GDPR Compliance – How are we Doing a Month In?

Over the past year, the privacy profession’s attention has significantly shifted around the globe to Europe’s General Data Protection Regulation EU/2016/679 (GDPR). Because of the extra-territorial reach of the GDPR, which is clearly the most stringent data protection legal framework in the world, GDPR compliance has been top of mind for many of my Canadian and U.S. clients. This short article will address what a GDPR compliance project looks like for a North American company that is processing some personal data of EU residents, for example due to:
a)    an on-line store available globally;
b)    web analytics activities that include EU IP addresses; or
c)    accountholders or customers who move to the EU but whose personal data continues to be processed outside of the EU.

Prior to the coming into force of the GDPR on May 25, 2018, in my experience many Internet giants, organizations with a heavy European presence and those with a large European customer base invested heavily in GDPR compliance projects, data mapping exercises and data protection impact assessments. However, the large majority of businesses are just catching up.

A month in, we are seeing some useful reporting on GDPR activity. For example, the International Association of Privacy Professionals recently published an interesting catalog of GDPR complaints received by various data protection authorities since May 25th.

Common Mistakes when Seeking GDPR Compliance Advice

I have worked with many North American organizations who, with the best intentions, have taken steps to address gaps between the GDPR rules and their own practices. The motivation to do so may be fear of the heavy fines that can be imposed by EU data protection authorities; but more likely, it’s a sense that customers want (or expect, and in fact seek demonstration of) serious GDPR compliance efforts that will protect the data entrusted to you for processing.

Unfortunately, there is no quick fix or one-size-fits-all when it comes to the GDPR. Any promises of GDPR compliance ‘in a box’ should be reviewed with caution. There are certainly great templates available for privacy policies or data protection addendums that provide a great starting point to GDPR compliance documentation, but I have run into too many businesses who have invested in resources that are not a good fit for their organization or who have not properly implemented such templates. It is critical to get advice from a legal professional who has a sound understanding of the GDPR.

E-tools that promise to automate compliance and off-the-shelf GDPR training programs must also be approached carefully. How is a standard overview of the GDPR going to ensure your staff know how to reduce the risk of non-compliance for your particular business operations? It is certainly worth exploring training programs like those available through Privacy Core or MediaPro, but expect to supplement or customize with your own material. Aptible, an organization that has developed Gridiron for GDPR compliance, helps by drafting all of the risk documents and policy and procedure manuals for an organization. Before starting, users receive a GDPR charter to follow using a 35-day timeline. Aptible posted on Twitter “Stop worrying about GDPR compliance, and let Gridiron handle it all for you. Sign up today to become compliant.” This sweeping statement is a risky one to be making. As noted in the comments to this post, most organizations are aware that there is no simple approach to the GDPR, where compliance responsibilities can be easily off-loaded. And if that’s what you are looking for, expect it to be quite obvious that you have a slap-it-together GDPR compliance framework that doesn’t really help your image for taking privacy seriously.

A To-Do List for Organizations that Touch EU Data Peripherally and have ‘Pretty Good’ Privacy Practices

Many organizations in Canada have already taken important steps when it comes to privacy best practice and introducing strong data security controls. In Canada, we have a principle-based privacy legal framework under PIPEDA that espouses many of the critical components of the GDPR, such as accountability, safeguards, consent, and limiting collection, use and disclosure of personal information. This was instrumental in Canada becoming the first country outside of Europe deemed adequate by the EU Commission in 2001 under the EU Data Protection Directive 95/46/EC (the GDPR’s predecessor). An adequacy finding allows the flow of data from the EU to Canada as a trusted country in data protection. Meanwhile, for American organizations that have committed to the Privacy Shield, a great deal of work may also have been done to introduce privacy and data security best practices under the Shield. Note that the Privacy Shield has been challenged by several European courts and it is unclear whether Canada will be considered adequate the next time the EU Commission completes their analysis, in light of the GDPR.

You may not be a controller or processor of large volumes of the personal data of EU data subjects, or you may consider your risks of exposure to be low due to the privacy work undertaken by your organization. In such cases, you can still be proactive and take steps to address the GDPR directly. Based on the work I have done with many such clients, here is my sense of the five key items to keep in mind:

  1. Where you must rely on consent as your reason for the lawful processing of EU personal data (see Article 6 of the GDPR), review your consent language and ensure it meets the strict standard of the GDPR on explicit consent.
  2. Develop records of processing (Article 30) that cover data type; data classification (public/confidential/restricted); data subject; purpose of processing; general description of recipients; storage location; and data retention timeline.
  3. Review your privacy policy and address GDPR requirements that are different from privacy expectations in Canada and the U.S. To give just a couple of examples among the myriad of updates to consider: profiling and automated decision making must be made transparent (Article 22); and EU customers should know that the data subject rights they enjoy (such as the right to data portability, rectification or erasure) will be respected and how to exercise them.
  4. Take a good hard look at service provider relationships and the contracts that govern them. Ensure clauses required by the GDPR to be in place for service provider contracts (see Article 28) are inserted and outline the subcontractors with whom personal data is shared and for what specific purposes.
  5. Review your data breach response plan and security controls in place, and determine how they line up with Article 32 of the GDPR (in particular, the use of encryption, pseudonymisation and how personal data collection could be minimized).

Remember to be selective and cautious with the GDPR resources you invest in. There are many businesses and professionals jumping onto the GDPR compliance bandwagon. Make sure you are actually relying on GDPR experts.

For assistance with your GDPR compliance efforts, contact PRIVATECH.
