The most sweeping data privacy regulation in a generation is finally here, with a compliance date of May 25, 2018. Although it's been two years since the General Data Protection Regulation (GDPR) was adopted by the European Union Parliament on April 16, 2016, it would be a stretch to say that businesses worldwide are adequately prepared. In fact, the global implications of the regulation appear to be catching some U.S. companies off guard; it seems the EU's industry-neutral data privacy regulation was not on the regulatory radar for many businesses used to following the rule-making of U.S. agencies.

Some public reports of preparedness paint a rosy picture. For instance, in a July 2017 global survey of Fortune 500 and FTSE 350 general counsel and chief security officers, 94 percent of respondents from the U.K. and 98 percent from the U.S. reported their company was on a strong pace to meet the regulatory requirements by this month. However, the first quarter of 2018 saw an exponential increase in webinars and seminars about GDPR, which suggests that some organizations are still scrambling to evaluate the potential implications of the new rules.

To wit, in an April 2018 survey of more than 1,000 companies in the United States and Europe, 40 percent of respondents said their organization will not be in compliance with GDPR as of May 25, 2018, and an additional 8 percent were unsure. Moreover, the survey found that 10 percent of respondents are unsure whether their firm is even subject to GDPR. That's an alarming finding at this stage in the game, since executives who aren't aware they're subject to the rule cannot even start plotting a course on the roadmap to compliance.

Certain sectors are faring better than others. IT firms, in particular, stand to profit from increased use of software and assessments to map GDPR compliance, which means they have invested significant resources into fully understanding the impending rules. Thus, many businesses in the tech sector are well-prepared to comply with GDPR. That contrasts with sectors in which companies are struggling to understand whether the regulation even applies to them, let alone what compliance requires.

GDPR compliance is a significant undertaking for any firm, in any sector. The GDPR requirements are multifaceted, spanning several departments, roles, and responsibilities. And, of course, the steep regulatory penalty for noncompliance—up to 20 million euros or 4 percent of global revenue—heightens pressure on executives to implement GDPR controls effectively. Key challenges for firms include building out the right project teams, managing vendors at different states of readiness, conducting data-mapping exercises, applying the principles of GDPR down to the level of the day-to-day, and seeing the big picture of compliance beyond May 25, 2018.

Here are five considerations corporate treasury teams need to keep in mind as they make final preparations for the new EU rule:

1. Change Management

The first step in implementing a GDPR readiness program—and, indeed, the capability to support ongoing compliance—is identifying the “who.” Successful compliance with GDPR depends on having a project team of internal stakeholders and external resources who can execute on the company's GDPR approach. Any organization that has not yet assigned responsibility to a specific team is far behind the curve at this point. But even companies that are moving forward with GDPR compliance efforts may want to re-evaluate the makeup of their project team if they have concerns about the project's progress.

Effective change management is always a challenge, especially for firms that lack a dedicated change management or project management function. These companies usually assign responsibility for initiatives to a senior employee with a proven track record in whichever business area is most impacted. This approach may cause problems for GDPR compliance projects. Depending on the company's business model and the extent of its European touch points, GDPR compliance may require extensive collaboration and cooperation among numerous constituencies across regions, offices, and departments.

Many businesses are looking to outside service providers to augment internal capabilities, either by running the GDPR project on the firm's behalf or by conducting the initial data mapping or risk assessment exercises. In the context of a GDPR program for a U.S. corporation, a trusted adviser needs expertise in issues relevant to treasury services, processes, and technology, as well as U.S. data protection law and, of course, the GDPR. Unfortunately, consultants specializing in GDPR risk assessments are likely to be booked well beyond the May 25, 2018, deadline.

In-house expertise may also prove to be difficult to come by, as job postings for data protection officers (DPOs) have increased 11 percent every month for the year ending March 2018. The GDPR regulation is simultaneously so vague and so expansive that assembling teams with the right expertise in both the regulation and the company's industry is proving difficult. This is particularly true for U.S. companies, which are accustomed to a more industry-specific approach to rule making. Firms would be well-served to consider holding data privacy training for staff and/or reimbursing employees for continuing education in this space.

2. Data Mapping

Compliance with the GDPR requires a company to document all data that it is collecting, processing, and maintaining. It also must develop a clear understanding of where it stores the personal data of EU residents, how it collects that information, what systems and applications are involved, who has access to the data, and with whom it is shared.

Conducting a current-state analysis that accurately identifies these components involves identifying the categories of data each business unit needs to perform its role, whether the data currently collected from clients is necessary for that purpose, and whether the data includes any special categories of personal data enumerated under the GDPR. A current-state analysis should also document the physical locations where such data is stored on-site and in data centers, and with which parties the data is shared.

Documenting a full inventory of data intake and data flows is a laborious exercise and one that involves chasing a moving target as data continues to accumulate even in the midst of the exercise. A comprehensive current-state analysis takes time, which is in short supply as the GDPR compliance date looms large. It also requires a particular knowledge of systems architecture and business processes across an enterprise, and very tight coordination efforts across regions and offices.

Despite the time crunch, companies will find mapping of their current data processes to be well worth the effort. Many firms have simply been unable thus far to deploy the resources necessary to fix the plane while they were flying it, so to speak. They will find the insights that data-mapping exercises provide can help them identify the higher-risk areas of their business, those that need to be targeted for immediate remediation. At the same time, data mapping can provide valuable intelligence on processes, systems, and data flows that may be in desperate need of upgrade. A current-state analysis may uncover significant business improvement opportunities that the firm can tackle after completing the tasks that check the box on GDPR compliance.

3. Drilling Down to a Practical Plan

Identifying all the tasks required to bring a company into compliance is no simple feat. While the data-mapping exercise facilitates identification of the systems and business processes that touch affected personal data, a parallel effort must be under way to bring the text of GDPR down to the practical, everyday level.

Businesses small and large that are exploring the regulation face a myriad of questions. Some of them are seemingly simple, such as: Do we need to update our privacy policy? Should we have a separate EU privacy policy, in addition to our U.S. privacy policy? What other documentation needs to be updated?

Other questions are more complex, such as: Do we need to disclose that our organization is using cookies to track website users? What language should we use? Is there an exemption if we have just one item of personal data for a single EU data subject? And (for many companies) is our business in Europe valuable enough to risk noncompliance with GDPR, or should we consider focusing our efforts away from Europe to other regions of the world?

Translating the vague language of GDPR's recitals and articles into tangible tasks and conclusions requires legal expertise and a fair amount of guesswork. When faced with the business reality of significant new operational costs, some companies that have only a handful of EU clients are simply choosing to terminate their EU clients rather than dedicate the resources to compliance—an unintentional yet understandable side effect of the regulation.

4. Managing Vendors at Different States of Readiness

Vendor management is another key component of a GDPR program. Vendors must be considered in the data mapping, business process development, and evaluation of GDPR readiness from a contractual perspective. Companies need to understand what personal data their vendors are collecting and storing for (or from) them. They need to know what safeguards the vendor is using to protect the data and whether the information is being forwarded on to a fourth or fifth party.

Many businesses have faced challenges with service providers' readiness for GDPR. They may be relying on their service providers, particularly those with a strong foothold in Europe, to get insight into how contracting will work, the content of disclosures, and the type of due diligence that will be expected under GDPR. Specifically, service providers that transfer personal data will need to confirm that the receiving jurisdiction affords adequate legal protection for the data. There are several ways to accomplish this; the most common involves reliance on an intergovernmental framework such as the EU-US Privacy Shield, or the use of EU-preapproved standard clauses in contracts between the parties that cover specific provisions around the nature of data processing and the security in place. On the other side of the relationship, service providers are likely feeling the heat from any customers whose legal departments or procurement departments cannot provide a clear synthesis of their GDPR readiness.

5. Mind-set Shift Toward Proactive Documentation

The concept of accountability in GDPR's Article 5 can require a mind-set shift for some. Data controllers must be able to “demonstrate compliance” with the principles of GDPR—namely, lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. This concept is highly ingrained in some industries, such as financial services, where the U.S. Securities and Exchange Commission requires firms to store and save documentation evidencing compliance against certain parameters. For other industries, this notion is more foreign.

We highly encourage companies to train their employees on what documentation is required in every area of the business that may need at some point to demonstrate compliance with GDPR. We also recommend ensuring that GDPR project efforts are well-documented. Teams change, time passes, and documentation must be able to knit together the actions that were taken and the policies that were in place in the event such information is ever requested by a regulator.

Looking Forward

The GDPR compliance date has arrived, whether firms are ready or not. Risk managers who have not begun assessing their GDPR exposure are far behind and will almost certainly be out of compliance on the rule's deadline date, though they likely will have plenty of company.

Whether or not your company is ready for GDPR, it's important to keep in mind that May 25 is not a finish line. Risk managers will not wake up that day to a brave new world. Rather, that date is an incremental step toward a future in which all businesses are data businesses.

To position your organization to thrive in this new world:

  • Ensure you obtain and maintain executive buy-in to a data privacy function, and invest in the requisite expertise (whether internal or external).
  • Continue to critically evaluate your program, your people, and your providers in the same way you would monitor a revenue-generating area of the business.
  • Consider revisiting your data-mapping exercise with an eye toward business improvement. Instead of a mad dash to comply, position this exercise as an opportunity to lower costs, reduce risk, and improve customer and employee experiences. Shifting the narrative is a luxury in the weeks leading up to a regulation go-live date with headline-grabbing fines. But it's a necessity for the months (and years) ahead.


E.J. Yerzak is director of cyber IT services of the technology team at Ascendant (part of Compliance Solutions Strategies), which provides cybersecurity consulting services to Ascendant's clients. In this capacity, Yerzak assists firms in assessing and managing their cybersecurity risk, from network vulnerability scanning and penetration testing to onsite cybersecurity assessments and assistance in implementing the NIST cybersecurity framework.

Kelley Merwin is director of content development for the Ascendant Compliance Manager (part of Compliance Solutions Strategies), a technology platform designed to enable compliance and risk officers to manage compliance programs more efficiently and effectively.
