The clock is ticking toward the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) and, according to PwC’s recently released Pulse Survey, U.S. companies are now investing significantly in compliance measures. Per the survey, 92% of respondents consider GDPR a “top priority” for 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.
“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation,” said Jay Cline, PwC’s U.S. Privacy Leader. “The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for U.S. companies that offer goods and services to EU citizens.”
In December, prominent GDPR analyst Chiara Rustici advised businesses “to ring fence 4 percent of 2016 global turnover and earmark it as budget for 2017 compliance.” (Because of its proximity to the release of the EU Article 29 Working Party’s own GDPR guidance, which clarified certain key enforcement issues for member states, Rustici’s budget advice was unable to fully account for the new information.)
“American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline also said. This statement echoes Rustici’s advice in 2016, in which she stated that “there are no excuses for not having a GDPR budget in place before the end of 2016.” Though more than a year remains for companies to achieve compliance, and further guidance is expected from EU data protection regulators, PwC cautioned that companies should not wait to make it a priority.
For organizations wondering where to start, here are perhaps the most important steps they should take.
Need for Data Portability and Data Mapping
In its December guidance, the Article 29 Working Party addressed a major issue for which companies will need to develop infrastructure and processes. Namely, it discussed data portability – the ability of an EU citizen to access their personal data and easily transfer it to a different service provider. Closely tied to this concept are two central rights within GDPR: the Access Principle, whereby a user can discover what personal data of theirs a company holds, and the “right to be forgotten,” whereby a user can request the deletion of that data. To turn these concepts into reality, Article 30 of GDPR practically obligates companies to create comprehensive data maps so they can readily discern what data the company possesses, where it is stored, how it flows, with whom it is shared, and how it is used.
The guidance also indicated the need for companies to develop systems, technological or otherwise, to respond to individual requests under the data portability provision. According to the Working Party, “one of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API). This would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf.” Regardless of process, fulfilling the data portability and data mapping requirements represents no small IT investment for affected companies.
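To make the data map concrete, here is an added example, not part of the original article or of PwC's or Rustici's material, that models an Article 30 style inventory in Python and drives the three requests discussed above (access, portability export, erasure) from it. Every system name, data category, subject id and record value is constructed for illustration; the `provided_by_subject` flag scoping the portability export to data the subject supplied, and the recipient list used to decide who must be told about an erasure, are modelling assumptions, not the article's.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed Article 30 style data map: what data, where it lives, why it is
# processed, who receives it. Sample values only, not a real company's inventory.
@dataclass(frozen=True)
class ProcessingRecord:
    category: str              # what data the company holds
    system: str                # where it is stored
    purpose: str               # how it is used
    recipients: Tuple[str, ...]  # with whom it is shared
    provided_by_subject: bool  # assumption: only subject-provided data is exported for portability

DATA_MAP: List[ProcessingRecord] = [
    ProcessingRecord("contact_details", "crm", "account administration", ("payment-processor",), True),
    ProcessingRecord("order_history", "orders_db", "contract fulfilment", ("logistics-partner",), True),
    ProcessingRecord("support_tickets", "helpdesk", "customer support", (), True),
    ProcessingRecord("fraud_score", "risk_engine", "fraud prevention", (), False),
]

# Constructed per-system stores keyed by subject id (hypothetical sample data).
# "legacy_export" is deliberately absent from DATA_MAP to show how a map gap is caught.
SYSTEMS: Dict[str, Dict[str, dict]] = {
    "crm": {"u-100": {"email": "alice@example.com", "phone": "+1-555-0100"}},
    "orders_db": {"u-100": {"orders": ["ord-1", "ord-2"]}, "u-200": {"orders": ["ord-9"]}},
    "helpdesk": {"u-200": {"tickets": ["t-42"]}},
    "risk_engine": {"u-100": {"score": 0.12}},
    "legacy_export": {"u-200": {"csv_dump": "2016-archive.csv"}},
}

AUDIT_LOG: List[dict] = []  # one entry per erasure, for the DPO's records

def unmapped_systems() -> List[str]:
    """Completeness check: systems holding personal data that the data map does not cover.
    Any subject request routed only through the map silently misses these."""
    mapped = {rec.system for rec in DATA_MAP}
    return sorted(name for name in SYSTEMS if name not in mapped)

def access_report(subject_id: str) -> List[dict]:
    """Access Principle: every category actually held for the subject, with where it lives,
    why it is processed and who it is shared with, taken straight from the map."""
    report = []
    for rec in DATA_MAP:
        if subject_id in SYSTEMS.get(rec.system, {}):
            report.append({"category": rec.category, "system": rec.system,
                           "purpose": rec.purpose, "shared_with": list(rec.recipients)})
    return report

def portability_export(subject_id: str) -> str:
    """Data portability: a machine-readable JSON document of the subject-provided data,
    ready to hand to the subject or a provider they authorise."""
    payload = {"subject_id": subject_id, "data": {}}
    for rec in DATA_MAP:
        if rec.provided_by_subject and subject_id in SYSTEMS.get(rec.system, {}):
            payload["data"][rec.category] = SYSTEMS[rec.system][subject_id]
    return json.dumps(payload, sort_keys=True)

def erasure_request(subject_id: str) -> List[str]:
    """Right to be forgotten: remove the subject from every mapped system, log which systems
    were touched and which recipients of that data need to be informed."""
    touched, notify = [], set()
    for rec in DATA_MAP:
        store = SYSTEMS.get(rec.system, {})
        if subject_id in store:
            del store[subject_id]
            touched.append(rec.system)
            notify.update(rec.recipients)
    AUDIT_LOG.append({"subject_id": subject_id, "erased_from": touched, "notify": sorted(notify)})
    return touched

if __name__ == "__main__":
    print("unmapped systems:", unmapped_systems())
    print(json.dumps(access_report("u-100"), indent=2))
    print(portability_export("u-100"))
    print("erased from:", erasure_request("u-100"), "->", access_report("u-100"))
```

The `unmapped_systems()` check is the one to run first: the constructed `legacy_export` store holds data for `u-200` that neither an access report nor an erasure will ever reach, which is exactly the kind of gap an incomplete data map leaves behind.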
GDPR applies to companies as a whole, and for budgeting purposes, leaders should also take the regulation into account across the full enterprise, as opposed to merely in the legal, compliance and IT areas. “[T]he budget is there to ensure that any interaction of EU-based individuals with a brand’s real and digital estate follows the EU data protection principles,” noted Rustici, and “that will mean product design, user experience, distribution and after sales support, HR, marketing, legal, risk and compliance, storage and security should all own a share of the corporate GDPR budget.”
A good GDPR budget may allocate money to some or all of the following line items:
- data inventory and mapping
- privacy and state-of-the-art safety by design
- solutions to enable data portability and the right to be forgotten
- internal GDPR training
- stress-testing GDPR resilience, information security, and audit
- enterprise-wide coordination and compliance
- vendor management
- hiring of a GDPR architect, CISO, and/or DPO
Hire a Data Protection Officer
Relevant to the last line item above, GDPR requires companies that process personal data “as a core activity” and/or monitor data subjects “on a large scale” to hire a Data Protection Officer (DPO). This role independently oversees corporate compliance. In its 2016 guidance, moreover, the Article 29 Working Party went so far as to recommend voluntarily designating a DPO even where GDPR does not specifically require one.
The guidance also indicated that the terms “large scale” and “core activity” as they pertain to the DPO requirement will also be broadly interpreted. Regulators will consider a number of factors including the volume of data, its geographic breadth, and its importance to a company’s operations. The Article 29 Working Party clarified this point by way of example: “the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” Following this example, organizations operating in highly regulated industries, such as healthcare, financial services, insurance and consumer businesses, should anticipate the need to hire a DPO.
A GDPR architect – a CTO, CISO, CIO, data privacy lawyer, compliance officer, or all of the above – may also be required, however. As Rustici warned, “Think of a DPO as a ship’s captain and of a GDPR architect as the naval engineer. [T]o set sail to the seas you rely on a good captain, who can chart a course and avoid thirty-foot waves; but to build or make a ship sea-worthy, and ensure that it can withstand even thirty-foot waves, you first rely on a good naval engineer.”
Ensuring data portability and enabling data mapping, budgeting across the organization for GDPR, and designating the DPO and other important roles are only three of the most prominent steps U.S. multinationals are taking in the new year. Other top priorities could include reviewing and revamping privacy policies, examining procedures to ensure consent for collecting/processing personal data, and improving vendor management programs. Many organizations are also considering data localization, including moving data centers to Europe, while others are assessing the viability of transitioning operations out of Europe altogether.