GDPR: Why May 25 Is Just the Beginning (Webinar Replay)

On May 24, Jill Reber and I, along with a panel of Primitive Logic experts, presented the webinar “GDPR: Why May 25 Is Just the Beginning.” With the deadline for the EU’s General Data Protection Regulation (GDPR) less than 24 hours away, we offered insights on the question “What’s next?” from a data management perspective.

If you were unable to join us, you can watch the webinar above, or click here to view on our BrightTALK channel.

Many companies have been working on GDPR compliance since the regulation was first announced in 2016 … and some are just hearing about it. Both groups are now facing the question of what will happen now that the May 25 deadline has come and gone.

The Deadline Has Passed — Now What?

If you’re like many companies, you’ve been busy for the last couple of years taking the steps you need to be ready for the GDPR deadline of May 25:

Approach to GDPR Readiness

Before you start looking forward to a well-deserved break from all things GDPR, it’s important to understand that compliance is not a one-time event. It’s an ongoing, evolutionary process, based largely on best practices in data privacy and data security, continuous communication and training at all levels of the organization, and basic common sense.

If you’re still wondering what an in-force GDPR will look like, you’re not alone. The EU has delegated enforcement to a patchwork of regional and national watchdogs. As several authorities recently shared in a Reuters survey, they are still uncertain how they will go about overseeing companies and investigating complaints — and allocating the funds necessary to do so effectively.

Even if your firm was ready in time for the deadline, in many ways the real challenge lies in maintaining your compliance on an ongoing basis.

Prepare for Triggers

It’s important to stay vigilant in watching for internal and external “triggers” that will require a re-assessment of your GDPR compliance status.

External Triggers

External triggers include regulatory interpretations of the GDPR, new regulations in other countries or regions, customer expectations around data privacy, and other factors. While the GDPR is explicit on what data controllers and processors must do, it’s less clear on how they should go about the task of complying. Because of this ambiguity, we will all be looking to regulators and to the European courts for clarification.

Also consider that the GDPR could be the precursor to many similar regulations in other countries and regions. Here in the United States, the recent Congressional hearings regarding the Facebook-Cambridge Analytica scandal have shone a spotlight on data privacy, and lawmakers are coming around to the idea that a federal law similar to the GDPR might be necessary.

Internal Triggers

Internally, new processes, new vendors or partners, and mergers and acquisitions are just a few of the events that could affect your alignment with the GDPR. For example, say your marketing team decides to start collecting an additional data field containing personal data. To remain compliant, you’ll want to determine the implications of collecting this new data. If the new field makes some data subjects identifiable when they were not previously, you may also need to apply an additional safeguard (e.g. anonymization or pseudonymization).
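The marketing-field scenario above is worth seeing in code, because the re-identification risk it describes is measurable. The following is an added example, not code from the webinar or from Primitive Logic: the records, the new "employer" field, the sector mapping and the HMAC key are all constructed for illustration. It measures k-anonymity (the smallest group of records that share the same combination of quasi-identifiers) before and after the new field is added, then applies keyed pseudonymization and generalization to the field so the difference between the two safeguards is visible.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (not from the article): a marketing list that held only
# coarse quasi-identifiers, to which the team now wants to add an "employer" field.
BASE_RECORDS = [
    {"id": 1, "postcode_prefix": "SW1", "age_band": "30-39"},
    {"id": 2, "postcode_prefix": "SW1", "age_band": "30-39"},
    {"id": 3, "postcode_prefix": "M1", "age_band": "40-49"},
    {"id": 4, "postcode_prefix": "M1", "age_band": "40-49"},
]
NEW_FIELD = "employer"
NEW_FIELD_VALUES = {1: "Acme Ltd", 2: "Globex Plc", 3: "Initech", 4: "Initech"}

# Constructed mapping used for generalization (employer -> sector); hypothetical values.
SECTOR_MAP = {"Acme Ltd": "Manufacturing", "Globex Plc": "Manufacturing", "Initech": "Technology"}

# Constructed demo key. In practice this "additional information" (GDPR Art. 4(5))
# lives in a key store separate from the data set; never hard-code it.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def add_field(records, field, values_by_id):
    """Return a copy of the records with the new field populated from values_by_id."""
    return [dict(r, **{field: values_by_id[r["id"]]}) for r in records]


def _group_counts(records, quasi_identifiers):
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_group_size(records, quasi_identifiers):
    """k-anonymity of the data set: the smallest number of records that share one
    combination of quasi-identifier values. k == 1 means someone is unique."""
    return min(_group_counts(records, quasi_identifiers).values())


def singleton_ids(records, quasi_identifiers):
    """IDs of records that are unique on the quasi-identifiers, i.e. the data
    subjects the new field has made identifiable."""
    counts = _group_counts(records, quasi_identifiers)
    return sorted(r["id"] for r in records if counts[tuple(r[q] for q in quasi_identifiers)] == 1)


def pseudonymize_field(records, field, key):
    """Replace the field with an HMAC-SHA256 tag computed under a separately held key.
    Deterministic, so equal values still match (joins keep working), but the original
    value cannot be recovered or brute-forced from the data set without the key."""
    return [
        dict(r, **{field: hmac.new(key, r[field].encode("utf-8"), hashlib.sha256).hexdigest()})
        for r in records
    ]


def generalize_field(records, field, mapping, suppressed="*"):
    """Coarsen the field to a broader category; values with no mapping are suppressed."""
    return [dict(r, **{field: mapping.get(r[field], suppressed)}) for r in records]


def assess_new_field():
    """Run the re-assessment the article describes and return the measurements."""
    base_qi = ("postcode_prefix", "age_band")
    new_qi = base_qi + (NEW_FIELD,)
    extended = add_field(BASE_RECORDS, NEW_FIELD, NEW_FIELD_VALUES)
    return {
        "k_before": min_group_size(BASE_RECORDS, base_qi),
        "k_after": min_group_size(extended, new_qi),
        "singletons": singleton_ids(extended, new_qi),
        # Pseudonymization hides the value but keeps each subject's group size the same.
        "k_pseudonymized": min_group_size(pseudonymize_field(extended, NEW_FIELD, DEMO_KEY), new_qi),
        # Generalization changes the groups themselves, so k can be restored.
        "k_generalized": min_group_size(generalize_field(extended, NEW_FIELD, SECTOR_MAP), new_qi),
    }


if __name__ == "__main__":
    for name, value in assess_new_field().items():
        print(f"{name}: {value}")
```

The measurement is the point: the two SW1 records were indistinguishable on postcode and age band, and the employer field makes both of them unique. Keyed pseudonymization of that field is still a worthwhile control (the employer names are no longer readable, and the key can be revoked), but it does not change the group sizes, so the re-identification risk remains until the field is generalized or suppressed. That is why the trigger in the text calls for a re-assessment rather than a default transformation.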

Changes in your business can also trigger a need for re-evaluation. Recently a new client came to us because they were looking to expand their business into Europe, but when potential customers asked about their GDPR compliance, they had no knowledge about the regulation. We worked with the client to help them become GDPR-ready, and they recently passed a potential client’s audit with impressive results.

Know Your Ongoing Responsibilities

Regardless of whether specific triggers are on your horizon, maintaining compliance with the GDPR requires addressing ongoing responsibilities, such as training employees, building “privacy by design” into all new functionalities, responding to data subject requests promptly, sending breach notifications within 72 hours, and much more.

Ongoing Responsibilities Under GDPR

To learn more about complying with GDPR now that the regulation is in force, view the webinar replay above, or click here to visit our BrightTALK webinar channel.

Kevin Moos, May 2018