FULL EPISODE TRANSCRIPT
Hey there and welcome. I’m Rocio Baeza. I am the founder of GDPR Standup. And today we’re going to be talking about GDPR implementation and what that actually means.
So GDPR took effect back in May 2018. You probably heard lots of the buzz and the noise that was out there. And if you’re watching this video it probably means that you are responsible for some of the GDPR compliance initiatives in your organization and you’re looking for some help along the way. So in this session I’m going to be looking to just cut through the noise and help you get a better understanding of the breadth of GDPR. I’ve put together a pretty helpful resource that I think will allow you to think of GDPR in terms of different chunks. So if we can compartmentalize this information, I think it will be easier for you to understand what are all the things that your organization may need to put in place.
All right. Since May, and even before, you’ve probably heard a number of things. You’ve probably heard, “Oh my gosh! GDPR is requiring that I update my privacy policy.” Or, “Oh my gosh! I need to start worrying about hiring a data privacy officer.” Or you might be wondering, “Oh my gosh! I can no longer use the information that I have about people because I need to get fresh consents.” Or you might be wondering, “Oh my gosh! I need to stop doing business in the EU because I’m not compliant and I don’t want to be slapped with a fine.” Or you might have been thinking, “Oh my gosh! I need to move my company to a new infrastructure that is GDPR compliant.” Whatever that means. And you might also be thinking, “Oh my gosh! I need to find new tools that are GDPR compliant because that’s the only way that I can be GDPR compliant.”
And what I will say to that is pause. Breathe. Calm down. Stop running like a frantic maniac in the office. Stop stressing about all the things that you’ve heard you need to do. Think about all the scare tactics that we’re seeing: “Oh my gosh! You can be fined up to 4% of your total revenue. You need to figure this out now and if you haven’t figured it out by now, you’re doing something really bad.” I would say, “Calm down.” GDPR is not the only data privacy law that has ever been passed. It just happens to be the very recent one and it just happens to be one that is accounting for how technology is being used today. It’s accounting for how data is being used today. It’s looking to address some of the things that weren’t obvious to consumers. I need you to just pause, take a breather and … I would encourage you to educate yourself so that you’re making thoughtful decisions for your organization and you’re not just opening up your checkbook and making purchases based on all the noise that is out there.
So just some background about me. I’m based in the U.S., in Chicago. I’m a data security and data privacy consultant. I’ve put together information security programs for a number of organizations that I’ve worked for and a number of clients that I’ve worked with on projects. So this is stuff that is pretty … GDPR is introducing a number of things that I’ve worked with in the past. And my goal here with GDPR Standup is to provide you with more practical information so that you can do this in house. There’s no need to hire a data security consultant. There isn’t a need for you to buy the latest GDPR tool. I think that as professionals we have the tools available to get started with what we have today and start there.
So going back to the focus for this episode … let’s just talk a little bit more about [inaudible 00:04:49] of your organization. And I just need you to remember that not all of these things may apply to your organization. Some organizations will have to comply with all of the requirements, but there are going to be some organizations that have to comply with a portion of the requirements. I think if that’s the only thing that you take away from this episode, it will be very worth your time. I don’t want you to feel that you have to spend lots of time, effort and resources to do all the things that you’re hearing about in the space.
I’m going to point you to a very good resource, if I say so myself, that I would encourage you to check out. There are a couple of different ways that you could educate yourself about GDPR. One, you can read the text. I will warn you, it’s very long. It’s dry. It’s not very exciting. I think it was put together by lawyers and regulators for the most part. It’s fairly bland, but you’re very welcome to read it if you want to. Lots of regulators have put together resources. And these are free resources that are available out there. So I would encourage you to check that out. But as I was picking this up, like everyone else, I had to pick this up kind of on the go.
GDPR went into effect May of this year. I had to go through the process of learning this myself. I work with a number of clients that need to comply with GDPR. And, well, I figured this is where the market is going because my clients are asking questions about this. I need to educate myself so that I can help my clients and anyone else that needs help in this area.
As I was picking up that knowledge I quickly realized, hey, this is lots of information. It’s kind of difficult for me to organize it in my head. So I created this thing, I’m calling it the 10 GDPR Components. You can actually download a copy on my website if you just go to gdprstandup.com. You scroll down to the middle and click on the 10 GDPR Components.
All right. So I broke this out into 10. I broke out GDPR into 10 different chunks. Just by doing that simple step it became easier for me to just start to think of, all right, what are the different things that I have to pick up? So I’m going to briefly cover what those 10 components are. And in future sessions we can take a deeper dive as to, okay, what does that actually mean? And how do I know if it’s something that applies to my organization or not?
With the first one, GDPR may require that you appoint a data protection officer. So this is basically a person that you appoint that will be responsible not only for GDPR compliance, but compliance with any other data privacy laws or regulations that your organization needs to comply with. That’s the first one.
The second will be internal recordkeeping. The only way that an organization can demonstrate compliance with anything, whether it be a law, a regulation, a standard, is if you write it down. If you have internal records, basically evidence, that serve as proof that you’re actually doing what you say you are doing, or that serve as proof that you are doing what you’re required to be doing. So that’s component number two. Internal recordkeeping. And putting it in different terms, it basically means you are documenting certain things. You are writing down certain pieces of information. Now yes, you can document this in the fancy GDPR tool, you definitely can. They’re out there. But you can use the tools that you have available today such as a Google Doc or a Microsoft Office file. Just create a new one and you can start documenting it there. You don’t have to go and buy anything fancy. You can start with what you have today. So, that’s component number two.
Component number three would be privacy policy. So if your organization is already collecting or holds information about people, then you probably already have a privacy policy. This is typically published on the company’s website. And depending on what your company does, depending on the level of information that your company holds, you may be required to update your privacy policy, yes. All right, so that’s component number three.
Component number four is third party contracts. If you are working with third parties, with other organizations, and as part of that relationship you’re either sharing or receiving personal information about your citizens or residents, then you may have to look at how you’re managing those third party relationships. And you may have to look at specific language in these third party agreements. So that would be component number four.
Component number five would be consent mechanisms. So your company may be required to obtain consent from people for the different ways that you can use their personal information. And one thing that frustrated me earlier this year was this frenzy, this belief, that everyone had to get fresh consent from everyone that they had ever done business with in the past. This is not applicable to all organizations. It may be applicable, but don’t just act on information that you’re hearing from others. Make sure that you’re doing your due diligence because hey, if you don’t have to do some of these GDPR requirements, you should know that so that you can make good decisions about the resources that you’re directing to this initiative. So, consent mechanisms would be component number five.
Component number six, I’m calling it Data Management Support. So I’ll probably be changing the label. What I mean by this is, think of a set of features or processes that would allow individuals to exercise the rights that GDPR provides them with. So think of the right to access, the right to correction, the right to erasure, the right to be forgotten. Data portability. The right to restrict processing. Some organizations will be required to honor individual rights for those that they serve, for those that they hold personal information about. And again, this may apply to your organization, but it will not apply to all organizations. That’s component number six.
Component number seven is this idea of an operationalized information security program. If your organization is holding personal data about people, this probably applies to you. What does that actually mean? So think of a program that basically enables your organization to protect that data on an ongoing basis. And by program, I’m referring to things like policy, procedures, training and possibly audits. So, that’s component number six. I’m sorry, component number seven.
Component number eight would be breach notification. So some organizations will be required by GDPR to have breach notifications in place. So basically if your organization holds personal information about people and that information lands with unauthorized users, or if someone has unauthorized access to that information, you may be required to issue a notification to the individuals or to regulators. That’s component number eight.
Component number nine is demonstrating compliance. So GDPR has an accountability principle. The idea here is that organizations need to be doing things on an ongoing basis to demonstrate that they are complying with their GDPR obligations. And the only way you can demonstrate compliance is by, one, recordkeeping. So producing documentation [inaudible 00:14:49]. And again, that’s just writing it down. But also it may be appropriate to do some type of audit, some type of assessment on an ongoing basis so that you can rest assured that you know the GDPR requirements that apply to your organization, you’ve implemented them internally and you’re checking that on an ongoing basis to make sure that you’re doing what you say you are doing. And that would be component number nine.
Component number ten would be paying a data protection fee. This fee is basically going to fund data protection work for the regulators. So enforcing any type of law usually requires that individuals have a way of reporting complaints or just submitting some type of inquiry: if you think an organization is not fulfilling its GDPR responsibilities, you’ve tried to address that directly with the company, that is not going anywhere, and you’re basically going to someone else to help you out there. That’s going to take manpower. That’s going to take effort. And it’s going to take people to review these complaints, to investigate them, to reach out to the organizations, to see if the complaints are valid or not. And by asking, or not asking but requiring, data controllers to pay this data protection fee, this is one way that regulators are going to be funding the data protection work that goes into continuously enforcing GDPR.
So in a nutshell, those are the 10 GDPR components that I organized. This is something that I created for myself as I was trying to pick this up. And I have it available on the website. Again, gdprstandup.com. If that’s something that you want to download, it’s there so that you can start to think of GDPR in very discrete chunks.
And just to close out, I just want to reiterate, yes, GDPR is very long and complex. Not all GDPR requirements will apply to all organizations. The 10 GDPR Components is just one way for you to understand the breadth of GDPR. And if you’re looking to take that next step in your path of helping your organization become GDPR compliant, that first step is putting together a data inventory. We have a free course available. If you go to our 10 GDPR Components webpage and scroll to the bottom, you have the option to sign up for our free course so you can get started with that.
Thank you very much for checking us out. I hope you found this material to be useful and I’ll see you in a future session. Good-bye.