Sarah Manimalethu
Santa Clara Law
LLM Candidate 2018

This is the first of two posts recapping the Bridging the Privacy Gap: GDPR Conference organized by the Santa Clara Journal of International Law. This short overview will be followed by a more in-depth post next week.


Preparing to bring your company’s current data privacy framework into compliance with the GDPR in time for the upcoming May deadline probably seems like an insurmountable task—but not so, say the data privacy experts speaking at the recent Santa Clara Journal of International Law Symposium on the topic.

The panelists outlined a multifaceted approach for integrating compliance strategies into an existing corporate structure.

First up was data mapping, an admittedly lengthy process that’s designed to determine where, how, when, and which consumer data is being stored within corporate servers as a result of normal business operations.

The next step is using your newly created data inventory to assess any data risk issues in existing products and services. The goal here is to assess risks and begin to mitigate them in order, starting from the most serious issues.

In order to ensure complete and accurate reporting of data practices from various departments throughout the corporation, the panelists suggested identifying relevant stakeholders in the company. Relevant stakeholders are individual corporate employees from positions across the company, who, for various reasons, have a less attenuated interest in GDPR compliance than many of their colleagues. Stakeholders could be compliance officers, human resources officers, or employees from IT, customer relations, or even management.

After identifying stakeholders, panelists emphasized the importance of keeping stakeholders involved and engaged throughout the entire development of compliance strategies. As employees of the corporation, stakeholders will be in the unique position to understand what works within their own corporate culture, and can assist privacy experts in crafting individualized solutions for compliance integration.

Moving forward, panelists advised data privacy experts and corporations covered by the GDPR to (1) train employees and create a culture of awareness regarding data collection and privacy; (2) empower relevant stakeholders by providing them with resources as needed; (3) document the rationale for selected compliance measures; and (4) begin assembling a form response that efficiently conveys their compliance measures to any inquiring clients.