Cybersecurity was a hot topic at South by Southwest (SXSW) 2018, as reported in our coverage of RSA CMO Holly Rollo’s keynote and our interview with Zulfikar Ramzan, PhD, CTO of RSA, on why CMOs and CISOs need to partner strategically now.
I also met Brian J. McGinnis, Partner, CIPP/US, Barnes & Thornburg LLP, at the event. McGinnis is a founding member of the firm’s Data Security and Privacy Law practice group and sits on the Indiana Executive Council on Cybersecurity. He advises Fortune 1000 clients on GDPR. He was vocal about the imminent May 25, 2018 start of the General Data Protection Regulation (GDPR) in the European Union, and its potentially significant risk and revenue implications for companies both inside and outside the EU.
With the GDPR’s May 25 enforcement date 30 days away, we wanted to learn from McGinnis what C-suite leaders and board members can do now to prepare if they have not yet taken appropriate measures to ensure they are in compliance. These are the highlights of that interview.
SecurityRoundtable: What is GDPR?
McGinnis: It is the single biggest change and regulation in the privacy and data protection of individual personal information in the past 20 years coming out of the EU, and I consider it to be the gold standard of data protection. It has substantial global, legal, and financial ramifications for any business, even if you don’t do business in the EU. I have found it to be a largely misunderstood regulation by executives at many of the companies I’ve talked with.
SecurityRoundtable: If you haven’t taken enterprise measures to be in compliance with GDPR, what are your legal and financial risks?
McGinnis: Whatever size business you are, and wherever you do business, you are at risk of losing business and new opportunities—not to mention substantial financial penalties of up to 4% of your global annual revenue—if you do not meet the GDPR compliance standards.
SecurityRoundtable: What does the C-suite, including CMOs, need to do now, with the May 25th, 2018, start date looming to make sure they are in compliance?
McGinnis: By now, if your enterprise has not dug in on developing a GDPR strategy and implementing an enterprise-wide plan—including with all of your external partners—you are already behind. So, it is very important to get educated and get started. The timeline is imminent, but the compliance window will go past May 25th. This regulation is not going away, so you need to do this. The first step, which most organizations are pretty bad at, is to understand what employee and customer personal data you have in the organization, where it came from, where it is stored, what consents are attached to it, and what permissions are there to use it. This is called a “data tracking” or “data audit” process. Once you do this, you then need to put policies and procedures in place for your organization to make the necessary disclosures to the individuals about how you are going to handle and use their data going forward. This results in an organization having to change its privacy notices at all collection points and data flows.
SecurityRoundtable: What do I do about all of the personal data I’ve been collecting prior to May 25, 2018?
McGinnis: Under GDPR, there is no grandfather clause—period. All of your company’s data sets must be looked at in terms of how they were collected, what permissions or implied permissions were granted to use them, etc. It doesn’t mean that companies necessarily have to throw out all of the data they have. But you do need to take an extremely close look at your data to determine if you may need to, for example, get a new consent from individuals, or whether you can process this data in a GDPR-compliant way by doing something else. Until you understand what data you have, you are not in a position to make these determinations.
SecurityRoundtable: If you haven’t done anything about GDPR, based on your experience, how much time does it take an enterprise to do this work to be in compliance?
McGinnis: Just to get your head around what I’ve just mentioned will take about two months or more. Then, getting the policies, processes, and organizational understanding and behavior in place can take additional months or years. But, since the GDPR is something new, there is still uncertainty as to what you need to do and how it will be enforced, so it is not too late to get started.
SecurityRoundtable: So, even at this late date, what is your GDPR checklist for the C-suite, CISOs, and CMOs?
McGinnis: Most companies today don’t have someone, like a Chief Privacy Officer, in charge of this work. So, here are several starting points. First, after the data mapping I mentioned, make determinations about whether you can use that data and on what basis you’re going to process it. This will typically be based on the data-privacy notice you used to collect it and get consent. You also need to understand all of your Data Controller-Processor Agreements with the third parties your enterprise works with. Your third-party partners, such as a payment processor, or Salesforce, or a marketing-tech platform, also need to be in GDPR compliance. You also need to check your internal data collection and use policies and processes to determine if they need to be revised or created anew. Here are a few more starting steps, but this list is by no means exhaustive:
- Decide who is on your GDPR team. Usually this is led by your CISO or Chief Privacy Officer, or someone from your General Counsel’s office. If you don’t have someone on your team who is knowledgeable about GDPR, find a resource. You also need to include a senior person from each function, including IT, Marketing, Sales, and HR.
- Gather all of the personal data protection policies and procedures you currently have.
- Gather all third-party vendor and data processor agreements, where personal data is being gathered and shared.
- Draft new GDPR specific policies.
- Review your incident response policy, HR personal data and policies, technology and ISO policies and revise them to get them to a GDPR standard.
SecurityRoundtable: Bottom-line, is it too late for the C-suite to take action on GDPR?
McGinnis: It is absolutely not too late. But if you haven’t started, you need to immediately. May 25th is going to come and go, but compliance will be required far after that start date. If May 25th comes and you have not done anything, you are putting your organization at serious risk.
McGinnis shared several documents* to get you going on GDPR:
Legal Insight – GDPR and European Data Privacy – What You Need To Know Now*
Generic example Data Processing Agreement template.*
*Barnes & Thornburg LLP: The materials provided with this article are for general informational purposes only and not for the purpose of providing legal advice. These materials may not be appropriate for your particular legal circumstances. Use of and access to any materials provided here do not create an attorney-client relationship. The opinions expressed at or through these documents and the Barnes & Thornburg LLP site are the opinions of the individual author and may not reflect the opinions of the firm.