digital Transformation (IDC InfoBrief, commissioned by Iron Mountain) for more information]*
8. PREDICTION: With increased demand for expertise around GDPR compliance, companies will need to think about outsourcing in new and innovative ways to meet requirements.
- Find a trusted advisor that can help you define and deliver your strategy for GDPR compliance. Start with an assessment of what you have and what’s missing from an operational and delivery perspective so you know what skills you’re missing. Examples:
1. Do you have a way to know how long you are legally required to keep information to comply with the GDPR storage limitation principle?
2. Do you have the right people in place to determine the lawful basis on which personal data is processed?
3. Do you have a way to document a record of your business processes according to the GDPR Article 30 requirements?
4. Do you have a response plan for a data breach?
9. PREDICTION: Not everyone will be ready on day one when the GDPR goes into effect on May 25, 2018.
- There are things you can start to do now to prepare, which will put you in a much better position. Here are some things you can do to help your organization:
1. Find a trusted advisor – find someone who can help you objectively assess the challenges you have.
2. Assess – assess the entire organization to understand where your gaps are.
3. Educate – get senior stakeholders into a room and understand what’s coming and what’s needed.
4. Set Up a Steering Committee – if you already have an IG Steering Committee in place, use that forum. One of the most important things about GDPR is showing accountability across the enterprise.
5. Update your retention schedule – consult other areas of retention law to know how long it is legally necessary to keep information, as the GDPR does not tell you how long you need to keep it, just that it should be kept “for no longer than is necessary for the purposes for which the personal data are processed.”
6. Map your business processes that contain personal data.
10. PREDICTION: Complying with the GDPR is not a once-and-done activity.
- Many companies are focused on addressing requests from citizens looking to access their personal data, but there is evidence that this will not be a major issue in many industries. It’s important to address all facets of the GDPR and assess the real impact you anticipate to your business, balancing the fact that the behavior of citizens and regulators is unpredictable. You need to be prepared to make good IG a continuous “business as usual” activity to show compliance, and you’ll need to be flexible to adjust to precedent from case law, enforcement and any additional advice from the regulators that originates after May 2018. Preparing for the GDPR now will put you in a good position to comply with privacy regimes for other countries in the future.
- The GDPR Full Text: http://ec.europa.eu/justice/dataprotection/reform/files/regulation_oj_en.pdf
- Article 30 requires: Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
(e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).