Peer to Peer Magazine

Spring 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/810339


FEATURES: Preparing for the General Data Protection Regulation

» With which service providers does your firm share personal data?
» Are there similar compliance regulations (such as HIPAA) already in place?

The answers to these questions will provide a foundation for your GDPR readiness activities.

Define your scope. As with most compliance initiatives, defining and managing scope is critical. Determine which offices or attorneys have access to personal data about EU citizens. Scoping activities could reveal opportunities to segment or isolate the locations, systems or networks most likely to present compliance risks to the firm, and may reduce overall GDPR compliance costs.

Identify and map data flows. Focus on understanding how data move from country to country, system to system and person to person. Data flow mapping is the single most important tool technologists can use to know with certainty where, how, what and with whom personal data are shared, collected, processed and stored. Mapping is not a one-time exercise; rapid changes in communications technology mean the firm should have near-real-time situational awareness of data flows as the basis for efficient data privacy and security management processes. The market is responding to this need with new tools that provide on-demand data flow information to technology leaders and other stakeholders.

Conduct a readiness assessment and prioritize remediation of gaps. Once flows of personal data are identified, it is time to conduct a GDPR readiness assessment. This is most commonly done by listing the relevant compliance requirements and reviewing the business processes that touch those areas. Technologists can use the GDPR itself as the reference, or a similar data protection framework such as the EU-U.S. Privacy Shield program administered by the U.S. Department of Commerce.

Many firms choose outside expertise for data protection compliance reviews, which has the benefit of minimizing the internal resources required. Most knowledgeable data privacy and security consultants will offer an objective, methodical approach to identifying people, process and technology gaps. Use the assessment results to prioritize recommendations for addressing gaps and to estimate the associated remediation costs. Share the plan with firm leaders and other stakeholders.

Legal technologists should determine whether the GDPR applies to their firm and begin preparing for the 2018 compliance deadline. These four steps provide solid ground upon which technology leaders can build data privacy and security process maturity that goes beyond simple black-and-white regulatory language. P2P

The GDPR seeks to strengthen the legal protections supporting the rights of EU citizens.
