GDPR Governance: Staying the Course

GDPR Governance
Photo by Anthony Delanoix on Unsplash

Now that the EU’s General Data Protection Regulation (GDPR) is in force, companies who have spent the last few months (or years) getting ready for it are breathing a sigh of relief. But as we discussed in our webinar “GDPR — Why May 25 Is Just the Beginning,” the enforcement date was not a finish line. Even if your company created and executed a comprehensive readiness plan in time for the deadline, the task of maintaining your compliance is just beginning — and it has no end date.

Ongoing Responsibilities Under the GDPR

Your company may be well situated to fulfill your obligations under the GDPR today, but remember that technology doesn’t stand still, and neither does your business. Triggers such as mergers or acquisitions, new processes, new applications, new reports, and other events can significantly impact your GDPR compliance status, and you need to be ready for them.

In addition to watching for triggers, you also need to ensure that your team can execute the actions the GDPR mandates — such as honoring data subjects’ requests for erasure and reporting data breaches — within the required time frames whenever the need arises.

As you look at your ongoing GDPR compliance strategy, remember to consider the following factors:

Monitoring compliance: How will you monitor the “big picture” of your organization’s GDPR compliance on a day-to-day basis? Having policies and procedures in place is half the battle; you also need mechanisms in place for ensuring that your employees follow them.

Data processor audits: How will you vet potential business partners who will process personal data on your behalf?

New processes and technology: How will you evaluate new processes and new applications to determine which ones are covered by the GDPR, and if they are, how will you ensure that they offer the necessary security features, privacy by design, etc?

Record of Processing Activities (RoPA): What is your process for updating your RoPA to keep up with changes in your business?

Data Protection Impact Assessments (DPIAs):
How do you determine whether a new process requires a DPIA, and what is your process for ensuring that your team conducts them when needed?

Building a GDPR Governance Committee

As you can see, maintaining your GDPR compliance level is no simple task, and you may be thinking “Who is going to manage all this?”

While your data protection officer (DPO) is responsible for overseeing your company’s overall compliance, it’s impossible for one person to have the required level of expertise — or the bandwidth — to monitor all impacted areas. Ongoing compliance across the organization requires the concerted effort of a team of experts, and that’s where your governance committee comes in.

When building your GDPR governance committee, consider the areas within your organization that the GDPR impacts, and make sure that each has high-level representation, such as

  • Education (HR/Communications)
  • Data Processing (CIO)
  • Policies and Contracts (Legal)
  • Security (CISO)

Remember that your governance committee must have authority over your GDPR-related processes and the ability to exercise that authority. This will help you avoid the mistake that many organizations made with the project management offices (PMOs) they built for project governance. Because these groups lacked real authority, stakeholders saw them as a hurdle that slowed down business processes, and as a result, lines of business found ways to circumvent them. This breakdown in authority may have no real impact on the success of a project, but in the case of the GDPR, the potential consequences are substantial — up to 4 percent of your global revenues.

It’s a Milestone, Not a Finish Line

Over the last few months, many organizations have been so focused on the May 25 GDPR deadline that they’ve given little thought to what comes now. Now that your preparatory work has (hopefully) set you on the road of compliance, your mission going forward is to stay on track, which can be an even greater challenge. By creating a GDPR governance committee with the necessary expertise and authority to manage compliance activities, you prepare your organization to adapt to future “triggers” and to fulfill your responsibilities on an ongoing basis.

If you have any questions about GDPR governance, just give us a call.

Follow Jill Reber at @PrimitiveCEO and Kevin Moos at @KevinMoos.

Jill Reber and Kevin Moos, July 2018

View more articles by and