What is GDPR?
GDPR stands for General Data Protection Regulation. It replaces local EU Data Protection Directive implementations (e.g., in the UK the “Data Protection Act”). This will take effect on May 25, 2018.
Who is Subject to GDPR?
Organizations that collect and process personal data of EU data subjects – regardless of size. It does not apply only to organizations with an office in the EU. It is borderless and it applies to data processors as well as data controllers.
What are the Penalties?
The penalties are up to 20M € or 4 percent of an organization’s annual global turnover, whichever is higher (board attention is now guaranteed). Data subjects can claim compensation for damages suffered as a result of a breach of GDPR by an organization.
Main Focus Areas for CareerBuilder for May 25, 2018
- Breach Notification: Report privacy breaches to the EU regulator within 72 hours and potentially to the data subject (subject to certain exceptions). On target to have a compliance process in place by May 25, 2018.
- Vendor Risk: Evaluate vendor contracts and controls for adequacy to protect data subjects. A formal Vendor Risk program is under development. Key vendors have been identified and Data Processing Addenda are being issued to the vendors.
- Consent: Where relying on consent as the legal basis for processing data, requirement to obtain unambiguous consent (i.e. explicit). In the few instances where we are relying on consent as our legal basis for processing, we have made the consent explicit and unambiguous.
- Privacy By Design & By Default: Updating existing SDLC and system procedures and policies to incorporate privacy and security into normal processes. On target to be in place by May 25, 2018. SDLC processes are being updated to include privacy and security in all system and application development processes.
- Data Protection Officer (DPO): Because CareerBuilder does not conduct regular and systematic monitoring of data subjects on a large scale or process Special Categories of data, we have determined a DPO is not required at this time. As our business continues to evolve, we will continue to evaluate the need for a DPO; should we determine one is required, we will make the appointment at that time.
- Data Security: Requirements to secure systems and data with best practice security programs. On target to be in place by May 25, 2018. Evaluation of GDPR relevant security controls currently underway.
- Data Subject’s Rights: Developing the ability to accept requests exercising the rights to access to, rectification of, deletion of and portability of personal information, as well as requests to restrict or object to the processing of personal data and to object to any decision based solely on automated processing of personal data. A portal to accept requests will be in place by May 25, 2018. A short-term process to (manually) respond to requests is being developed. A parallel effort to develop long-term automated processes is under way.
- Legal Basis for Processing: The legal basis for all processing activities is being documented. The basis for our main processing activities has been determined, and the remaining processing activities are being evaluated to determine the appropriate lawful basis. All determinations and documentation are on target to be complete by May 25, 2018.
- Records of Processing Activity: All details of processing activities are being documented. Target date to be completed is May 25, 2018.
Protiviti is providing GDPR subject matter expertise services. They have conducted data discovery, mapping and data inventories as well as the Records of Processing Activities. In addition, they are performing a GDPR Readiness Assessment to determine CareerBuilder’s gaps to reaching compliance. Finally, Protiviti is providing valuable guidance and advice as CareerBuilder continues efforts toward GDPR compliance.
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Their consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.
Chief Information & Security Officer