The European Union’s sweeping new privacy law—the General Data Protection Regulation, or GDPR—is the farthest-reaching data privacy law in the world. It becomes enforceable on May 25, 2018.
GDPR applies directly to EU-based companies, but it also reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization itself is established. If your organization markets to, tracks, or otherwise handles the personal data of individuals in the EU (whether customers, prospective customers, or employees), it is subject to the numerous new data-management and data-protection requirements mandated by GDPR.
At the organizational level, what are companies doing to be compliant with GDPR?
With GDPR, companies can no longer use the data in their possession according only to their own priorities. Now, they must make smart, justified decisions around their data; moreover, they must document the governance policies that support those decisions as well as the processes and technologies that demonstrate compliance with GDPR.
At one level, organizations are reshaping their big-data strategies from top to bottom. A few years ago, the question would have been, “What’s our big-data strategy?” Now, organizations are asking themselves, “In light of GDPR, what’s our big-data strategy?”
At an operational level, organizations subject to GDPR are grappling with these kinds of questions as May 25, 2018, approaches:
- What data do we have?
- Where does it reside?
- Do we have the right safeguards in place to protect that data?
- How will we manage data and document our management practices in light of GDPR’s requirements?
To become GDPR-compliant, organizations are establishing policies and procedures that ensure accountability and transparency in terms of how they manage and process the personal data in their possession. In practice, that means:
- Data mapping
- Establishing formal data retention policies and procedures
- Putting more robust information security and privacy programs in place
- Updating their privacy notices and policies
- Implementing the necessary technical, physical, and organizational controls
- Putting programs into place to respond to data subjects’ requests, including data rectification, data portability, data subject access, and data erasure
- Demonstrating compliance through documentation and extensive record keeping, down to the level of individual records: organizations need a high-level policy, but they also need to be able to show how each and every record is handled
What should risk, insurance, claims, and safety leaders be doing to prepare for GDPR?
Chances are, your organization is or will soon be formulating an enterprise-wide response to GDPR. At a departmental or functional level, what does it mean to operationalize the organization’s overall GDPR strategies and mandates?
As a risk, insurance, claims, or safety leader within your organization, now is the time to define the specific actions your department needs to take in order to comply with your organization’s overall GDPR response.
Here are some examples of the kinds of questions risk, insurance, claims, and safety leaders should be asking as they develop their team’s response to GDPR:
- What’s the retention period once a claim has closed?
- How do we anonymize claim data?
- What’s the legal basis for processing the data we possess?
- Is our data processing based on the data subject’s informed consent?
- Where we rely on legitimate interests rather than consent, is the processing necessary for that interest, and does it outweigh the rights and freedoms of the data subjects?
- Do we as a department have the right controls in place to protect the data we hold?
- Do we have the right access policies defined, and how are they documented?
- Do we have the right technical controls in place?
What about the technology vendors you work with?
GDPR requires organizations to review, re-engineer where necessary, and document all their business practices, including their relationships with technology vendors. Here, it’s important to ask the same questions of your technology vendors that you ask of yourself.
GDPR requires you, as a data controller, to use only technology vendors (usually classified as processors) that provide sufficient guarantees of GDPR compliance, and to bind them with a written contract or data processing agreement covering the obligations set out in Article 28. Controllers can be fined or subjected to administrative action for working with technology partners who are not GDPR-compliant, so vendor due diligence and the resulting contract terms are part of your own compliance record.