How to prepare for GDPR with days to go

One of the most significant changes to data privacy rules in a generation will take effect 25 May, and very few businesses are truly ready for it.

Only about 15% of EU-based companies surveyed by Deloitte last year think they’ll be fully compliant by the start day for the EU’s General Data Protection Regulation.

The regulation, which was officially adopted in 2016 after years of discussion, gives EU residents far-reaching abilities to inquire about and control how corporations collect, protect, and use their personal information. The rules stretch far beyond the 28 EU member nations and apply not solely to businesses with headquarters within the EU.

Companies with European vendors, employees, or even a single customer will need to comply with the regulation that allows citizens to inquire about the data collected on them, opt out of any ongoing marketing, and be able to have the information deleted upon their request.

That enforcement has a punitive risk, too, with regulators able to levy fines of up to 4% of a company’s annual turnover.

The GDPR’s enactment is expected to shift the way corporations digitally interact with their users and codify a new wave of data privacy rights, said Rich Vestuto, managing director in the discovery practice of Deloitte’s transactions and business analytics.

“The EU has always been very protective” of personally identifiable information, he said. “They shook everything up to get [corporations’] attention.”

Vestuto shared his thoughts on the best ways to comply with the GDPR.

Get help, quickly. If you haven’t developed a plan for how your global company will comply, it’s time to call for help.

Anyone who hasn’t started the process of complying with the GDPR is going to find it tough, if not impossible, to become fully compliant by the deadline, Vestuto said.

Most large companies have taken a year or more to locate and rein in their data, and then set up systems where consumers can decide how much, if at all, they want their data shared for marketing or other purposes.

Companies in the process of complying will surely have an advantage over those who haven’t should regulators come knocking, he said.

“They can at least show they’re moving forward,” he said.

Find your data. The first hurdle to becoming GPDR-compliant is determining what type of data your organisation keeps on individuals, and all the places it exists.

“That’s tremendously hard,” Vestuto said.

With database and business software constantly duplicated and downloaded to employees’ hard drives, uploaded in the cloud, or handed off to third-party vendors, an individual’s data could show up in hundreds, even thousands, of places.

For a company that doesn’t already track that information closely, detailing it will be a difficult task, he said.

“They have to figure out what they have and what they need to do to protect it,” Vestuto said.

View this as a chance to spring-clean. One upside to the GDPR is that a lot of companies are going to take a close look at what data they hold, and realise there’s plenty that can be dumped.

If companies have been retaining personal data of consumers for phased-out product lines or past customers, the data examination piece of GDPR compliance is an opportunity to clean out digital closets.

"Let’s get rid of it, it’s just a risk,” Vestuto said about data that has lived beyond its business purpose.

Having routine examinations of your data’s shelf life will put your company in a better position, by shedding liability and setting up processes to routinely sift out what’s not needed.

Don’t forget third parties. While many companies are rightly focused on what they’re doing with data, they need to also pay attention to what happens outside their company’s four walls, Vestuto said.

The way that third-party vendors and service providers process individuals’ data also falls under the GDPR rules, and a company could be held responsible for relaxed approaches elsewhere.

This could apply to information shipped off to law firms for litigation purposes, or systems architects hired to restructure websites.

Remember: This isn’t going away. A lot of what the GPDR has put forward is a continuation of data privacy rules adopted elsewhere.

Japan and China have similarly tough-worded data privacy rules. They just haven’t followed it up with tough regulation, Vestuto said. He expects that as the GDPR takes effect, other countries will start enforcing their rules, or move to adopt similar guidelines.

And it doesn’t mean that corporations need to just get things together by 25 May and then coast. The GDPR will be the new way of doing business, and every company doing business in Europe needs to figure out how to maintain it standards moving forward.

“It’s the business as usual piece coming on May 26 that companies have to be ready for,” Vestuto said.

The hard part for many will be adopting the privacy and digital accountability measures outlined in the GDPR into their everyday business practices, Vestuto said.

— Sarah Ovaska-Few is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Sabine Vollmer, an FM magazine senior editor, at Sabine.Vollmer@aicpa-cima.com.