Establishing a robust data security policy is critical for businesses that process personal data, but compliance officers and attorneys know that establishing policy is only the first step. In reality, a data protection policy is only successful if the rules are properly written, implemented, and enforced.
Any company that is obliged to follow GDPR, the upcoming CCPA, or any other data privacy law likely has some form of a compliance program in place. These programs could range from the founders of a company putting together a list of do’s and don’ts to several hundred pages of rules that include notes on data retention policies, acceptable use guidelines, and password requirements.
The trouble is, simply having these rules documented doesn’t equate to true compliance with data privacy laws. A company that has detailed information security policies can be considered minimally prepared, but not necessarily ready for data privacy laws. Frankly, most companies we’ve met with aren’t ready. In one case, we spoke with a data protection officer (DPO) about GDPR and realized the DPO was unaware that personal data in unstructured formats (e.g., messages in Slack) must be indexed and searched when processing data requests.
In practice, accounting for personal data in unstructured information is one of many essential obligations for being GDPR ready because, without a holistic and comprehensive view of data processing, compliance can never be truly achieved. It’s clear to us that attorneys, engineers, and business owners all arrive at GDPR from different perspectives. Below are three suggestions for advisors looking to help clients with best practices for implementing comprehensive data protection policies:
- It always starts with the audit
- Compliance teams need automated tools
- Enforce the rules that are established
Audit existing policies and practices
One of the leading experts on privacy, Dr. Ann Cavoukian, first developed the principle of “privacy by design” to describe a process whereby privacy is integrated throughout the systems engineering process. Her theory is applied to principles throughout GDPR, which calls for data protection by design, data minimization, security by design, and other related principles throughout the regulation.
Chances are high that most companies are imperfect on some if not most of the data protection principles, like privacy by design, outlined in GDPR. To identify these gaps, best practice is to conduct a thorough evaluation of all data processing activities. Companies that want to comply with GDPR must first conduct a detailed assessment of existing policies and compare those policies to practices in order to identify potential gaps or vulnerabilities. This process, also known as a data protection audit, can be extensive and requires a lot of manual checks in each of the systems that process personal data throughout the company.
The data protection audit is one of the first steps to achieving full visibility into data processing. Yet truly knowing where personal data resides across the company’s databases is challenging, because data is always in motion. The typical company has personal information dispersed throughout internal databases and third-party systems like Slack or Gmail in both easy-to-search and hard-to-search formats. If “bad data” lives in any of these systems (e.g., information collected without explicit consent, data that should have been erased but is not, etc.), then the company is violating GDPR. Not even the most well-intentioned data protection policy will pass the supervisory authority.
Just like paralegals, your compliance team needs automated tools
Compliance officers have a big job, and one of those responsibilities is processing data requests for access, erasure, or transfer. Once a data request comes in, the company has 30 days to complete the request. We have heard from DPOs that it takes anywhere from 20 minutes to four hours to fulfill a data request, depending upon the nature of the request and complexity of the systems being searched. But when companies are receiving dozens to hundreds of data requests per week, time that could be spent on growing the business is instead allocated to administrative compliance tasks.
Manually processing personal data is both time-consuming and risky. GDPR requires that businesses have complete awareness about data processing activities and be prepared to report on these activities at all times. This is complicated because personal data stores are constantly changing as new data is loaded into different cloud-based systems. Conducting manual checks on different systems or quarterly data protection audits is insufficient for providing true visibility into data processing activities across the company or for fulfilling compliance-related tasks at scale.
Compliance teams that operate without tools might miss personal data when performing an audit or fulfilling a data subject erasure request because they don’t have a solution that offers a comprehensive view of all data at the company level. Not fulfilling a data request completely is a GDPR violation, and could carry a penalty.
In order to work effectively, compliance teams will need to rely upon more than just spreadsheets and the goodwill of the company’s engineers, who are often left to conduct individual searches of every database to fulfill GDPR-related requests. Companies that rely too heavily on human resources or analog processes will stumble, which could negatively impact growth and profits in the long run.
Analog solutions will not suffice so long as personal data stores remain fluid. We recommend compliance teams use tools that automate some of the daily grind of GDPR-related tasks. Automation can help businesses stay on top of their compliance obligations without allocating excessive time and resources to the project.
Enforce the rules
Well-meaning businesses commit unintentional violations every day, but regrettably, the GDPR supervisory authority does not recognize good intentions when doling out fines.
There is a lot of confusion about GDPR, and most businesses are struggling to properly apply the regulation to their operations. This is where attorneys can add immense value to businesses that want to comply with GDPR but aren’t really sure how to do it. While conducting a data protection audit and writing an airtight rulebook are good first steps to compliance, reinforcing these policies is also important. Attorneys should encourage their clients to find creative ways to enforce these new, company-wide data protection policies, such as regular checks and unscheduled mini-audits. It is also best practice to get team leaders involved in the policymaking process, which will no doubt encourage uptake of the particular data processing policies that align with workflows.