August 01, 2018

Five Keys to a Successful GDPR-Readiness Program

By David Manek, Brian Segobiano, Kenric Tom, and Emily Cohen

The General Data Protection Regulation (GDPR) affects not only European companies but also most organizations outside the European Union (EU) that collect personal data from people in the EU.

One of the goals of the GDPR, which went into effect May 25, 2018, is to provide people in the EU with more control over their personal data. The GDPR is nearly 100 pages and comes with a long list of requirements. For example, under certain circumstances, people in the EU can request that an organization provide a copy of the personal data it has about them. Similarly, people in the EU can request that the organization delete their personal data. The GDPR also requires that data breaches be reported to a supervisory authority within 72 hours of when the organization becomes “aware” of the breach.

Failure to comply with the GDPR could result in an organization being fined as much as 4 percent of its annual revenue.

As a result, organizations with exposure to the GDPR have launched GDPR-readiness programs to assess their exposure, develop a road map to enhance privacy notices, update existing procedures, or introduce new procedures.

Navigant’s data privacy team, consisting of subject matter experts in data management, EU data protection, and information security, has worked on many GDPR-readiness projects. We have identified five keys to success:

1. Establish a Privacy Council
The GDPR affects organizations far beyond their compliance departments. Companies are collecting personal data across functions, including recruiting, sales, human resources, finance, data security, and analytics.

Becoming GDPR-compliant therefore requires a holistic reboot of the methods organizations use to proactively manage their data across the entire organization. Our clients succeed in adopting this cultural shift by establishing privacy councils made up of representatives or champions from different functional areas.

If an organization is structured as a decentralized collection of smaller subsidiary companies, it may be logical to have representatives for each subsidiary or geographic region on the privacy council. Whether our clients structure their privacy council by department or geographically, privacy champions recognize that they are not the sole persons responsible for privacy within their group. Rather, privacy champions serve as the chief point of contact, sharing knowledge about new policies and procedures. The champions are also a funnel for stakeholders to provide feedback to the organization’s central privacy office.

A privacy council can serve multiple purposes, both short and long term, for a global privacy program. In the short term, privacy councils should meet regularly to receive updates on activities undertaken to meet compliance with the GDPR.

As the organization moves through its plan to adopt new policies and procedures, the drafts can be shared with the council to provide operational feedback. Once the drafts are finalized, the council should be empowered to roll out these new policies and procedures to their teams.

Longer term, the privacy council will help maintain the program by keeping their teams accountable for updates, such as the data inventory and data privacy impact assessments.

As new privacy regulations are adopted across the globe, the privacy council will help bring functional and geographic cohesion through periodic workshops. This helps ensure that new compliance efforts are consistently adopted, allowing the organization to operate in a practical manner while minimizing compliance risks.

2. Choose a Provider with a Multidisciplinary Team and an Established Project Framework
Developing and supporting a successful GDPR-readiness program requires proper alignment and use of resources. The GDPR requirements can be complex, but they can be categorized into three main elements: data privacy, data management, and information security.

Through our project work, we have adopted and use a framework with over 50 privacy management activities, all of which tie back to specific articles in the GDPR. A framework is important and serves as the backbone of the project plan. Having a framework and project plan in place allows stakeholders to visualize the final state and monitor progress toward completion.

Data privacy covers governance structure (such as assigning a data protection officer), maintaining a privacy policy, embedding data privacy into business operations (procedures for collection and use of personal data, deletion of personal data, and response to requests), and ensuring training in and awareness of data privacy.

Data management pertains to the assessment and management of personal data holdings. It involves completing a data inventory register; facilitating data protection impact assessments (DPIAs); and ensuring proper risk management is conducted on the personal data collected through the processing activities.

Information security requires the integration of data privacy risks into information security programs consisting of risk assessments, security testing, and technical measures for restricting access and responding to data breaches.

The three elements play an important part in adhering to the GDPR requirements. Therefore, it is crucial that the right consultants with expertise in these three areas form an organized, multidisciplinary team to address the framework of the GDPR. The effective utilization of this team will ensure the success of a GDPR-readiness program.

3. Ensure Continued Compliance
Organizations are likely caught up in the race to become GDPR-compliant. But it is important that they be forward-thinking and recognize the need to assess and adjust their internal processes to ensure continued compliance.

For example, the GDPR requires organizations to maintain a record of processing activities. We have seen many cases in which no such record of processing activities exists. As part of our project, we institute a streamlined approach to ensure such records are kept and continually updated.

Taking the register of processing activities as an example, a few general guidelines for developing a streamlined approach apply regardless of an organization’s size, complexity, or nature.

We first identify and involve stakeholders from various parts of the business, such as representatives from the functional business area, privacy office, legal, procurement, contracting, compliance, and information technology.

Then we establish an assembly-line approach that is followed each time a new processing activity is implemented. For example, each new processing activity triggers an entry in the data processing register, a review of the appropriate legal data transfer mechanism, and then a DPIA screening.

Finally, we ensure that the tool used to house the data register is appropriate for the volume of processing activities and that auditing mechanisms are set up where appropriate.

While the initial step of setting up a streamlined, assembly-line approach may seem daunting, it will ensure consistent GDPR compliance and save time and money in the long run.

4. Create a Deliverable Approval Matrix
A deliverable approval matrix is a simple tool, but we have found it to be incredibly useful in creating a successful GDPR-readiness program and driving deliverables to completion.

The risk when preparing any procedure is that the deliverable is never implemented at the organization. It is all too easy for deliverables to get lost in email and never see the light of day.

For that reason, we have implemented two standard processes. The first is to build a library of privacy documents. Depending on the client’s infrastructure, we can build the library of privacy documents within the client’s intranet, SharePoint, network folders, or other secure collaboration tool. This library then allows for the GDPR consulting team and client to work from the same set of materials, and when the deliverables are finalized, they can be easily distributed broadly across the organization.

The second step is to create an approval matrix. In this, we recommend at least three levels of approval. The first level may be the stakeholder closest to the privacy management activity. For example, if we are updating the client’s incident response plan to include procedural steps to comply with the 72-hour breach notification requirement, we may work directly with an information security manager. The information security manager could be the first approver, the chief information security officer the second, and the chief information officer the final approver. The approval matrix not only ensures the appropriate positions within the organization are reviewing the deliverable, but it provides the GDPR consulting team a clear path to completion for each deliverable.

5. Show Measurable Progress
Now that we have a plan or framework in place to be GDPR-compliant, how do we measure the success of the project and ensure the framework is executed to completion?

The management and tracking of progress through the GDPR framework and achievement is another critical factor toward GDPR readiness. For one thing, we need to be able to refer to the organization’s deliverables—whether it be policies or procedures—and implement them across the organization.

In addition, if the data protection authority or another local regulator comes calling, we will need to help ensure the organization is prepared to provide relevant requested documentation and information.

Therefore, it is imperative that the organization track its progress and communicate when a deliverable is completed. In our experience, it is beneficial to use two main tools: (1) a detailed project plan or tracker and (2) a biweekly status meeting with project sponsors.

The project tracker used for the organization’s GDPR-readiness program can be as sophisticated as needed—as long as activities can be tracked toward completion. There are many planning tools applicable to GDPR; some have friendly user interfaces, whereas others provide a Kanban board or Gantt chart for tracking. We have found it is best to ensure deliverables are tracked by status, action steps, responsible person or resource, target dates, and any potential risks or issues.

When we have deliverable-status meetings, it is important to review the status of each deliverable and any roadblocks to completion. Through these status updates, we can clearly identify and measure our clients’ progress.

Meeting the Challenge
It’s a challenge to be ready for GDPR. But through our projects, we identified five steps toward a long-term strategy for remaining compliant.

A thoughtful approach to GDPR—both internally and with the assistance of outside expertise—is part of a proactive strategy to allow an organization to reduce its risk while growing its worldwide business.


David Manek is a director and Brian Segobiano, Kenric Tom, and Emily Cohen are associate directors with Navigant.

This publication is provided by Navigant for informational purposes only and does not constitute consulting services or tax or legal advice. This publication may be used only as expressly permitted by license from Navigant and may not otherwise be reproduced, recorded, photocopied, distributed, displayed, modified, extracted, accessed, or used without the express written permission of Navigant.

Navigant Consulting is the Litigation Advisory Services Sponsor of the ABA Section of Litigation. This article should not be construed as an endorsement by the ABA or ABA Entities.


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).