What priorities should a company consider if it is late in becoming compliant with the GDPR? What actions should be taken to limit risks?
You cannot be any later in your GDPR program
As expected and anticipated in my privacy predictions for 2018, a number of companies realized that they were late in completing their GDPR program, and some companies have not even started working on it!
If the above scenario applies to your company, here are my top 3 priorities to consider, first in my Diritto al Digitale video series in Italian and then, more extensively, in the body of this article in English.
1. Focus on GDPR activities impacting the personal data of end customers
There is no doubt that the majority of privacy-related disputes have concerned the unlawful processing of consumers’ personal data. This often occurs following a complaint submitted to the competent data protection authority, which leads to an investigation of the company.
In order to limit this risk and avoid being too late, companies shall primarily:
- map data processing activities that involve the majority of customers’ personal data;
- draft a GDPR-compliant privacy information notice and consent, which shall be as accurate as possible, since replacing them if they were improperly drafted (e.g. because not all the legitimate interest scenarios had been considered) can be quite costly; and
- run a data protection impact assessment on the most invasive processing activities impacting customers’ personal data, focusing on the main applications and identifying at least short-term potential corrections (e.g. manual solutions) which can then be improved in the future through automated systems.
2. Adopt the required measures at least in relation to major suppliers
A full mapping of suppliers processing personal data on behalf of a company may be quite a time-consuming activity. Given the urgency, it is better to identify the suppliers that process the vast majority of personal data on behalf of the company and:
- run a check of their compliance with the GDPR obligations, also by means of a compliance checklist; and
- adopt a data protection agreement compliant with the European Data Protection Regulation which, in relation to, for instance, data breach notification procedures, shall be consistent with internal privacy-related policies and procedures.
3. Set at least basic procedures, but work on the internal culture of privacy compliance
Setting out internal procedures and an organizational structure compliant with the GDPR can be quite time-consuming. If a company is running late, it shall:
- appoint a DPO, if it reaches the conclusion that one is required, otherwise appoint at least an internal privacy expert;
- set minimal internal procedures for the management of individuals’ rights (e.g. right of access, portability, right of erasure etc.), the adoption of a privacy by design approach and the handling of data breaches, which can be based on manual processes if no technology supporting them is available; and
- give instructions to employees on how to properly process personal data and run training sessions for them to make them aware of the new obligations imposed by the GDPR and the risks to which the company is exposed in case of lack of compliance.
Once the above is performed, the company shall in any case have a business plan to complete the other activities in the near future. The exception is technical changes requiring substantial investments, for which it is in my view justified to adopt short-term solutions, giving evidence of a long-term plan to put in place more efficient technical changes.