Sanity check: One year until GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. Is your company prepared? Columnist Todd Ruback explains how to start taking action.
With just over a year left until the EU’s General Data Protection Regulation (GDPR) goes live, it’s time for the industry focus to move from anticipating the impact to action.
But while the importance of complying with the new laws is widely recognized, the best way to do so is less clear. According to a global Dell survey, almost all of the companies that took part — 97 percent — had no plans for when the GDPR comes into force on May 25, 2018, and less than one in three felt prepared.
As a professional in the privacy field, I’m an advocate of gaining a full understanding of regulations before planning begins. So with that in mind, let’s begin by recapping the key aspects of the GDPR.
The GDPR: A quick-fire overview
The chief point to note about the jurisdiction of the new laws is that they extend not only to all companies that are based in or offer their services within the EU, but also any that engage in website monitoring in the region. As a result, the GDPR is set to have a sizable impact for any marketers and advertising technology vendors operating globally, which by and large means most companies.
At its core, the legislation aims to give control over personal data back to the public and therefore contains a series of codified individual rights, such as the right to access and correct data, take data away and request data erasure.
For marketers, this makes it vital to ensure collection of personal data is accountable and transparent. They will need to conduct a full review all internal processes, including where and how personal data is gathered, and if there’s a risk to consumers or employees. These processes then have to be communicated to consumers in simple, accessible language.
Standards of consent have also risen. It’s no longer acceptable to infer a consumer’s consent by lack of action or embed clauses that define “consent” as continued use of a website deep in its terms and conditions page. Now all companies, including marketers, must deliver open requests for data access that clearly explain what it is needed for and wait to receive an unambiguous affirmative. What’s more, if a data breach occurs, they will also need to notify regulators and consumers within 72 hours. Not much of a change for US-based companies, but a new challenge for those in the EU.
To keep a close watch on internal data management, companies with more than 250 employees will be obligated to appoint a designated Data Protection Officer, who will serve as their main point of regulatory contact and report to the highest management level — a requirement that may be difficult, given the dearth of senior and experienced privacy resources.
Finally, there will be penalties for non-compliance that come in two tiers, with the more Draconian being the greater — 4 percent of annual global turnover — and the latter being €40 million.
From understanding to action: What’s next?
The scale of the GDPR, and ensuring compliance, is colossal. But there’s no need to panic. Most companies are already aware that planning should be prioritized — PwC’s latest GDPR Preparedness Pulse Survey shows that over half of US multinationals say GDPR is their top data-protection priority — so the next stage is to adopt a rationalized approach.
By taking a step-by-step view, rather than trying to overhaul all systems and process at once, marketers and ad tech vendors can make sure all bases are covered one by one. This process should begin with the creation of a cross-functional team and then move on to the following steps:
- GDPR readiness assessment. This is a gap analysis that measures where you are against where you need to be when the GDPR comes into force. It will be your road map to compliance success, and from the perspective of a privacy officer, my recommendation is to let an experienced external data protection counsel to ensure that the report is protected as a secure attorney work product.
- Data strategy. While many companies choose to skip this step, it is a vital part of considered GDPR preparation. Once the assessment has pinned down current processes and any weaknesses, its important to decide what data needs to be collected and why, as this will inform your GDPR strategy.
- Budget. After the GDPR report is digested, it’s time to think about funding. Budget requests are starting to come in already, and given the size of the task, it’s not surprising that they are substantial. According to the PwC survey, 77 percent of US businesses are setting aside at least $1 million for GDPR readiness, and 68 percent are assigning up to $10 million. It’s most likely the actual cost will fall somewhere in between.
- Implementation. This phase is likely to require a lot of change management, as it will mean plugging any gaps identified in your initial assessment and the creation of new processes, such as security breach investigation and notification. Consequently, it will mean clearly communicating the need for key measures to company stakeholders and keeping a close watch on how new procedures are implemented so all necessary changes are made. It’s possible that if internal resources are insufficient, a large portion of your budget may be best spent on consultation to ensure watertight compliance.
- Testing. There is little room for error, so all new processes, tools and software code must be thoroughly tested in advance.
- Accountability and transparency. These are the twin pillars of the GDPR, and though they are sometimes difficult to uphold in practice, there are ways and means to do so. The best method of ensuring accountability, for instance, is to document all activities and how they align with your data strategy. Being totally transparent is more challenging. It requires the ability to sum up all data handling in an easy-to-understand way that is readily available and accessible to the individual — be that a consumer or employee. Marketers also need to deploy a consumer-centric communication portal or tool that explains what consumers’ new rights are and how to exert control. That tool should also be wired into your databases or infrastructure to provide swift initiation of whatever the individual is asking to do. This last point is also the most fundamental element of transparency. Why? Because it’s the kind of compliance activity regulatory authorities can most easily see and will therefore be likely to monitor and enforce first before moving on to consent violations.
The GDPR countdown is in its last phase and the moment is here, not to panic, but to take action. Right now, the best thing marketers and advertisers can do is to ensure a complete view of what the GDPR means, then get going with preparations. Fast.
Opinions expressed in this article are those of the guest author and not necessarily MarTech. Staff authors are listed here.