9 Months And Counting: 10 Things You Need To Be Doing Tomorrow To Prepare for GDPR
By Saad Gul and Michael E. Slipsky
The European Union’s General Data Protection (GDPR) is now 9 months away. Any organization that processes data needs to assess its state of readiness. Here are the top ten benchmarks to enable it to take stock.
1. Overall Principle: The principle at the heart of the GDPR regime is that a data subject always has the sacrosanct right to control of their personal data. Virtually every GDPR obligation flows from this bedrock principle.
2. Inventory. No company can comply with its data processing obligations unless it has a full understanding of its existing data inventory. This is a time consuming exercise. In our experience, formal company data maps and filters invariably omit isolated data silos e.g. those in standalone systems such as correspondence. Data mapping is an iterative process. The earlier begun, the better positioned you will be.
3. The Data Protection Officer. Organizations that process data on a regular basis are required to appoint a Data Protection Officer. Since the DPO is expected to wear many hats: internal privacy advocate, documentation guru, public interface, and regulatory liaison, the appointment is a linchpin of the compliance process. The unique skill-set required: equal measures of technical and privacy expertise mean that identifying and placing a suitable individual will be a time consuming exercise. Begin now.
4. Check consent or adequate basis for data. An organization should be able to identify consent or an alternative legal basis for every instance of data processing that it undertakes. The corresponding documentation for each basis should be readily accessible in the event of an audit. Even otherwise meticulous organizations can struggle to retrieve specific documentation e.g. a particular consent form. Again, beginning now is the key.
5. Document your processes. GDPR emphasizes Privacy by Design: the principle that data processing is built around the premise of privacy. Privacy should not be an after-thought. This principle is encapsulated in requirements such as conducting a Privacy Impact Assessment. Requirements such as the PIA require significant procedural changes throughout an enterprise. These procedures should be documented and rolled out to the entire organization. Appropriate time should be factored for training. A process that exists only on paper or is largely ignored by employees is worse than one that does not exist at all.
6. Purge your data. In the age of cheap storage, organization are inherently reluctant to dispose of data. There are institutional incentives to retain data e.g. it may prove useful in subsequent analysis. However, the GDPR is explicit that the permissibility of data collection and retention is limited to the time and purpose for which the data was collected. Once that purpose has been satisfied, the organization no longer has a legal right to the data. Organizations need institutionalize practices to periodically and consistently delete unneeded data. This practice also reduces exposure in the event of a breach.
7. Revisit your notification procedures. The new regulations envision stringent post-breach procedures. Regulators must be informed within 72 hours. Data subjects may need to be informed if the data breach places them . Organizations need to ensure that their technological and procedural capabilities are adequate to the task.
8. International data flows. The GDPR requires that international data transfers be limited to (1) the member countries of the European Union; (2) member countries of the European Economic Area; (3) countries that Brussels has deemed to offer an “adequate” level of data protection. The United States retains its adequacy determination under the Privacy Shield program. However, Privacy Shield is under legal attack however, and its future remains uncertain.
9. Alternative international data flow measures. Data transfers to countries without an “adequacy” determination are permissible if the necessary safeguards have been instituted. These safeguards typically take the form of standard contractual clauses or binding corporate rules. The EU’s past enforcement record has been harsh. Companies in full compliance with Safe Harbor were penalized when the program was struck down. In light of this, organizations should consider a “belt-and-suspenders” approach whereby such clauses and rules are incorporated in data processing agreements, even if they are located in a country with an “adequacy” determination.
10. Dealing with the public. Members of the public, or data subjects, have a host of new rights under the GDPR. These include the right to revoke consent, the right to review/correct data, the right to portability of data, and of course, the famed “right to be forgotten.” Meeting the compliance obligations generated by these rights will require both technical and procedural changes. With the clock ticking to May 25, 2018, the time to institute them is now.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.