With under a year to prepare your business for the official enforcement date of May 25, 2018, for the General Data Protection Regulation (GDPR or the Regulation), you have probably already done a great deal in preparation. While you continue to apply the GDPR as best practice, you still have some time to explore the challenges your organization may face in terms of operational impacts. With the right team in place, all should run smoothly, but you may not yet know which team members are equipped to handle each type of operational impact, since it is all new for everyone.
Manage the Top 4 GDPR Operational Impacts with an All-Star Team
With stiff penalties in place for GDPR non-compliance, you simply cannot afford to miss a beat when it comes to tackling the operational impacts. If you already adhere to the strict set of privacy rules set forth by the Data Protection Directive 95/45/EC, taking on the GDPR is a matter of tightening up some practices your team already performs while adding some new elements required by the Regulation.
1. Extension of Territorial Scope
The EU decided to greatly extend the territorial scope of its data privacy law with the GDPR. In short, organizations located outside the EU must comply with the GDPR when they process personal data in connection with offering goods or services to, or monitoring the behaviour of, data subjects who live in the European Union, according to Lexology.
How can your team manage the extension of territorial scope?
Work with your legal team to determine whether or not your organization falls within the GDPR's scope. Your legal professionals should study the mandates of the GDPR carefully to understand exactly where you fit into the territorial scope. It is important to note that concepts such as "monitoring" and "offering goods or services" are drawn intentionally broadly in the GDPR, so it is crucial that your legal team look for the shades of meaning specific to your organization and advise you on the best approach going forward.
Erring on the side of caution is the best tack to take to help avoid a trigger event, such as undergoing a data breach or receiving a complaint from a European customer, that results from underestimating your organization's need to comply with the GDPR's requirements.
Prepare to regularly reevaluate and revise this aspect of data security to ensure customer protection and GDPR compliance. Keep the lines of communication open with your legal staff and with the key personnel who monitor, input and manage data. If you discover additional customers who need GDPR attention, add them to your GDPR customer list to make sure they are handled within scope.
2. Consent
The EU has updated and strengthened consent requirements for companies, no longer allowing unclear and illegible terms and conditions, full of legalese, that generally confuse customers. For example, the request for consent itself must be laid out in terms customers can easily understand. Additionally, the Regulation expands the range of special categories of personal data and restricts the ability of children to consent to data processing without parental authorization.
What can your team do to ensure compliance with consent requirements?
Work with your legal team to develop legal language that lay persons outside the legal field can easily understand while it still conveys the necessary legal conditions of the transaction or other interaction, including the retention period. Have your IT professionals draw up a report of any possible minors in your system to ensure you are in compliance, and ask for parental authorization for their transactions in the future.
3. Breach Notification
This key operational impact is intended to protect customers in the event of a data breach that could compromise their identity and could "result in a risk to the rights and freedoms of individuals." Within 72 hours of a breach that you believe could endanger your customers' privacy, you must provide breach notification. Your data controllers must notify customers "without undue delay," according to EUGDPR.org.
How can your team successfully and fully manage this operational impact?
Your well-trained and attentive IT team will continually monitor your systems for data breaches, escalate any confirmed breach so that notification can go out within the 72-hour window, and notify customers.
4. Right to Access
This expanded right of data subjects means that your customers have the right to request and obtain information about their data from the data controller. They are entitled to know whether or not their personal data is being processed, as well as where and for what purpose it is being processed. The data controller must provide a copy of the customer's personal data, free of charge, in an electronic format. This expansion of rights offers an extra degree of transparency and greater customer confidence, since customers know how their data is being used by different companies.
How can you fulfill your duties to provide Right to Access to data for customers?
Instruct your data controllers of their responsibility to provide the appropriate materials upon request, and without hesitation, to the customer once the customer's identity has been verified.
Work with a Trusted Staffing Agency to Gather and Develop Your GDPR Operational Impact Team
At ICS, we work with many clients who need help building their GDPR team to manage operational impacts. We are here to help you understand your staffing needs when it comes to this complex new Regulation.
Contact us today to discuss your staffing needs for GDPR matters and more.