In this episode, we discuss the similarities between how we file our taxes in the US and how organizations implement GDPR. We break this down into 3 areas:
- Impact
- Approaches
- Documentation
Episode Transcript
Hey there and welcome. I’m Rocio Baeza and I’d like to welcome you to today’s episode where we are going to be talking about the similarities between how we file our taxes here in the U.S. and how that relates to GDPR.
A quick note before we get started. This is actually a re-recording of episode number 11, the previous episode. In episode 11 I did talk about this topic, however when I was recording, I was actually sick and I needed to make the decision between skipping an episode or not. I felt like it was important that I continue with the schedule, so I ended up continuing with the recording. I did not like the way that it turned out, so this is a redo of that. So if you listened to that, sorry if that was painful to hear. If you did not listen to that, then no need to worry about things.
All right. In today’s topic we’re gonna be breaking this down into three areas. The three areas that we’re going to be focusing on are impact, approaches and documentation. I think that there’s value in having this analogy, because most of our listeners have filed their taxes at least a few dozen times. I think by discussing the similarities, I hope to use that as a way to anchor your knowledge to help you better understand GDPR.
All right. Just going one layer deep. When I’m talking about impact, I’m referring to how many people are impacted by things when we think about filing our taxes in the U.S. This impacts a wide number of people. If you are bringing in income, whether it be you are working for someone else or you’re working for yourself, this is something where you’re very likely having to file this on an annual basis.
When it comes to approaches, I think that the two levels that we can look at this are, you can, one, do it yourself or you can pay someone else to do your taxes. This is entirely a personal choice. If you decide to go down the “do it yourself” route, it’s definitely doable. You just have to know that it will take time. If you decide to pay someone else, this may be a luxury: you may not want to spend the time to gather the necessary information, plug it in and figure out whether or not you are owed a refund or need to pay additional money for your fair share of taxes. Or your situation might be complex. It might be complex and it may make sense to hire this out to a professional just to make sure that you are accounting for things correctly.
When it comes to the tools available there is a wide variety. You can go the old fashioned route and just file this using paper and pen. So this would be the 1040 form. But you can also use things like software, apps, think of H&R Block. You can use virtual services, think of a virtual bookkeeper or CPA, or a professional services team. There are thousands of these where you basically work alongside someone else or a team of other people and they will do this for you.
All right. When it comes to documentation, it’s very important that we document and hold on to that documentation, because that’s the only way that we’re able to prove things. If we are ever flagged as needing to be audited by the IRS, that’s exactly what they’re going to go after first. They’re going to be asking for a copy of your documentation because that is what the findings of the audit will be based on. So they will bring up whatever form that you submitted to the IRS and they will ask you to provide that supporting documentation, whether it be receipts, whether it be paperwork.
At the end of the episode, I wanna help you see what your options are when it comes to implementing GDPR. All of these options, I would say, are perfectly fine. They are all legitimate and the option or the route that you decide to take really comes down to your preference, your budget and any timing or deadlines that you’re needing to meet. What I want you to see is that it probably makes sense for you to continue to learn and do, and use the resources that you have right now to get as far along in the process as you possibly can until you’re done or until you realize that, “Hey, you need additional help and you need additional resources to reach the finish line.”
All right. Now let us switch gears here and talk about things in terms of GDPR. GDPR is no different. Again, we’re gonna be talking about this in terms of impact, approaches and documentation. When it comes to impact, it actually impacts a wide range of organizations. GDPR will impact organizations regardless of where they’re located, what industry they service or the size of the organization. It also doesn’t matter if it’s a for-profit organization or a not-for-profit organization. It also doesn’t matter if the organization is actually selling things or not. What matters is if the organization holds personal data belonging to someone that is from or is living in the EU, the European Union, GDPR will apply to that organization. Given the global reach, given the opportunities that we just have to service people and other organizations at a global scale, I think that GDPR impacts a very wide range of organizations and it’ll take time for organizations and leaders of the organizations to realize that and understand that and accept that.
When it comes to approaches, the same way that we have different options in filing our taxes, we have different approaches for how we tackle GDPR. We can go the “do it yourself” route and this is when either you or a member of your team is tasked with this initiative. You can also outsource this, so your organization can hire this out, whether it be to a consultant, whether it be to a firm. When it comes to the tools available, we have similar options. We can go the paper route, where we are documenting things on a piece of paper and we are managing things manually. But I’m gonna guess that this is a route that probably doesn’t apply to most organizations. I feel like this is probably going backwards. But I think the next step up would be managing a GDPR compliance program where you’re leveraging things like word processing tools, where it’s a step above using paper, but it’s an electronic format that will make it much easier for you to manage.
We also have software. There are online services and software. Think H&R Block and any of the competitors of H&R Block, where you’re basically plugging in information. You are being prompted for additional information based on your responses and then at the end of the day it spits out the completed forms and you have the option of submitting this directly to the IRS. In the same way we have software available that is looking to either help you with your entire GDPR compliance program or just a portion. Some examples of what I mean by just a portion: I’ve come across many solutions that focus around helping you fulfill any type of requests from people that are wanting to exercise their individual rights. I’ve also seen solutions where service providers have software to help you manage consent. We definitely have software available to help you with your GDPR responsibilities. I would expect to continue to see more and more software solutions out there in the next, I would say, one to five years.
Just tying a bow around the tools that are available, we also have the ability to outsource this to professional services. I would say that there are hundreds of organizations and individuals that provide this as a service, and this could be either virtual or in person, and we see ranges where people are providing this as a service and it’s a basic approach, or there is a higher end approach to helping organizations with this initiative.
All right. And the last thing to mention here that we’re gonna cover is documentation. So when we’re filing our taxes, it is super important that we hold on to that documentation. It’s no different when it comes to GDPR. This is very important. In the GDPR there is the accountability principle, so it’s this idea, this requirement that organizations need to be able to show that they are complying with GDPR. The only way that you can truly show that is by writing it down and having that documentation available to show that you went through the exercise of knowing what applies to you and you are managing … You are producing records that substantiate them. If you wanna go into the details here, I would point you to Article 30 in GDPR where it talks about records of processing activities. This is just another way of saying … Another way of saying this is it’s basically documentation on how an organization uses personal data.
The way that you address this accountability principle, the way that you are able to demonstrate that you know what you need to be doing and that you are doing what you say you are doing, is by writing it down. That’s the only way that you’re able to demonstrate compliance. So when you’re writing it down you’re needing to write down, “Okay, what do you need to do?” As an organization, given the data that you hold, given how that data is received, given the business use of the data, you need to be able to show that you have thought about and analyzed which of the GDPR responsibilities actually apply to you. If there’s one thing that you take away from this episode, let it be this. Some organizations will have to do everything that GDPR requires, but many organizations will only have to fulfill a subset of the requirements. And the only way that you know exactly which end of the spectrum you fall in is to create a GDPR data inventory.
Now, once you have an idea of what your organization needs to do, you need to implement that. You need to actually take action and implement that. After you are done implementing that, you need to be able to hold onto records, hold onto documentation that shows you are doing what you need to be doing. In the event of an audit, the outcome of that audit will truly depend on the documentation. Typically, this is how you should expect that to unfold. In my career, I’ve been on both ends of this type of work. I’ve been on the receiving end where I’m working with an auditor that is doing some type of security audit and I’ve also been on the end where I am the security auditor and I am working with other organizations to help determine where they’re at.
The process usually goes something like this. The auditor will ask for a copy of your policy and procedures. Taking a step back here, this doesn’t just apply to auditors, this also applies to any type of regulator that might be conducting an investigation. When they’re ready to get started, they will start by asking you for a copy of documentation. They’re gonna come in and ask, “All right, we need you to provide us with a copy of your policy and procedures.” They’ll probably ask for a copy of your privacy policy and then they will want to see what kind of policy and procedures are around your GDPR program. What kind of internal policies do you have documented and in place, what kind of training materials have you used and are being deployed, and what are the procedures that your employees are being asked to follow, so that as an organization you can fulfill those GDPR obligations.
After the auditor or the regulator has completed obtaining all that documentation, they will be asking for evidence. What does that mean? Say they’re wanting evidence that you actually have trained your employees. They’ll typically ask for some type of report that shows who has completed that training over the last year. They may ask for a copy of that training material and then they’ll probably ask for a roster that indicates who was trained and when. They’ll probably also ask for that GDPR data inventory. Again, this is that first step. This is that first step that documents, all right, what data does your company hold, how is that obtained and how is that used internally? This is the tool that will inform what your GDPR responsibilities are. I would expect any auditor, any regulator that is looking at your GDPR compliance program to ask for a copy of that or at a minimum to ask if you have that.
When it comes to the policy, they’ll probably ask for your policy around SARs. SARs are Subject Access Requests. They may also ask for documentation around consent. Now, consent, this is something that will not apply to all organizations, but if it applies to your organization, you will probably be asked questions around consent. When it comes to third parties, if your organization is sharing personal data with another party, whether it be that you are handing this off directly to them or maybe you’re using an environment that is managed by a third party, they will probably ask for a list of what your third parties are and for you to flag which ones of these are processing personal information. They’ll probably pick a sample and they’ll ask for the contracts of those vendors.
Taking a step back with SARs, if they’re looking at how you handle SARs, Subject Access Requests, they may ask for a list of all the requests that your organization has ever received. They will probably pick a sample and they’ll probably ask for documentation of the sample that they’ve selected. “What was the request? How did you process that internally? How did you respond to that request?” If they’re looking at your breach notification plan and preparation, they’ll probably ask for a copy of that plan and any inventory, or the inventory, where you’re keeping track of all the recorded or all of the suspected security incidents where you had to review that and analyze that to determine if you had to report this.
All right. To wrap it up guys, there are a lot of similarities when it comes to how we file our taxes here in the U.S. and the way that we should think about GDPR. In terms of impact, the same way that many individuals and businesses are impacted and need to file their taxes, I would say that the vast majority of organizations will have to do something when it comes to GDPR. When it comes to approaches, we have the option to do it ourselves or to pay someone else, or maybe do something in between. Our organizations have this option. I would say that professionals are very much capable of taking the DIY route. I would say that this makes sense if your situation is simple, or if you are willing to take this on, or if another member of your team is wanting to take on this project. If your situation is one where you’re looking for faster results or your situation is complex, then it probably makes sense for you to take this as far as you possibly can, but then look to outsource it so that you can get to the finish line. When it comes to documentation, documentation is super important. This is the only way that you’re able to prove things and this is the only way that you are able to demonstrate that requirement where organizations must show that they are complying with the GDPR.
All right, so that basically wraps it up for today’s episode. Before we close out I wanna point you to a couple of resources if you are looking for additional help around GDPR. We have a number of free resources, so you can continue to listen to this podcast. This podcast is dedicated to helping you succeed with GDPR compliance and it is a free resource that is available to anyone with an internet connection. The next free resource is a document, The 10 GDPR Components. If you are still struggling with understanding the breadth of GDPR, this is a great breakdown, research that I created for myself as I was learning more about GDPR. The last resource is that you can also sign up for the GDPR Implementation Blueprint. This is a free resource that is available to you if you are looking for that roadmap on how an organization can approach this from start to finish, what the steps are in between and the ideal order in which you should execute these steps.
Now, if these free resources are great but you’re wanting more, there are additional ways that I am able to support you. You can join our virtual community. Think of this as a virtual platform where you have direction and opportunities to ask me questions about your situation. I’ve been in your shoes where I’ve done projects like this on my own and it’s hard, and it’s especially hard if this is the first time that you’re undertaking something like this. I would encourage you to leverage my knowledge, leverage my previous mistakes and my understanding to help you get there faster. If you’re looking to outsource, I’m definitely available as a consultant. If you’re looking to hire this out so that someone else can help you, I am certainly available.
All right, so all of these resources are available online. You can check that out at our website gdprstandup.com. All right guys, that very much wraps it up for our session today. Thank you very much for listening and see you next time. Goodbye.
Thanks for listening to the GDPR Stand Up Podcast. If you need additional help, please check us out at gdprstandup.com. Until next time.
Photo Credit: “rawpixel” @ Unsplash