How Legal and IT Teams Can Work Together to Achieve GDPR Compliance
The clock is ticking for the General Data Protection Regulation (“GDPR”) enforcement date to go into effect on May 25, 2018, and many organizations are still working to ensure they’re fully compliant before the deadline. While the GDPR can seem intimidating at first, thoughtful planning can help your organization efficiently maintain compliance.
That means comprehensive training needs to be done now so that affected employees and stakeholders understand how the GDPR impacts them, what it requires, and the consequences of noncompliance. And since the regulation can affect many parts of the enterprise, regular interdepartmental meetings will help ensure that each team is aware of any operational changes that are being made.
The keys to getting ready for the regulation are communication, transparency, and accountability. Everyone involved in GDPR preparations needs to understand their role and be held accountable for ensuring compliance.
For legal advice regarding your organization’s GDPR compliance needs, be sure to consult your organization’s lawyer. This article doesn’t constitute legal advice, and is provided for informational purposes only.
Requirements of the GDPR
The GDPR regulates all identifiable personal data of European Union (“EU”) individuals. The definition of personal data is meant to be wide-ranging and future-proof, covering everything from email addresses and employee identification numbers to geolocation data, depending on the circumstances. The regulation strongly encourages encryption and requires that security measures are built into any system that is engineered to collect, process, or store personal data of EU individuals.
Most notably, the GDPR creates new important rights for EU individuals: the right to erasure if their personal data is no longer being used for its original purpose or the data subject withdraws consent, and the right to portability of that personal data if the data subject wishes to transfer it into another data processing system.
Penalties for noncompliance with the GDPR can reach up to 20 million euros or 4% of a company’s annual worldwide revenue, whichever is greater.
Are you interested in learning more about specific GDPR rights and terms? Okta’s GDPR glossary spells it all out.
What IT needs to gather for and from the legal and compliance teams
The IT department knows the nitty gritty of your enterprise’s data infrastructure in a way that the legal department may not, meaning that IT may need to outline much of that information for the organization’s legal and compliance teams.
The first step in accomplishing this is to identify the types of personal data of European individuals that an organization collects, processes, and stores, where the data is located, and with which external organizations it may be shared. A good first step is to “map the data” – in other words, having the organization illustrate, in internal documents, how and where such personal data is used, stored, and shared. These documents should be updated periodically, to reflect any changes over time. Mapping the personal data and avoiding unnecessary duplication is one of the key ways to help ensure compliance with the GDPR. Doing so makes it easier to comply with erasure and portability requests.
Regular training about the GDPR requirements can also help IT better understand how personal data of EU individuals is subject to the regulation. IT will also need to work with the compliance and legal teams to understand if any IT processes for handling data needs to be changed to better comply with the regulations.
Learn more about Okta’s Lifecycle Management and how your organization can use it to help build a holistic map of who has access to what personal data of EU individuals, a process critical to GDPR requirements.
What compliance and legal teams need to know about IT
A key role of an organization’s compliance and legal teams is to understand how their enterprise collects, stores, and processes personal data of EU individuals, and how the GDPR impacts the organization.
This is important because the GDPR puts personal data handlers into two categories: data controllers and data processors. The data controller provides direction and input to the data processor and determines which personal data is to be collected.
While both the controller and processor are generally responsible for security of the data, each has different responsibilities that an organization’s compliance and legal teams will need to apprise them of.
In addition, compliance and legal teams will need to understand whether their organization processes personal data and/or sensitive personal data of EU individuals. Under the GDPR, sensitive personal data is data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data, or biometric data. If an organization processes sensitive personal data, additional compliance measures will need to be reviewed.
It may be important for compliance and legal teams to advise IT about whether new security solutions – such as identity and access management or a cloud access security broker – are needed to ensure personal data-handling is compliant with the GDPR.
Download our GDPR White Paper for more information on how Okta’s solutions can help your organization comply with the GDPR.
Ensuring collaboration
Encouraging two completely different departments to work together can be a challenge, but there are several ways to ensure smooth collaboration.
Appoint strong leaders
The first step is to appoint leaders who understand the goals of compliance and who have a history of handling projects of this magnitude. It is important to determine the right fit for team leaders to ensure each team has the resources and support necessary to handle critical security tasks. Leaders who are flexible, uphold a collaborative mindset, and are willing to invest their time in building strong relationships with individual team members are especially valuable.
Establish clarity within roles
These leaders should ensure that the roles of their department and the roles of the individuals within it are clearly defined and well-understood. They can communicate across departments to keep track of what each team is doing to get ready for the GDPR. It’s also important for teams to have a checklist with deadlines, and even more so to hold people accountable if they miss those deadlines.
Hold inter-departmental meetings
Bring teams together and visually map out roles and expected contributions to the end goal of GDPR compliance. Request input from teams on process improvements, to help them feel valuable and invested in the final outcome.
Finally, leaders of all affected departments should hold regular meetings to know how far along they are towards achieving their GDPR goals. This also presents an opportunity for leaders to be proactive, rather than reactive, and flag any risks before they become issues.
The GDPR is going to have a big impact on how businesses handle the personal data of EU individuals, but with proper preparation, strong communication, and accountability, any enterprise can be prepared for May 2018.