The European Union’s General Data Protection Regulation (GDPR) presents an unprecedented challenge for organisations around the world – and puts general counsels in the hot seat. The scope of these new laws, combined with potential fines of up to €20 million or 4 per cent of annual worldwide turnover, means many are worrying about the impact of the GDPR – and that’s understandable.
However, it’s also a new opportunity to build customer trust and a better, safer business. By taking a step-by-step approach, you can stop worrying about the GDPR, and instead learn to embrace the change and attract the benefits it can bring – and even build business confidence.
1. Get to know the GDPR
The GDPR came into effect on 25 May 2018 and reaches well beyond the European Union’s (EU) borders. Australian businesses, regardless of size, may be required to comply if they have an establishment in the EU, if they offer goods and services in the EU, or even if they’re monitoring the behaviour of individuals in the EU.
The requirements in the GDPR share some common ground with the Australian Privacy Act requirements, and are based on data protection principles. To become GDPR-confident, get familiar with the data protection principles along with key terms and concepts.
2. Let legal take the lead
The GDPR’s complexity means your legal team – particularly if it embraces technology – is perfectly placed to play a lead role in GDPR compliance. Every member of the team, from general counsel to junior lawyers, should be fully up to speed on the GDPR and its implications for the organisation.
Similarly, it seems more appropriate that a lawyer, rather than an IT professional, step up to the job of data protection officer where this role is required within the organisation. The GDPR requires someone to be appointed to this role if any of the following apply:
- data processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- the core activities of the controller or the processor consist of processing operations which, by their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale.
- the core activities of the controller or the processor consist of processing sensitive personal data on a large scale and data relating to criminal convictions and offences.
3. Take a whole-of-business approach
While lawyers can take the lead on the GDPR, a multidisciplinary approach between legal, HR, IT and communications teams is the only way to effectively create organisation-wide protocols, incident responses and a risk-aware culture – all things that are essential in easing GDPR concerns and taking advantage of the benefits it can bring.
Legal, HR, IT and communications personnel need to work together to implement solutions for their organisations, from adopting new technologies and compliance measures to developing training and creating a risk-aware culture. This multidisciplinary approach also helps embed privacy, cybersecurity and GDPR compliance into all relevant processes and systems.
4. Put people at the centre
To embrace the GDPR and the opportunities compliance can bring, you also need to have the right people to help execute your plan. The right people will drive the changes required and promote a risk-aware culture. You might need to bring in a new team member as your data protection officer (DPO), for example, or perhaps it represents a new career opportunity for an existing team member.
It’s also vital to coordinate with the rest of the organisation around any new hires, and around a communication and cultural-change program. Without organisational acceptance and a proactive attitude toward risk management, even the most sophisticated technologies will struggle to be fully effective. Similarly, managers and leaders at all levels must be brought up to speed so they can model the proactive, compliance-friendly behaviours needed to create and maintain a compliant and generally risk-aware workplace culture.
5. Learn to love the GDPR
If your organisation needs to comply with the GDPR, it’s important to keep in mind that its requirements aren’t entirely new to Australian businesses – Australia already has privacy and data breach notification requirements that overlap with some of the GDPR requirements.
Take a systematic approach and follow a plan to get GDPR-confident:
- Review your data. What personal data does your organisation currently hold? Where is it stored? How is it used? Why have you collected it?
- Review your current practices. This includes the technology used to protect any data you hold that’s subject to the GDPR. Are you encrypting data? What other data security protections does your organisation have in place? Who do you offer your products and services to? What legal obligations apply in those jurisdictions?
- Check for gaps. Once you’ve examined the data you hold and understand how you’re managing and protecting it, you can determine whether you need to change your procedures and policies to align with the new requirements.
6. Make technology your partner in compliance
Having the right technology in place can help you identify compliance threats and opportunities, allowing you to replace your worries with a business-growth mindset. Key technologies to consider include:
- Document automation and proofreading tools: systems that automatically generate, proofread and update legal documents from pre-approved templates, helping you deliver more compliant and self-service contract services to your business.
- Compliance and information services: legal guidance solutions that provide fully maintained and up-to-date resources like step-by-step guides, standard documents and clauses, checklists and legal updates.
- Research and updates: tools that offer authoritative legal analysis and commentary, and other insights to make research tasks faster and more accurate.
- AI-powered tools: ‘smart’ systems that use machine learning and other techniques to improve the quality and relevance of the information and analysis they offer, for example by understanding what your most common queries or areas of legal research are.
By taking these six steps, you’ll be well on your way to developing an effective compliance program and, more importantly, embracing the GDPR and the value it can bring to your organisation.