Just last week, I spoke with leaders from three different organizations that are facing the same dilemma. These enterprises are dedicating a significant amount of time, effort, and resources to prepare for GDPR compliance. As the May 25 deadline approaches, they are starting to ask “How can we tell how close we are to complying?” and “How can we show potential business partners what we have done towards compliance?”
It’s Not (Just) About the Fines
In many of the conversations I hear about the importance of complying with GDPR, the focus is on staying out of trouble with the EU data protection authorities. We’ve all heard about the large fines that supervisory authorities can impose for GDPR violations (up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher), but I believe that the incentives emerging from within the business community are just as compelling — possibly more so.
If you’re a U.S. company looking to sell products or services to European companies or if you want to partner with a European business, the question of your firm’s GDPR compliance will definitely come up in the due diligence process. The issue will also arise if you’re looking to be acquired or to merge with another company. Even if you’re not yet 100 percent compliant — which may be nearly impossible, as compliance is a moving target — showing what you have accomplished in aligning your data processes, policies, and security practices with GDPR requirements may improve your chances of success.
European companies will be diligent in ensuring that their current and potential business partners are compliant, largely because of how GDPR allocates responsibility. If one company (the controller) engages another (the processor) to handle EU residents’ personal data, and the processor is found to be noncompliant, both can be held accountable: the controller for engaging a processor that did not provide sufficient guarantees of compliance (Article 28), and each of them for any resulting damage, since Article 82 lets data subjects claim full compensation from any controller or processor responsible for it. This differs from regulations such as HIPAA, under which liability generally falls only on the party that committed the violation.
Having the Right Response
A simple “yes” to the question of GDPR compliance will seldom suffice, and claiming compliance in a contract may not exempt the other party from accountability should a violation be discovered. How can you respond to this question in a way that offers the inquiring party the assurance they need to move forward with the partnership, business deal, or acquisition?
Some companies respond with statements such as “We’ve been working on GDPR compliance since early 2017,” but simply sharing their timeline tells very little about how close they are to aligning with the requirements that apply to them. If a company has a large number of systems that process personal data, the compliance process could take quite a long time, while another company with only a few systems might require significantly less time.
How Do You Test Compliance?
Consider another possible answer to the question of whether your organization is compliant with GDPR:
“Yes, we brought in a third party to evaluate our compliance efforts in the most critical areas of GDPR that apply to our organization. Here’s a copy of their final report.”
The GDPR involves 99 articles and 173 recitals, so doing a comprehensive test on every single aspect for your organization is probably not a viable option. A more realistic approach would be to focus on the highest-risk areas of GDPR that apply to your company and make sure your policies and processes are in line with those requirements.
While you can decide to test compliance on your own, be aware that your team may be too close to the issue — having just implemented your readiness plan — to objectively review the results of their efforts. Just as companies have a separate testing team to test a system before it goes to production (rather than use the developers who built the system), your organization can benefit from having an outside expert review your compliance status.
Partnering with a third-party expert offers an array of additional advantages, including
- Specialized Expertise: The right partner will have deep knowledge of the GDPR legislation as well as the guidance the Article 29 Data Protection Working Party has released over the past two years (and that its successor, the European Data Protection Board, will issue once GDPR takes effect).
- Objectivity: An outside third party with no vested interest in the outcome of your review can be truly objective in evaluating your efforts.
- Efficiency: A third party can deliver a focused effort to complete your evaluation in a timely manner.
You can work with your partner to determine the most critical aspects of GDPR that apply to your organization (maybe 5–10 requirements) and to devise a plan to “test” those areas. On completion of your testing, be sure to have your partner document the results for you. Not only will this documentation give you a good sense of your readiness for the regulation, but you’ll also have evidence to show potential customers, partners, and acquirers when they ask about your GDPR compliance status.
GDPR Compliance Audit
Primitive Logic offers a GDPR Compliance Audit, bringing our expertise in GDPR and knowledge of business systems to the task of helping clients understand the results of their compliance efforts.