Navigating GDPR Compliance Beyond the Deadline

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. The GDPR gives European Union (EU) individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle or analyze personal data. Along with the new regulation came consumer confusion about the deluge of “Updated Privacy Policy” emails from the many services in their digital lives. Consumers were not alone in their confusion: marketers, a primary group that the GDPR directly impacts, were unsure exactly how the new regulation would affect their businesses and processes.

According to an Ensighten survey of 150 UK brand and agency-side marketing decision makers taken prior to the deadline:

  • “Just 26% of respondents said they felt ‘very confident’ that their data governance procedures were robust enough to be classified as compliant by the looming 25 May deadline.”
  • “45% of UK marketers have said their business is setting money aside to cover any potential fines issued by regulators.”
  • “With less than one month to go until the Information Commissioner’s Office (ICO) starts enforcing the rules in the UK, 61% of marketers said that they would apply for an extension on the target date if there was an option to do so.”

In short, companies still have a lot of work to do to ensure they are GDPR compliant. Like any company facing a regulatory change that impacts its core processes, they are facing significant challenges. SEI has helped prepare numerous companies for GDPR. Here are a few of the key challenges we’ve observed.

Challenge #1: Notices & Consents

People who use Gmail, Snapchat, Twitter and other social media platforms have recently had notice and consent updates ‘pushed’ to them under a banner commonly titled “Privacy Policy Updated”. Did you read it? Ensuring that notices and consents comply with the new regulation is not easy. Common challenges a company faces in applying appropriate GDPR notices and consents include presenting them on corporate websites in the appropriate languages and implementing consent tracking mechanisms, which is far more involved than placing a link in the footer of a webpage.

To address these challenges, companies need to undertake a comprehensive effort to map all pages on their websites, understand each page’s purpose, determine whether consent is required, and update the sites accordingly – and in the appropriate language. Once that is complete, the challenge becomes how to remain compliant as new pages are developed. It is critical that, as companies implement their notices and consents, they also put in place good business processes that keep them compliant as new content, and potential products or services that require personal information, are added.

Challenge #2: Personal Data & Data Subject Requests

If your company handles EU personal data, it needs fast, reliable answers to questions such as what types of EU personal data it holds and, more importantly, what is happening with that data. And if someone wants to update their data, or requests its deletion, is there a process in place to handle the request? How is all this done? Start by gaining an understanding of the applications and systems that might contain personal or sensitive information about an EU citizen. Then identify a cross-functional team including Legal, IT, Compliance and Communications members to conduct a simulation of your organization’s readiness, so that potential gaps or areas for improvement in processes and procedures can be identified.

Challenge #3: Adapting to US-based and other Global Privacy Regulations – now and in the future

Below are a few current legislative efforts that have either recently passed or are currently being considered, which illustrate the imperative for an adaptive compliance model.

  • California Consumer Privacy Act of 2018: Companies that store large amounts of personal information will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold.
  • S. Res. 523 — 115th Congress: A resolution introduced on May 24, 2018 (one day before GDPR went into effect) encouraging companies to apply the privacy protections included in the General Data Protection Regulation of the European Union to citizens of the United States.
  • 2179 — 115th Congress: The Data Security and Breach Notification Act was introduced on November 30, 2017 to create the first-ever federal standard for punishing breaches in which consumers’ personal health care information, Social Security numbers, credit card numbers, and email addresses have been hacked.

While GDPR specifically pertains to EU personal data, companies need to build their data privacy programs so they are adaptable to future regulations and laws. Failure to do so increases the risk of spending significantly more time, money, and resources than would otherwise be necessary to comply with new legislation – or worse, incurring penalties and fines, which could be devastating to some companies. Don’t get caught off guard. Find the right partner to help you navigate your data privacy program to GDPR compliance and beyond.


Stephen Smith