GDPR Compliance Action Plan
2018 GDPR Compliance Action Plan
(1). Create a Culture of Awareness and Accountability
The GDPR is a game-changing piece of legislation in many ways, primarily in that it puts forth a rigid set of requirements regarding data security for companies not just in the EU, but also all around the globe. For these reasons, controllers and processors need a GDPR compliance action plan, and now. The GDPR scope is potentially massive in terms of businesses affected by it, yet just as important to note is that it’s not a one-dimensional piece of legislation.
It’s not just about security, and it’s not just about legal and data privacy rights, or even Human Resources best practices; it’s about combining all elements of an organization’s internal controls (i.e., policies, procedures, and processes) for meeting the GDPR regulations. You can find a plethora of white papers written by law firms on the legal aspects of GDPR, and even more written by I.T. firms discussing InfoSec ramifications; combine them all together and you now have a massive to-do list that can be incredibly taxing to perform.
Time to sound the trumpets of compliance within your business and get everyone on board for purposes of assessing, discussing, and educating employees on their roles and responsibilities for GDPR compliance.
It’s time for a GDPR compliance action plan for controllers and processors.
I.T. will need to ensure an adequate system of information security controls exists. Legal will need to thoroughly review all data privacy policies, rights, provisions, and other critical documentation relating to personal data. Operations will need to examine the types of data kept, for how long, and what disposal initiatives are in place. Simply put, compliance with the GDPR can be a massive undertaking.
Your mission is to find that internal GDPR champion within your organization, and have that person or persons start assigning roles and responsibilities to all parties, both employees and third-party professional services firms brought in to assist with compliance. The more you educate your employees and get them involved, the quicker, easier, and more cost-effective GDPR compliance will be.
(2). Practice Good Corporate Governance
In simple terms, corporate governance is the set of initiatives and related processes and procedures by which corporations are controlled and run. An effective governance structure allows a business to run efficiently, with ethical practices that yield long-term success for both employees and shareholders. Corporate governance gained widespread adoption following the early 2000s financial debacles in the United States, involving both businesses and the accounting firms that audited them. The advent of the Sarbanes-Oxley Act of 2002 lit a fire for corporate governance, and it burns stronger and brighter than ever before, especially now with the GDPR.
How can organizations ensure the safety and security of a data subject’s personal data if the right tone isn’t established at the top by senior management? They can’t, making corporate governance principles a must for any organization serious about GDPR compliance. None of today’s compliance regulations, frameworks, and InfoSec best practices are singular or stand-alone; rather, they all blend and connect together to form the larger fabric of good corporate governance, so keep this in mind.
It’s also About Interpretation
One of the most challenging aspects of the GDPR is what many people refer to as the general vagueness of the regulation itself. Specifically, many of the articles merely provide a broad overview of the requirements, often falling short in offering concrete details regarding implementation. And that’s probably done on purpose, as the regulation had to be painstakingly drafted to fit a wide range of industries. Nevertheless, this has resulted in countless white papers, webinars, and conferences from legal, H.R., InfoSec, and operational experts and consultants all weighing in and giving their opinion. And to no surprise, the answers can be starkly different from one “expert” to another.
The point to make is that the GDPR needs to work for your organization, which ultimately requires internal personnel to walk through each of the respective articles, asking the necessary questions regarding its applicability and scope. GDPR regulations for an e-commerce business in the U.S. selling tickets overseas will more than likely result in notably different compliance requirements than for a medical office in London specializing in pediatrics. Try to ignore all the noise and confusion from some of the so-called “experts”, and focus instead on who knows your business better than anyone else, and that’s you!
(3). Learn Key Definitions and Terms for the GDPR
You don’t need to become a legal or I.T. expert to conquer the GDPR compliance requirements, but you do need to have a solid understanding of the core terms and phrases. Here’s the essential terminology you need to become acquainted with when building your GDPR compliance action plan:
- Automated Means: Any operation or set of operations performed upon personal data that utilizes automation for collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- Binding Corporate Rules: Internal rules (such as a Code of Conduct) adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. Specifically, BCR are utilized by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals. As such, BCR ensure that all transfers made within a corporate group benefit from an adequate level of protection.
- Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- European Commission: The executive of the European Union charged with promoting the general interest of the EU. (https://ec.europa.eu/commission/index_en)
- European Data Protection Board (EDPB): Committee made up of the heads of national supervisory authorities (or their representatives) and the EDPS. Thus, the EDPB acts as an advisory committee, and is also an independent body within the European Union (EU) with its own legal power. The EDPB will have a chair that represents the committee. The EDPB will work to resolve disputes between national supervisory authorities, with most matters decided by a simple majority.
- Lead Supervisory Authority: The authority with the primary responsibility for dealing with a cross-border data processing activity.
- Personal Data: Any information relating to an identified or identifiable natural person (i.e., a "data subject"); an identifiable natural person is essentially somebody that can be identified, directly or indirectly, in particular by reference to an identifier via name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Processing: Any operation or set of operations that is essentially performed on personal data or on sets of personal data, whether or not by automated means. This would include, but is not limited to, the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Profiling: Any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
- Recitals: Text that sets forth reasons for the stated provisions within the "Articles" of the GDPR. Such text for the GDPR recitals consists of an enumeration or listing of facts and other related information.
- Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The GDPR states that the processing of such data shall be prohibited.
(4). Controller vs. Processor – Know the Differences
Using the above definitions as reference, let’s use a relatively straightforward business model as an example of a Controller vs. Processor for purposes of the GDPR.
The Smith Company sells a wide variety of home goods products through its e-commerce system, such as picture hanging hooks, candles, and alarm clocks. During the transaction process, they collect a wide range of personal data, such as name, address, phone number, age, payment information, and more. All new clients and existing clients therefore create an online account with the Smith Company for purposes of tracking orders, updating personal data, and more.
The Smith Company also uses this information to analyze purchasing patterns, hoping to create stronger engagement with their clients. They, however, use two (2) external companies to help facilitate the online account platform, particularly with regard to setup, management, and communication. Specifically, the ABC Data Analytics Company is a third-party with an online SaaS platform used by the Smith Company to store all order information and related personal data for each customer. Additionally, the XYZ Marketing Company integrates into the overall platform for providing email and communication of all relevant personal data between the customer and Smith Company.
In such a scenario, Smith Company is the Controller and the ABC Data Analytics Company and the XYZ Marketing Company are the two (2) Processors. Why? Because the Smith Company, according to the GDPR definition of a controller, is “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. And the ABC Data Analytics Company and the XYZ Marketing Company, according to the GDPR definition of a processor, are each “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
(5). Conduct a Deep Dive Data Discovery Assessment
There’s an old saying in information technology – “You can’t protect what you don’t know you have” – which means companies will have to take a good, hard look at the types of data they’re storing, processing, and transmitting. Where is the data located? What format is it in? Is it structured or unstructured data? What is the purpose of the data and is there a defined retention period? How is data destroyed? These are just a few questions that you’ll need to answer with a deep dive data discovery assessment regarding personal data for your GDPR compliance action plan. The end deliverable for assessing your data should be a formal Data Matrix that lists all relevant PII and related personal data information just discussed – and more – but there’s much work to be done before that can be accomplished. Also, it’s important to note that a supervisory body has the legal right to request such documentation from any organization conducting business within its legal jurisdiction.
The GDPR defines “personal data” as the following:
“Any information relating to an identified or identifiable natural person (i.e., a "data subject"); an identifiable natural person is essentially somebody that can be identified, directly or indirectly, in particular by reference to an identifier via name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Key initiatives for a deep dive data audit for your GDPR compliance action plan should consist of the following:
(1). Identify all aspects of personal data that you store, process, and/or transmit
(2). Use a “Personal Data Inventory Matrix” for recording the following information:
- Data Type
- Lawfulness, Fairness, and Transparency
- Collection Purposes
- Data Minimization
- Special Category of Data?
- Processing Safeguards
- Data Storage Protocols
- Data Transfer Protocols
(6). Perform a Data Protection Impact Assessment (DPIA)
The GDPR requires that a Data Protection Impact Assessment (DPIA) be performed by controllers if certain conditions exist. Specifically, Article 35(1) of the GDPR states that “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Furthermore, in accordance with Article 35(3), a data protection impact assessment is required in the case of:
- (a). Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- (b). Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- (c). A systematic monitoring of a publicly accessible area on a large scale.
Per Article 35(7) of the GDPR, a DPIA is essentially a process in which:
- (a). Authorized personnel examine an organization’s processing operations and the purposes of the processing
- (b). An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- (c). An assessment of the risks to the rights and freedoms of data subjects
- (d). The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
More simply stated, it’s about assessing one’s business and technology controls (i.e., policies, procedures, processes, and practices) relating to the safety and security of personal data for EU data subjects. FLANK offers world-class Data Protection Impact Assessment (DPIA) program templates available for download today at flank.org. Our DPIA template is an essential element of your GDPR compliance action plan, so get it today!
(7). Dedicate Yourself to “Data Subjects Rights”
One could argue that just as important as securing personal data for data subjects within the GDPR are the rights that data subjects have regarding the use and disclosure of their data. The European community as a whole has always been a leader when it comes to privacy issues, believing wholeheartedly that their citizens deserve, rightfully so, to have their personal data protected at all times. The GDPR has therefore resulted in an almost laundry list of rights afforded to data subjects, rights which you as a business need to know, specifically, the following:
- Article 12: The right to have communication in a concise, intelligible, and easily accessible manner.
- Article 13: The right to know (via a notice) the contact information of the controller and the data protection officer, purpose of processing, where it’s being performed, recipients of the data, and more.
- Article 14: The right to be informed (via a notice) in a timely manner (i.e., one (1) month) when personal data has not been obtained from the data subject, and thus was obtained indirectly.
- Article 15: The right to obtain confirmation of how, where, and why a data subject’s personal data is being processed, and more.
- Article 16: The right of data subjects to obtain rectification of inaccurate data or completion of incomplete data.
- Article 17: The right to have personal data erased, thus no longer used.
- Article 18: The right to restrict processing of their personal data if specific conditions apply, such as the accuracy of the personal data is contested, the processing of such data is unlawful, the controller no longer needs the personal data, and the data subject has objected pursuant to Article 21(1).
Assessing and evaluating the controls you have in place for data subjects’ rights is an important element of your GDPR compliance action plan, so start with a comprehensive GDPR Checklist from FLANK.
(8). Portability is Paramount for the GDPR
Are you aware that the GDPR gives data subjects the right to “Portability”, specifically, “…the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…where the processing is carried out by ‘Automated means’” (see definition above) (Article 20, “Right to Data Portability”)? Portability, while a much-lauded concept for data subjects, will ultimately require organizations – specifically, controllers – to move, copy and/or transfer data from one environment to another in a safe, secure, and efficient manner. What’s the real purpose of data portability? To give EU data subjects (i.e., consumers) choice and flexibility in today’s economic landscape – thus to empower the consumer in a rightful way. It therefore will require the controller – and possibly even the processor – to give data subjects the necessary tools to actually move data, perhaps in the following manner:
(1). A “do-it-yourself” scenario where a data subject can download and export personal data.
(2). An option (and probably the most common) where a data subject submits a request for data to be moved and controllers (and again, possibly even processors) assist in the data migrations with various scripts, tools, and other technology solutions.
(3). The use of an independent third-party that can facilitate data transfers from one controller to another.
(9). Get Serious About Information Security (GDPR Article 32)
Unfortunately, the GDPR does not provide a prescriptive listing of information security frameworks, domains, or any real set of policies and procedures that must be in place (it does offer a few high-level security requirements, but not much else). Rather, it offers broad guidance and recommendations throughout the regulation itself, most notably in Article 32. The detailed reader will notice the language pertaining to “implement appropriate technical and organizational measures”. Specifically, controllers and processors must implement measures required by Article 32, which details the GDPR’s “security of processing” standards. To be clear, addressing the requirements within Article 32 constitutes an element of your GDPR compliance action plan.
Specifically, under Article 32, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” Thus, the GDPR provides specific recommendations for the type of security that should be considered “appropriate to the risk,” including:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Security Requirements for the GDPR
So, what are the actual security requirements for GDPR? While ensuring the safety and security of personal data is paramount, organizations can’t achieve such a mandate without adequate information security policies, procedures, and processes. Luckily, the GDPR does tell us to “implement appropriate technical and organizational measures”, to “ensure…the confidentiality, integrity, and availability…of processing systems” – all of which are pillars of a comprehensive InfoSec framework. Two options therefore arise in terms of information security compliance for the GDPR: (1). Implement a proven framework, such as ISO 27001/27002 (most popular choice for EU companies), or even NIST SP 800 (a viable option for North American companies). (2). Implement information security that’s not based on any prescribed standard, but on stand-alone InfoSec domains, such as access control, change control, data backup, etc. In all reality, both options should provide adequate coverage for information security controls in meeting the requirements for Article 32 of the GDPR.
The World’s Two Most Dominant InfoSec Frameworks (ISO 27000 and NIST SP 800)
It’s important to note that the two most well-known information security frameworks in the world are the ISO 27000 framework (particularly, the ISO 27001 and ISO 27002 publications), and the NIST SP 800-53 publication put forth by the National Institute of Standards and Technology in the U.S. Many organizations required to comply with the GDPR have already adopted ISO or NIST as their InfoSec framework, thus mapping to the existing GDPR requirements becomes a little less overwhelming. Remember that the GDPR is much, much more than just information security. In fact, while information security is the central theme for ensuring the safety and security of personal data, a multitude of other legal, H.R., data privacy and operational best practices come into play. It’s not enough to just have an adequate set of I.T. controls in place for the GDPR, so while ISO and NIST are definitely helpful, they’re not a silver bullet for curing all your GDPR requirements.
Why ISO is the Preferred Security Framework for GDPR
While there are many ISO 27000 series publications, the two most well-known are ISO 27001 and ISO 27002. As for ISO 27001, it essentially states the following: This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
As for ISO 27002, it’s best viewed as a "code of practice": guidelines and general principles for initiating, implementing, maintaining, and improving security management within an organization. Furthermore, ISO 27002:2013 contains detailed descriptions of controls, coupled with guidance on implementation, and other information for 14 security control clauses.
And because the GDPR is primarily built around the concept of “data security”, implementing an ISMS, or at the very least, adopting controls within the ISO 27002 publication, will no doubt result in significant achievements toward meeting a large majority (but not all) of the requirements for GDPR. Furthermore, because both ISO 27000 and, of course, GDPR have their origins and roots in the European community at large, a natural “marriage” of these two core data sets seems logical when discussing what type of security framework to use for GDPR compliance.
EU businesses are well-versed with the ISO 27000 publications, and not so much with the North American NIST standard, so the logical step is to move forward with ISO. FLANK offers a world-class ISO 27001/27002:2013 All-in-One Toolkit that’s available for instant download today at flank.org. Additionally, learn more about the mapping between ISO and GDPR by downloading the GDPR mapping to ISO 27001/27002 matrix. Bottom line: choosing a security framework is a critical element of your GDPR compliance action plan.
NIST is also an Acceptable Security Framework for GDPR
The NIST SP 800 publications, particularly NIST SP 800-53, can effectively be used for one’s GDPR information security requirements as it contains numerous control families that easily meet various requirements found within Article 32 of the GDPR. NIST has published a Cybersecurity framework document which consists of a Framework Core consisting of the following areas: Identify, Protect, Detect, Respond and Recover. These areas then map to various categories within the Cybersecurity publication itself. In all, if an organization were to adopt the NIST Cybersecurity framework, it would no doubt help in meeting the information security requirements for the GDPR.
Another alternative is the well-known NIST SP 800-53 publication, one of the world’s most in-depth information security documents that covers a wide number of operational and InfoSec domains. Many organizations having to become FedRAMP, FISMA, and DFARS 800-171 compliant are required to comply with NIST SP 800-53, thus a natural extension for GDPR would be to use one’s existing controls as evidence of compliance.
Stand-Alone Security Domains
Yet another alternative for complying with information security requirements for the GDPR is implementing what’s known as “stand-alone” security domains: areas within the broader platform of information security that have not been developed in accordance with industry frameworks, yet are still acceptable. Here’s an example to clarify: Take access control; both the ISO 27001/27002 and NIST SP 800-53 frameworks have prescriptive language as to what should be included within the scope of one’s actual access control policies, procedures, and processes. But perhaps you developed your own unique access control methodologies (i.e., policies, procedures, and processes) that do not include, align, or map to ISO or NIST.
That’s completely acceptable, so long as your methodologies are commensurate to your security needs. We see examples all the time of InfoSec policies that are extremely well-written and comprehensive, so don’t think you’re confined to just the ISO or NIST frameworks. Regardless of which framework you use or do not use in terms of InfoSec, just remember that you’ll need to “implement appropriate technical and organizational measures”, to “ensure…the confidentiality, integrity, and availability…of processing systems” (per Article 32 of the GDPR). Keep this in mind when thinking about your GDPR compliance action plan.
(10). Assess Third-Party Requirements for GDPR Compliance
Ask almost any company in any industry in any region of the world if they use the services of a third-party for performing critical business functions, and the answer will almost always be yes. Just stop and think about what your company outsources – payroll, managed security services, cloud storage – the list is almost endless, and it can create immense challenges for GDPR compliance. Similar to a deep dive data discovery, you’ll want to identify and list all third-party vendors, their functions, what types of personal data, if any, they store, process, and transmit, what provisions are in place for deleting data, and much more.
Hopefully, many of your third-party vendors are taking the time to become GDPR compliant by putting in place all necessary controls, but you’ll still need to obtain some type of confirmation that this is in fact true. Doing a little due-diligence can go a long way toward ultimately complementing your own GDPR compliance initiatives. The best plan-of-action to take is implementing a third-party provider due-diligence program and engaging in continuous monitoring of such providers. Remember that your controls with regard to storing, processing and transmitting personal data are often only as strong as the controls of your outsourcing providers.
(11). Put in Place a GDPR Remediation Plan for Compliance
Remediation is without question one of the more challenging and time-consuming aspects of compliance with the GDPR, as every organization will have to perform some type of essential “house cleaning”. How much remediation is required? What areas will we need to focus on? What are the costs associated with remediation? These are just a handful of questions we receive from companies all throughout the EU, North America, and other select global regions seeking to become GDPR compliant. While we can’t provide a one-size-fits-all answer, what we can tell you without hesitation is that the GDPR is a massive exercise in documentation creation. As one client stated, “Well, we do all of the things required by the GDPR, we just don’t have any documentation in terms of policies and procedures to say we actually do it”.
It’s a common theme we’re hearing more and more of as companies are seeking guidance on a wide range of documents – legal policies, privacy policies, consent forms, operational policies, information security policies, and more. What makes it challenging is finding an organization with the depth and expertise capable of developing the enormous amounts of documents. Thankfully, FLANK specializes in GDPR documentation creation, and for all Articles within the regulation. We also developed a world-class GDPR Compliance Toolkit, an ISO 27001/27002 policy toolkit, and other documents that can be used for many areas within the GDPR regulation. View the GDPR mapping to ISO 27001/27002 matrix today, along with the ISO 27001/27002 policy toolkit.
With documentation creation often topping the list for GDPR remediation, don’t forget about privacy, legal, operational, and information security activities that might require your attention. Documentation, while important, is of little value if a lack of controls exists in other areas of your company. For example, what good is a data retention policy that specifically states when data is to be deleted, only to find out that such an activity is not even being performed? Processes and procedures speak to the actions of an organization, so keep this in mind for the GDPR. Some things to consider when developing your GDPR compliance action plan:
- Do adequate processes and procedures exist for obtaining, storing, processing, transmitting and deleting personal data for data subjects in scope?
- Do comprehensive information security controls exist for protecting data at all times? For example, do you use encryption, implement strong access controls, have a documented cyber incident response plan in place, perform data backups of critical data sets, and more?
- Are processes and procedures in place for portability of data, and other essential activities that need to be executed upon the requests of data subjects in scope?
- Do you actively monitor all relevant third-party providers (i.e., vendors) that are involved in critical functions that could affect your company? Think data centers, managed security services providers – almost any entity that has the ability to interact with personal data relating to a data subject should be considered in-scope for GDPR. Again, you can clearly see the unbelievably large scope this regulation has.
- Do you have a Data Protection Officer (DPO) – a strict requirement for some controllers and processors – or at the very least (and as a best practice), does your company have a compliance/security officer that is essentially responsible for overseeing and maintaining GDPR compliance efforts?
(12). The Time to Act is Now
Depending on the date you’re reading this article, the GDPR compliance deadline may very well have passed, but regardless, compliance is mandatory. Therefore, if you’ve missed the compliance deadline, then you’ll need to keep working to cross the finish line, and if you’re a new business, then welcome to the world of regulatory compliance and the GDPR. Bottom line, the time to act is now in putting together your GDPR compliance action plan. Compliance with the GDPR, even if you’ve met the 2018 deadline, will undoubtedly require a constant effort for continuing to monitor organizational controls. You can’t rest on your laurels of meeting the initial deadline – that’s great if you did, and congratulations – but a regular health check of inspecting one’s controls is not only mandatory, but a best practice every business should be performing.
Think about it, doesn’t it just make sense to develop and integrate compliance requirements in parallel with your business needs? FLANK can also assist with a wide variety of other regulatory compliance requirements for companies all throughout the globe, so visit flank.org today to learn more. GDPR is not an event in time; it’s going to be a journey, a long-term process requiring collaboration amongst key players within an organization. It’s time to put in place your GDPR compliance action plan. FLANK can help.