Technology

The Biggest Reasons Why The GDPR Requires A 'TEAM' Approach

Taking a 'TEAM' approach to GDPR compliance ensures that the business will be positioned for ongoing success in an increasingly interconnected world of personal data and data privacy.

By  
on

It has been a little over a year since the GDPR became effective, and what a wild ride it has been (to say the least).  A comprehensive update to the European Union’s Data Protection Directive 95/46/EC, the GDPR substantially increases the rights provided to individual “data subjects” in the EU regarding their “personal data.”  That said, it has also substantially increased the responsibilities placed upon companies (as “data controllers” and/or “data processors”) regarding such personal data.  Although the GDPR applies to EU data subjects, it is essential to note that the GDPR can apply to U.S. companies doing business in the EU.  As a result, U.S. companies have been moving into compliance since the effective date of the GDPR (May 25, 2018), and needless to say, have learned a few things in the process.

I have previously written about the implications of the GDPR regarding software-as-a-service agreements here, here, and here, but that is merely one area among many where GDPR compliance can be challenging.  One of the biggest things the last year has taught most companies is that GDPR compliance requires not only an understanding how such companies collect, store, and use personal data, but how that data flows through the organization and third-party vendors.  Another big area of concern has been the obtaining and processing of consent — Article 4 of the GDPR requires that such consent be “freely given, specific, informed, and unambiguous.”  Needless to say, merely having a privacy policy that explains what is collected, how it is used, etc. is not enough.  I haven’t even begun to address the “right to be forgotten,” disclosure of personal data breaches under Article 33, and many others (although I have previously written on their importance here). These points, however important, are only the tip of the GDPR compliance iceberg.

When it comes to GDPR compliance, I can state unequivocally that the last year has taught a number of important lessons, but the biggest of which is that GDPR compliance requires a “TEAM” approach.  Now I know what you are thinking, but the term “TEAM” as used here covers more than what the term implies, and more than what you might think.  Of course, it requires companies to have internal teams that work together, but there is more to it.  Rather than missing the personal data forest for the trees, the “TEAM” approach also refers to the following:

“T” Stands for Technology.  Whether you like it or not, technology plays a critical role in overall GDPR compliance because the personal data at issue is resident in some platform either controlled by your company (or client), or third-party vendor(s).  What is less evident, however, is how that personal data flows through such systems both internally and externally.  Although not expressed in the language of the GDPR, the regulation absolutely demands data mapping to ensure that your company (or client) understands the risks involved with such personal data.  Technology is also essential in being able to address data incidents and potential data breaches, especially given the supervisory authority reporting requirements under Article 33 and individual notification requirements under Article 34.  Technology is part of GDPR compliance — not only having the right technology, but knowing how to use it and leverage it.

“E” Stands for Ecosystem.  Experience has shown that a company cannot assess its risk and mitigate it without understanding the entire ecosystem for the personal data flow, storage and use.  Of course, it is essential that your company (or client) have appropriate data privacy and security policies in place in the handling of personal data under the GDPR, but that is only one aspect of compliance.  The other aspect involves the data privacy and security policies of third-party vendors that are part of the personal data flow, handling and storage.  In addition to Article 33 (Notification of a personal data breach to the supervisory authority), such third-party responsibilities are specifically addressed in Article 28 (Processor), Article 30 (Records of processing activities), Article 32 (Security of processing), and Article 36 (Prior consultation).  The bottom line is that your company (or client) is not alone – it is part of an ecosystem of entities that are part of the personal data flow and handling, all moving parts that must work together both contractually and in practice.

“A” Stands for Awareness.  “Awareness” here more than just being aware of the GDPR requirements — it requires knowledge of its requirements as applied to your company (or client). Companies are no longer operating blindly involving a regulation yet to become effective — there has been a year of implementation and guidance (and in some cases, even fines) to help understand how the GDPR applies and can be implemented in the organization.  It also means that your company (or client) should have accumulated (or is in the process of accumulating) the appropriate expertise internally as well as with outside consultants and counsel to address both implementation and the inevitable data incidents (and personal data breaches), attendant notifications, as well as data subject requests.  This also means that business processes and policies are properly addressed and put in place to stem potential risk.  In this case, the maxim of “Knowledge is Power” holds true, as in having power over potential risk.

“M” Stands for Management.  None of the foregoing points matter without having the appropriate level of management engagement and understanding. Without question, management needs to understand the risks presented by GDPR non-compliance (as if the top-tier fine of the greater of €20M or 4 percent of gross annual turnover is not enough to get their attention).  The bigger issue, however, is that business teams with the company must work together to not only address compliance, but ensure that the necessary business processes, policies, and procedures remain in place and evolve accordingly.  In practice, this coordination not only helps attenuate potential liability (such as in where a data incident occurs and a determination of impact on the rights and freedoms of the affected data subjects is necessary), but it ensures that such business processes, policies, and procedures are not stagnant.  Believe it or not, experience has shown that GDPR compliance has forced not only an assessment of technology architecture, but of managerial processes that have benefitted from the process of becoming GDPR compliant.  Simply put, reviewing, modifying, and updating these processes, policies, and procedures has made the overall business stronger for companies that have taken the steps to do so.

Sponsored

Sometimes the whole can be greater than the sum of its parts, and the GDPR is no exception. Taking a “TEAM” approach to GDPR compliance is more than just ensuring that specific responsibilities under specific articles are met — such an approach ensures that the business will be positioned for not only GDPR compliance but ongoing success in an increasingly interconnected world of personal data and data privacy.  GDPR compliance can be a tough exercise, but make no mistake, the “TEAM” approach represents a bottom line worth getting excited about for your company (or client).

Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.

Sponsored

CRM Banner

Topics

, , ,