In case you missed my first post, I am documenting our GDPR compliance journey from where I sit as an in-house attorney working for an EU and international SaaS company. Get up to speed by reading my first diary entry.
Take your mind back… It’s the end of May — one year before the new EU data regulation comes into effect. Articles are coming out about how to be prepared, published by so-called experts, law firms, compliance firms and other run-of-the-mill companies trying to attract traffic. So there was truly a lot of information out there. But where to begin? How do I prepare our company — an SME based in Paris — for the GDPR?
The myriad articles being published on the subject offered a lot of information, but I wasn’t clear on their sources or their accuracy. Being a trained attorney, I couldn’t rely on other people’s information. So it was best that I start from scratch. I needed to outline for myself the steps needed to get us from point A to point C (C for Compliance).
First Step: Understanding the new regulation and what it meant for us.
I knew I needed to set aside some time to delve into the actual law. I printed out and book-bound 2 hard copies and set myself up on the sofa in an empty conference room — away from phone calls, emails and colleague requests. I gave myself 2 hours and read cover to cover Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (or, in plain English, the GDPR). I’m an attorney by trade, so reading the actual law is really interesting stuff to me! (Yes, I’m a bookworm at heart.) I highlighted the sections and paragraphs relevant to my company (which acts as a data processor rather than a data controller) and took notes at the same time.
Why 2 copies? (I promise I wasn’t wasting paper.) Well, I work in Paris, where I speak 2 languages — English and French. So I wanted the law in both of my working languages. I began by reading through the English version and put aside for another day the attack on the French version, as it is helpful to learn the terms and phrases used in the actual law in both languages.
Second Step: Roadmap Planning
Setting a roadmap sounds simple, right? Not exactly. The challenge began with analyzing the new law and identifying our requirements. I had a short period of time in which to fix our key trigger dates. May 2018 is not that far away!
At the same time, I was dealing with demands from all angles: clients, internal sales teams, and company shareholders. Everyone wants us to be compliant today, when there is still a lot of road work to do before we can put the actual measures in place. I also wanted to ensure that the steps were carried out properly, instead of just fast-tracking the process so that we could use the word “compliant” in our communications.
There was also the aspect of inter-departmental collaboration. The implementation had technical constraints. Just because the law required something did not mean that it could simply be “implemented” in the blink of an eye. Each measure needed technical planning, testing and control before it could actually be put in place. So the roadmap and the implementation needed to be handled hand in hand with the technical and operational teams. I also had to work with our marketing and sales teams to align our messaging on compliance and on the road map ahead.
Third Step: Mailjet’s Roadmap
After several drafts, and internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap.
Here are the steps I came up with, and the related calendar, to bring our company from point A to point C (remember: C for Compliance):
- May — June 2017: Nomination of Data Protection Officer (articles 37–39 of the GDPR)
- July 2017: Training (articles 7–8 and 12–15). Security and data privacy training sessions to be put in place for all employees and contractors.
- Data breach procedures (articles 33 & 34). A data breach response plan: a process for notifying the controller without undue delay after becoming aware of a personal data breach, and for documenting each such breach.
- July — September 2017: Data processing records (article 30). A record of processing activities, including the purposes of the processing, a description of the categories of data and recipients, and any transfers. To be updated periodically.
- July — November 2017: Audit and analysis of our privacy framework (articles 28–30 of the GDPR). An internal audit of all our existing third-party provider contracts to ensure compliance with the GDPR and to make any necessary amendments; a review and update of our current company insurance coverage; putting the requisite processes in place; periodic review and control.
- September 2017: Reevaluate notice, consent and withdrawal mechanisms (articles 44–50). Identify cross-border data flows and review the mechanisms currently in place. Ensure an adequate level of protection through contractual clauses.
- October 2017: Ensure appropriate technical and organizational measures (article 28). Guarantees by the processor to implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects; update data protection agreements and their appendices.
- Data portability (article 20). Ensure data subjects’ right to portability (the ability to move, copy or transmit their personal data easily — whether to their own systems, to the systems of third parties or to those of new data controllers).
- October — November 2017: Data protection by design and by default (article 25). Technical & organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation.
- November 2017: Security of processing (article 32). Technical and organizational measures to ensure a level of security appropriate to the risk.
- December 2017: Data protection impact assessment (article 35). Assessment of the impact of processing operations on the protection of personal data with advice of the DPO.
Now off to implement these wonderful concrete steps… GDPR compliance, here we come!