Taking the Smart Path to GDPR Compliance – Part 2
By: Will Xiang, CAMS, CITP, CPA, CA
The GDPR compliance deadline is May 25th. Unsurprisingly, a look at Google Trends tells us that interest in GDPR has peaked globally.
Based on a survey published by Paul Hastings LLP, U.S. companies are likely to spend $501,000 to $1 million on staffing needs ahead of GDPR implementation. Many organizations also expect to need to engage external law firms or consultants.
However, even with the heavy investment and attention, according to IBM, only 36% of companies expect to be fully compliant by May 25; 46% have begun their efforts, whereas 18% have yet to begin.
For those in the 46 and 18 percent groups, the immediate and time-sensitive execution of a GDPR compliance program may have a far-reaching effect on future compliance cost, effectiveness, and impact on existing business models.
At Richter, we have advised our clients to focus on risk: how can we take a risk-based approach to reach GDPR compliance?
In Part 1, we asked the following key initial questions:
- Internal: How is data used in the organization? Where do we keep personal data? Why do we have data? When do we collect data?
- External: Which third parties have access to the data?
- Data Subjects: How do we interact with data subjects (i.e., the people who provide us with data)?
- Processes: What are our current internal processes around information security, breach notification, and codes of conduct?
After we have asked these initial questions, it is often important to take a step back and re-assess our overall risk exposure. Are we actually impacted by GDPR?
Some may think of this question as another symptom of denial – yet it is worthwhile to invest the time to think about the answer as you try to build a robust program. IAPP has outlined a few examples to assess GDPR impact.
If compliance is required, it is important to build a target execution program by thinking strategically about the following:
- Which existing processes can we leverage (either as-is, or through slight modification)?
- What do we need to build (process, people, technology)?
- Which leaders should we engage?
Depending on the answers above, the organization can identify the scope and requirements of its GDPR compliance program. Instead of trying to do everything immediately, it may also be valuable to tackle the high-risk items first and draft a privacy-by-design road map that can be sustained in the future.
With the laundry list of items to be done for GDPR compliance, it will also be important to leverage existing processes, and integrate GDPR compliance with current programs to ensure we build a sustainable platform.
As an example – GDPR requires notification of a personal data breach to the supervisory authority within 72 hours. Many companies may already have robust incident response processes which can be adjusted, or modified, to serve the GDPR requirements.
Drafting a succinct GDPR implementation road map takes time. However, a well-thought-through and customized program will build long-term sustainability and will not collapse under its own weight.