October 31, 2019 – By Dan Welberry

What’s next for GDPR? Making data protection operational

Since the GDPR came into effect, we’ve seen a noticeable change in companies’ attitudes towards the regulations. Before the deadline, compliance was treated as a paper planning exercise, with organisations trying to get their house in order in time.

Now, there’s a renewed effort to make data protection operational – taking those policies and turning them into practice. The focus is on being able to ensure that employee behaviours around handling data are compliant, and that there’s a method of checking whether policies are being side-stepped.

Crossing the compliance chasm

The disconnect between policy and practice exists because, when organisations were busy planning for GDPR, they mostly formed a centralised project team. But treating compliance as a project gave it a clear end goal and a termination date. On completion, the task was ticked off – job done.

However, compliance is never a tick-box exercise because the data, organisation and people are constantly changing. Therefore, the focus has to shift so those good data management principles become ingrained as part of business-as-usual.

The gap between what’s written down in a privacy policy and making data protection operational is something we’ve identified and covered in our guide. ‘Six practical steps you can take to transition data protection to business-as-usual’ is based on insights from our consultants, customers and the wider industry. It distils everything we’ve learned into six practical steps you can take to turn policy into practice:

  1. Take a data inventory
  2. Monitor your data estate
  3. Benchmark your SAR process
  4. Nominate data champions
  5. Create a data training plan
  6. Lock down your data security

For example, we’ve seen lots of work being done around Article 30 definitions, looking at how personal data is collected, processed and managed. Here’s one that many readers will recognise:

“We will retain personal data relating to employees for three years after they leave. Special category data relating to employees will be stored on encrypted media and password protected.”

Sounds good in theory, but when it comes time to execute that plan, it’s actually really hard. There’s a clear description of what the plan is, but little consideration is given to how it becomes part of business-as-usual: who checks that the three-year retention limit is applied, and who verifies that special category data really does sit only on encrypted, password-protected media.

In the UK, we’ve witnessed significant fines issued to BA and Marriott, which have prompted many organisations to return to their GDPR planning and consider the missing step – making data protection operational.

Applying GDPR lessons to CCPA compliance

With the California Consumer Privacy Act (CCPA) coming into effect in January 2020, all eyes are on the UK to see what lessons can be carried across the pond. Just like the GDPR, the legislation is designed to enhance privacy rights and consumer protection for residents.

Unlike the UK, where data privacy was already a prevalent part of our business operations due to the long-standing Data Protection Act, many US-based companies haven’t previously been regulated. It means that complying with data subject rights will be a huge change.

Although the GDPR applies to organisations worldwide, many US-based companies have avoided compliance either because they don’t trade with Europe or because they were able to segregate their European operations. Under the CCPA, it becomes harder to avoid compliance, since data relating only to consumers in California can’t easily be kept neatly separate. It means that US-based organisations will need to go back to basics: mapping their data out, understanding how, where and why it’s processed, evaluating any third-party agreements, and establishing effective processes to respond to data subject requests, as well as seeking to operationalise data protection.

So with the GDPR having now been in effect for over a year, US-based organisations are seeing what they can learn about how to embed data privacy principles into their operations.

Learn how in this IAPP webinar

Exonar CEO Adrian Barrett has hosted a fascinating webinar with the International Association of Privacy Professionals (IAPP) titled ‘What’s next with GDPR – how companies are turning policy into practice’. Speaking alongside Greg Albertyn, a Principal at Reibeeck Associates, and Odia Kagan, Chair of GDPR Compliance and International Privacy at Fox Rothschild, he debated how to make data protection operational both in the context of the European GDPR and the USA’s own version, the CCPA.

Click here to hear the panel discuss key topics including:

• The reality of operating in the post-GDPR world.
• The emerging gap between policy and practice.
• How to get people following processes around Article 30.
• What organisations facing CCPA can learn about compliance from GDPR.
• How to support employees in making data protection operational.