The Scope of GDPR
Size has no bearing on an organization’s GDPR compliance obligations. Due to its complexity and international origins, many small businesses have either delayed their response or ignored their compliance obligations altogether. However, the GDPR’s extra-territorial nature means that all companies that offer goods or services in the E.U. have specific responsibilities to safeguard and manage the personal data of any E.U. data subject.
GDPR Impacts More than IT
GDPR requires process and technology changes across many functional areas. HR, Marketing, and Customer Service are often affected most. And IT is required to support each of these areas through the implementation of technical safeguards or an advisory role as application and data owners oversee changes to outsourced or cloud applications.
There are many ways that GDPR affects small businesses in the U.S., but foremost among them are requirements to:
1. Know Your Data
A critical first step to protecting and managing the affected data is to understand where it is used, processed, and stored, including any third parties or other facilities, e.g., offsite tape storage. Data flow diagrams should be developed and maintained to help the organization understand which systems are in scope. This step is the necessary precursor to all others.
Data cannot be protected if it has not been identified. Moreover, the GDPR grants explicit rights of access to data subjects over their data. They can exercise these against any company holding their personal information. Companies have 30 days to respond before the individual can file a claim with their country’s supervisory authority.
In addition to diagrams, other information should be collected and maintained. For all data subject personal information, each company should document what personal information is held, where it came from, who it’s shared with, what your company does with it, and any other details related to its lifecycle, e.g., expected destruction date. Once the personal information is identified, there is a requirement to document your company’s “lawful basis for processing”.
2. Conduct a Data Protection Impact Assessment (“DPIA”)
A DPIA is required so the company can identify and mitigate the data protection risks. The DPIA must:
- Document the nature, scope, context of the processing
- Assess the necessity and proportionality of the processing
- Identify and assess risks to data subject personal information
- Determine if any additional safeguards are required.
The process of conducting a DPIA should be documented and formalized into a company’s policies. Any procedural actions the company takes following the DPIA, e.g., remedial projects, should be documented and maintained to show the company’s efforts towards compliance.
3. Implement Technical Safeguards
Following the DPIA, any standard safeguards that are not in place should be documented and implemented immediately to mitigate the privacy risk. Common technical controls that small businesses often overlook, but which are most likely required, include:
- Vulnerability and Patch Management
- Encryption At-Rest
- Multi-Factor Authentication (MFA)
- Critical Event Monitoring
- Vendor Risk Management
While none of these are explicitly called for in the legislation itself, it does require “Data protection by design and by default” in Article 25. Many of the member states’ enforcement bodies have stated that it is effectively indefensible not to have the above technologies and processes in place if the company is handling the personal information of an E.U. data subject. As data breaches continue to be reported and enforcement actions are litigated, it is likely that these safeguards and others will become explicitly required.
4. Obtain and Manage User Consent
Where consent is the lawful basis of processing, it must be gained and recorded. Data subjects must have the ability to give specific, informed, and unambiguous consent. Their consent can be modified or withdrawn at any time, so companies need a system to manage, track, and update consent records. Where possible, these processes should be automated to allow data subject ease in managing their own consent.
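The inventory described under “Know Your Data” and the consent system described here fit together naturally: processing is only permitted for a documented activity with a recorded lawful basis, and where that basis is consent, only while the data subject’s consent is active. The following is an added illustration of that check, not code from the original article. It assumes a simple in-memory inventory and an append-only consent log; all activity names, purposes, subject ids and dates are constructed sample values.

```python
"""Added illustration (not from the original article): a small processing
inventory plus a consent register, and the check that ties them together.
All names, purposes, subject ids and dates below are constructed samples."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Tuple

# The six lawful bases listed in GDPR Article 6(1).
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}


@dataclass(frozen=True)
class ProcessingActivity:
    name: str                        # the purpose the data is used for
    data_categories: Tuple[str, ...]  # what personal information is held
    source: str                      # where it came from
    recipients: Tuple[str, ...]      # who it is shared with
    retention_until: date            # expected destruction date
    lawful_basis: str                # documented basis for processing


class DataInventory:
    """Register of processing activities, one entry per purpose."""

    def __init__(self) -> None:
        self._activities: Dict[str, ProcessingActivity] = {}

    def add(self, activity: ProcessingActivity) -> None:
        if activity.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"unrecognised lawful basis: {activity.lawful_basis!r}")
        self._activities[activity.name] = activity

    def get(self, name: str) -> Optional[ProcessingActivity]:
        return self._activities.get(name)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # consent is specific: one purpose per event
    granted: bool         # False records a withdrawal
    at: datetime
    captured_via: str     # the form or channel that recorded it
    notice_version: str   # privacy notice shown, so the consent is informed


class ConsentRegister:
    """Append-only log; the most recent event per (subject, purpose) decides."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id, purpose, granted, captured_via, notice_version, at):
        self._events.append(ConsentEvent(subject_id, purpose, granted,
                                         at or datetime.now(timezone.utc),
                                         captured_via, notice_version))

    def grant(self, subject_id, purpose, captured_via, notice_version, at=None):
        if not purpose or not notice_version:
            raise ValueError("consent must name a purpose and the notice the subject saw")
        self._append(subject_id, purpose, True, captured_via, notice_version, at)

    def withdraw(self, subject_id, purpose, captured_via, at=None):
        # Withdrawal is recorded, never deleted, so the history stays complete.
        self._append(subject_id, purpose, False, captured_via, "", at)

    def has_consent(self, subject_id, purpose) -> bool:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False  # no record means no consent; nothing is implied

    def history(self, subject_id) -> List[ConsentEvent]:
        """Everything recorded for one subject, e.g. to answer an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def may_process(inventory: DataInventory, consents: ConsentRegister,
                purpose: str, subject_id: str) -> bool:
    """Allowed only for a documented activity; if its basis is consent,
    only while that subject's consent is currently active."""
    activity = inventory.get(purpose)
    if activity is None:
        return False  # undocumented processing is not permitted
    if activity.lawful_basis == "consent":
        return consents.has_consent(subject_id, purpose)
    return True


def build_sample():
    """Constructed sample inventory with one consent-based and one contract-based activity."""
    inv = DataInventory()
    inv.add(ProcessingActivity("newsletter", ("email",), "web signup form",
                               ("email service provider",), date(2026, 12, 31), "consent"))
    inv.add(ProcessingActivity("order fulfilment", ("name", "postal address"), "checkout",
                               ("courier",), date(2025, 12, 31), "contract"))
    return inv, ConsentRegister()


if __name__ == "__main__":
    inv, reg = build_sample()
    reg.grant("subject-001", "newsletter", "signup form", "notice-v3")
    print(may_process(inv, reg, "newsletter", "subject-001"))   # True
    reg.withdraw("subject-001", "newsletter", "account page")
    print(may_process(inv, reg, "newsletter", "subject-001"))   # False
```

The register never deletes events, so a data subject access request can be answered from `history()` with the full sequence of grants and withdrawals, and a withdrawal takes effect immediately because `has_consent()` reads only the latest event for that purpose.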
5. Update and Maintain Documentation
Finally, since the above steps will most likely take months to perform and implement, it is critical that organizations act prudently and in good faith. Moving towards compliance and documenting efforts is crucial to showing best efforts as organizations balance GDPR compliance with day-to-day operations and other strategic priorities. Documentation need only be appropriate for the business environment, but, at a minimum, should include the steps taken, management decision-making, and remedial actions with expected timelines and documented progress toward the goals.
What to do Next
The E.U. understands these requirements may be burdensome to small businesses. The legislation is intended to elevate digital privacy to a fundamental right. The E.U. is focused on protecting individuals and raising the overall awareness of digital privacy and how companies may use personal information.
Preparation and ongoing compliance may be costly, but it has been shown that ignoring privacy requirements may be considered negligent and the penalties can be much more expensive. GDPR’s myriad requirements affect each business uniquely. It is prudent to seek counsel for legal guidance and explanations as the law will continually be updated as it is enforced. Finally, conducting information security and data privacy assessments at the direction of an attorney may provide additional legal benefits if litigation is ever required.