Today, this elephant looks hypothetically a year ahead to the Spring of 2018.
Pretend it's now just weeks until 25May2018, the kickoff day for full GDPR enforcement. Assume that your enterprise actively captures personal data from EU data subjects, and as such is fully GDPR-exposed. Depending on your enterprise's appetite for risk of regulatory sanctions, it's now time to be GDPR-compliant. It's SHOWTIME!
As that big date looms, one might wonder "Who will be the judge of whether or not my enterprise is compliant?" And how and why would my enterprise be singled out from thousands of others "in the same boat" with respect to full compliance? Who would take the time to pore through the data studies, impact assessments, gap analyses, etc. that my team has conducted over the past many months? Who would question our accountability? Who would complain?
An answer to those questions is chillingly simple. To sample your dedication to compliance, all anyone will need to do is visit any of your public-facing websites or mobile apps where you touch personal data and look at how you manage consent dialogues with your data subjects. In all cases, do you:
1. Gather affirmative, explicit consent (Articles 5, 6, 7, 13 & 14)?
2. Provide explicit and transparent pre-consent notice (Articles 12, 13, 14 & 22)?
3. Present and manage data subjects' individual rights (Articles 12-22)?
It will take just a LOOK to assess and document your enthusiasm for compliance. Truly, SHOWTIME ... out there for all to see.
Returning now to the present: The drafters of the GDPR have seen the protection of EU citizens' personal data as a fundamental right (Recital 1, sentence 1). The spirit of the regulation embraces protecting consumers by building a fair, safe, and trusted notice/consent dialogue around the passing and processing of personal data. Exhibiting that positive spirit at SHOWTIME will speak volumes to those who could/would judge your dedication to GDPR compliance.
Privacy-by-designing and building a compliant notice/consent dialogue is not a trivial exercise, yet the GDPR itself suggests a variety of solutions.
Dale Smith, CIPT