Conducting a GDPR Review
With the General Data Protection Regulation (“GDPR”) coming into effect on May 25, 2018, every organization doing business in the EU needs to be aware of its potential impact. From budgeting to the task of conducting contract reviews, here are some of the challenges an organization may face while conducting their internal GDPR reviews, and how Kira can help streamline the process.
Appointing a Data Protection Officer
The Data Protection Officer (“DPO”) is a new role that the GDPR makes mandatory for public authorities and for any organization whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data (for example health or genetic data), whether the data relates to customers, employees, or both. DPOs are responsible for educating the company and its employees on compliance requirements, training staff involved in data processing, and monitoring compliance, including conducting regular audits.
As of May 2017, half of organizations surveyed for GDPR preparedness reported they did not currently have a DPO appointed and would need to hire one. Hiring and appointing a DPO can pose difficulties, since in addition to putting a DPO in place, organizations will need to reference the DPO, where required, across all relevant internal documentation. Amending every appropriate internal document to reflect the new position will be required, and can form part of a lengthy, but essential, document and contract review process.
Updating Your Contracts
Updating the defined terms in contracts is no easy task, but it will be an essential part of any effective GDPR contract review. Organizations need to remember to update contracts to reflect the definition revisions introduced by the GDPR, which changes or adds several definitions. For example, “consent” is a core tenet of the GDPR, and its definition has been tightened: consent must now be freely given, specific, informed and unambiguous, and given by a clear affirmative act. Another example is the addition of “genetic data” and “biometric data” to the special categories of personal data (what many existing contracts call “sensitive personal data”).
Updating contracts doesn’t end with the definition provisions. Organizations will need to review and update all necessary third-party contracts and ensure they meet the new regulatory requirements, in particular the processor obligations that Article 28 requires to be written into the contract. It is important for organizations to only work with third-party providers who are GDPR compliant themselves, and this must be reflected in all contracts. For businesses that rely heavily on third-party contracts, this task alone could prove a massive undertaking.
Refining Policies & Processes
Organizations will need to review their own data subject access request policies, so that they can provide any requested information (i.e. all personal data held about an individual) within the new timescale of one month from receipt of the request, extendable by a further two months only for complex or numerous requests. Creating a seamless process and ensuring access requests are handled consistently will be essential for efficiency and compliance in any organization with many departments and geographic locations.
52% of IT decision makers surveyed ranked Article 30, records of processing activities, as their biggest concern. Under Article 30, organizations will need to maintain a written record of their processing activities, including the purposes of processing, the categories of data subjects and personal data, the recipients, any international transfers, retention periods and the security measures applied. To complete those records, organizations will first need to establish and document the lawful basis for each processing activity. Once established, processing documentation will need to be fully updated, in addition to all privacy notices.
Budgets often pose difficulty for organizations, particularly when conducting company-wide internal reviews. Manually reviewing all of the organization’s contracts and documents can result in inflated, but necessary, labor costs. Using appropriate technology and software can drastically cut down on the hours spent on the review process and help keep the review within budget.
Although compliance with GDPR may be a challenge for organizations, many also see it as an opportunity to gain an edge over industry competitors if done right. But within that statement could be the greatest challenge of all: if done right. Organizations risk substantial fines, and thorough, tedious contract review is a large part of avoiding them. However, with the May 25 deadline approaching, it is getting more and more difficult to deliver on time and on budget.
Kira can quickly review large volumes of legacy and third-party vendor contracts and highlight only the provisions that may be affected by the change, including many of the new processor contract requirements listed in Article 28 of the GDPR. Kira automatically provides a bird’s-eye view of the impact of the changes, and the software’s workflow tools allow for quick and accurate reviews.
Customers can use the Data Protection/Privacy provision model to find any data protection, information security or privacy language across their projects. They can then use narrower built-in provision models to locate specific data protection-related concepts, including:
- “Data” Definition
- Assistance with Data Subject Requests
- Notification Upon Breach
- Third Party/Personnel Confidentiality Requirements
- Technical and Organizational Measures
- Transfer of Data
- Proof of Compliance
- Return or Destruction of Confidential Information/Data