Sam Pfeifle is content director at the International Association of Privacy Professionals.
GDPR didn’t end on the May 25 compliance deadline—it just got started. To connect associations with advice and resources to assist with ongoing GDPR compliance, ASAE turned to—who else?—an association with in-depth expertise: the International Association of Privacy Professionals.
On May 25, 2018, the new era of the European Union’s General Data Protection Regulation began. Generally regarded as the most far-reaching privacy legislation in the world, GDPR grants rights to people in the EU regarding their personal data, but also affects organizations outside the EU because of its extra-territorial scope. If you have members or nonmember customers in the EU and you’re looking to attract more, GDPR applies to you, regardless of where your association’s headquarters is located.
Organizations large and small have spent the past several months preparing for GDPR’s May compliance deadline. That day has come and gone, but compliance is an ongoing responsibility—and a pretty daunting one. Fortunately, your fellow association, the International Association of Privacy Professionals, is here to help.
There’s a reason IAPP has grown from 12,000 to 40,000 members in five years—GDPR is a complex piece of legislation, and compliance is complicated. A good way to start is to read this series of articles outlining the top 10 operational responses to GDPR.
In a nutshell, these are the responses you should be undertaking (the articles provide more detail):
1. Conduct a data inventory and mapping exercise. It’s vital to know how personal data is entering your organization, where it’s being stored, who it’s being shared with, and when it’s being deleted. Remember to think of personal data broadly. It’s more than just credit card numbers and national ID numbers. Under GDPR it is any information relating to an identified or identifiable person, which includes names, email addresses, IP addresses, membership and event registration records, and anything else that can be linked back to an individual.
2. Establish your legal grounds for processing. There are six legal bases for processing the personal data of people in the EU. Consent is just one of them. You might find that your membership agreement gives you a contract with your members that you can rely on, or that a legitimate interest covers a particular use. Regardless, work with privacy counsel or consultants to figure this part out and document the basis for each processing activity. If you can’t establish a valid reason to process, make it stop.
3. Create a data governance system. Create rules for who can handle and who has access to personal data. Follow them. Have a plan for how to delete information you’re no longer using, as it now represents significant risk to your organization.
4. Create a process for privacy impact assessments. GDPR calls these data protection impact assessments and requires them for processing likely to pose a high risk to individuals; they are part of what the regulation calls “data protection by design and by default.” Every time you think up a new product or service for your members that might include the use of personal data, make sure you apply a process that examines which personal data will be used, how it will be used, what the legal basis for processing that data is, and what risks it creates for the people concerned and how you will reduce them.
5. Understand how long you’re going to keep each piece of data and why. Sure, storage is cheap, but data is now as much a risk as it is an opportunity. GDPR says you may keep personal data only as long as it is needed for the purpose you collected it for, so once that purpose has been completed, delete it or anonymize it. And if you’re keeping data, you need records of your processing activities that show what you hold, why you hold it, and what legal basis you have for it.
6. Update your privacy notice. Tell people exactly what you’re doing with their data in clear and concise terms: what you collect, why, on what legal basis, who you share it with, how long you keep it, and what rights they have. Do only what you say you’re going to do. Not every organization must appoint a data protection officer, but if you are required to or choose to, publish that person’s contact details in the notice.
7. Figure out how to accommodate data subject rights. Your members in the EU now have the right to see everything you hold about them, to correct what’s wrong, to receive a copy of it in a usable format, and even in some circumstances to ask you to delete that data. You generally have one month to respond to a request. Can you produce a member’s complete record on demand, including the copies held by your vendors?
8. Create a data breach response plan. GDPR demands that you notify your European regulator (you might have to figure out who that is) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to put the people affected at risk. If the risk to them is high, you must also tell the individuals themselves without undue delay. That 72-hour clock only works if you can detect a breach, determine what data was involved, and get a decision-maker on the phone quickly. Could you do that?
9. Establish solid contractual agreements with your vendors. If you’re sharing data with anyone—a company that supports your technology systems, for example, or that helps you put on a tradeshow—GDPR requires a written contract with that processor. It should spell out what the vendor may and may not do with your data, the security measures it must apply, how it will help you respond to member requests and breaches, and what happens to the data when the relationship ends, so that you and your vendor both have the same understanding.
10. Identify and contact your supervisory authority. As mentioned above, you need to know which regulator you would notify of a breach. If you have an office in the EU, your lead supervisory authority is the one in the member state where your main EU establishment sits. If you have no physical location in the EU but GDPR still applies to you because you are doing significant business with members or other customers in Europe, you generally have to designate a representative in one of the member states to act as a point of contact for regulators and for the people whose data you hold. Either way, make sure the regulator knows who your data protection officer or other point of contact is.
All of this can be paralyzing for some organizations. But the first step is simply to start. Organize stakeholders. Create a plan of attack. And turn to your colleagues, including the community of privacy professionals.