One month sprint to GDPR compliance: 5 things to do now if your business isn't prepared

Some organisations have spent the best part of the past 16 months preparing, others haven’t taken advantage of the grace period / Pexels

The General Data Protection Regulation (GDPR) affects every company or organisation, anywhere in the world, that touches an EU citizen’s data, yet with one calendar month to go until the 25 May compliance deadline fast approaching, many have found themselves largely unprepared for the new regulatory framework.

But, there's still time to act.

While a number of organisations have spent the better part of the past 16 months preparing for compliance, others haven’t taken full advantage of the grace period and are now facing urgent questions about how to bring themselves up to scratch.

GDPR is unlike anything the industry has experienced before, which has contributed to an increase in market uncertainty.

The UK Information Commissioner’s Office (ICO) for example has said that it plans to hire 200 additional staff, many of whom will presumably be tasked with enforcing the regulation.

Ireland’s Data Protection Commissioner, meanwhile, shared that not only will there be no grace period for enforcement but that the commission has more than doubled its enforcement team ahead of the May 25 deadline.

With little over 30 days to go before potential enforcement month, there is still time for firms – brands, publishers, agencies and adtech outfits included – to take several critical steps forward to satisfy some of the core obligations of GDPR.

Here are five steps businesses can take to shift compliance efforts into high gear over the next 30 days:

1. Map your data

A key first step is to understand what EU personal data your organisation receives and processes. Article 30 of GDPR describes the categories of information that must be included in this “record of processing activities,” including what data is collected, where it is stored, for how long it is kept, and how it is processed.

2. Determine whether you're a data processor or a controller

GDPR distinguishes between data controllers and data processors and the compliance requirements are different depending on the role. Controllers are companies that determine the purposes of the data processing and the means by which it is done, while a processor is a party that processes data on behalf of the controller.

Applying these seemingly simple-sounding definitions to any given category of data can be complicated, and you should discuss this with privacy experts.

3. Update policies and practices in order to live 'privacy by design'

Starting with the privacy policy, companies should take a hard look at all their policies and practices that relate to data-- covering items like data security, data retention (ie how long data actually needs to be kept for), employee training on data protection, and how to comply with requests for information from data subjects.

In many cases, new policies or procedures may be required. By living with a 'privacy by design' attitude, companies will minimise the data collected in the first place, design services with data security in mind, and ensure that purposes for data collection and use are clearly disclosed to users and documented internally.

4. Take a close look at your partners

One unique element of GDPR is that under the regulation, data controllers and data processors are legally and financially liable for the actions of their partners. More than ever before, companies should choose their partners carefully.

Businesses will need to monitor regulatory progress and make adjustments as needed, and the shared liability means that they also need to feel confident that their partners are doing the same.

5. Identify the lead supervisory authority

A key component of GDPR is the designation of a lead supervisory authority for each company or organisation. By establishing a lead supervisory authority, organisations avoid the risk of multi-state jurisdictional adjudication and instead have any complaints arising within the EU addressed by one central supervisory authority.

For controllers, the supervisory authority is the central location where the decisions around data collection are made. Many large internet companies, for example, have their headquarters in Ireland, which would make Ireland the lead supervisory authority. Before 25 May, every company should identify its applicable supervisory authority and register with it.

GDPR imposes a set of requirements on affected companies well beyond what is described above. By taking these proactive steps, however, publishers, advertisers and tech companies can begin to set a clear, good faith path towards complying with the most sweeping regulation in the history of digital advertising.

Doug McPherson leads the Legal and Facilities teams at OpenX as general counsel and data protection officer. He tweets at @douglasmcp

Get The Drum Newsletter

Build your marketing knowledge by choosing from daily news bulletins or a weekly special.