Monday, December 30, 2019

How to Prepare a GDPR Compliance Roadmap

Many U.S. companies that collect personal data look for ways to monetize their relationship with a customer or to upsell additional products. Someone with the knowledge and authority to ensure that privacy principles consistent with GDPR, the new EU data privacy mandate, are built into those plans needs to be at the table. The effective date for GDPR compliance is May 25, 2018.

The European Union (EU) General Data Protection Regulation (GDPR), aimed at protecting the personal data and privacy of data subjects, has in-house legal teams and the entire C-suite scrambling to meet compliance. Any company established in the EU, or offering goods or services to people in the EU, is subject to the mandate, which takes effect on May 25, 2018. The rules are sweeping, and the consequences of non-compliance are severe: administrative fines can reach 20 million euros or 4 percent of a company's previous year's annual revenue, whichever is higher. Yes, this is real.

While many U.S. companies are not fully prepared to meet this compliance deadline, it is not too late. The best way forward is to draw up a roadmap. And if you are just coming up to speed on GDPR, you should consider your next steps very carefully.

GDPR compliance should be led by a champion: the president, a corporate data privacy or compliance officer, or the chief information officer. Ultimately, you may need to appoint a data protection officer if you do not already have one and your organization fits the specified criteria. Establishing a steering committee is another matter of urgency, as it will secure buy-in from business owners, from the C-suite up to the board of directors.

GDPR explained

The regulation applies to companies established in the EU and to companies offering goods or services to data subjects in the EU. There is no citizenship requirement for data subjects (employees or customers): it applies to anyone who is situated in an EU country when the data is collected, and its scope is potentially broader still for companies established in the EU.

GDPR is organized in a way that allows companies to divide compliance into practical work streams. A best practice is to assign each of those buckets to an individual responsible for compliance, working with both IT and the key stakeholders or business owners.

Principles that may be novel to U.S. companies fall under the heading Data Protection by Design and by Default in Article 25. Today, companies that collect personal data typically look for ways to leverage it to monetize their relationship with a customer or upsell additional products. There needs to be someone at the table with the knowledge and authority to insist that those discussions incorporate privacy principles consistent with GDPR.

The U.S. has an opt-out business culture: companies assume customers agree to personal data collection, and customers must deliberately opt out to be exempted from that practice. In the EU, by contrast, companies typically will not collect personal data without asking customers first. GDPR writes this into law, consistent with previous EU privacy regimes and a generally pro-privacy culture.

Steps to take right now

A critical early priority is conducting a personal data inventory: determining what personal data your company holds, where it is, and who touches it. This is a discovery exercise that can take anywhere from two days to more than three weeks, depending on the scale and complexity of the data.

GDPR offers recommendations rather than prescriptions for security. Under Article 32, Security of Processing, the mandate cites pseudonymization and encryption as examples of appropriate technical measures, but it does not prescribe specific tools or approaches. (Anonymization is a further option: data that is truly and irreversibly anonymized is no longer personal data and falls outside the regulation.) With respect to notice, the statute is fairly specific. If you collect an individual's personal data, you have to tell that individual what you are collecting, why you collect it, and how long you will retain it, and you must commit to retaining it only as long as necessary for that stated purpose.

Companies just getting started should focus first on applications holding the most privacy-sensitive personal data (especially health-related data) and prioritize their 10 to 20 most sensitive applications. In the meantime, work with key constituencies, including general counsel, the privacy officer, the compliance team, and the chief information security officer, to set up a game plan for handling the rest of your applications in order of sensitivity, with milestones, roles, and responsibilities achievable in a reasonable period of time.

Potential roadblocks

A novel GDPR requirement is the data subject's right of access to their data. In some cases it may be difficult to build a process that delivers the requested data in a functional, portable format.

Still more challenging will be compliance with the individual's right to be forgotten: the right to insist that data be deleted from company databases on request. The right to be forgotten is specified, but it is not absolute. It can be overridden by competing concerns, such as an existing compliance obligation that requires the data to be retained.

Additional challenges arise immediately in the event of a data security breach, which, once known, is like waving a red cape in front of a bull. GDPR requires that a breach be reported to the supervisory authority, where feasible within 72 hours of the company becoming aware of it (Article 33). Regulators will notice, and may see it as an occasion to audit that company's GDPR compliance.

Resources at your disposal

GDPR has been an ongoing concern of Legal clients for at least the last 18 months. Training customer-facing employees and making any design changes to a company's e-commerce site that might be required will take time. Our experts are on hand to help you reach your compliance goals. With the May 25 deadline for GDPR rapidly approaching, it is imperative to start today.

For more information about our GDPR services, contact Joel Wuesthoff, a managing director of Legal's consulting solutions practice, at (212) 399-8614 or by email.
