On May 25th, 2018 the General Data Protection Regulation (GDPR) will replace the data protection directive of 1995 (officially Directive 95/46/EC), and it’s time for organisations to start preparing to make sure they are ready once it comes into effect. As General Counsel, it’s important that you understand the key legal obligations and risks that could impact your business.
GDPR is coming…
The GDPR extends the definition of personal data, provides increased rights for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.
Data protection authorities can impose fines of €20 million or 4% of a company’s global turnover (whichever is higher), so it’s important that you are able to show that data protection is a key consideration (rather than an after-thought) when designing any system that processes personal data. While data protection authorities are making efforts to inform organisations in their countries, it’s important to note that organisations in non-EU countries – like the US – will also be required to comply if they want to do business in Europe or the UK.
And authorities are serious about their commitment. In the UK, the Information Commissioner’s Office has hired 200 additional staff to properly prepare and monitor organisations!
7 ways General Counsel can prepare for GDPR
Here are 7 tasks you should carry out to ensure you’re prepared for GDPR:
Allocate responsibility for GDPR within your organisation and raise awareness
Raise awareness with key decision makers and ensure they appreciate the impact this will have. Additionally, some organisations may be required to appoint a Data Protection Officer (DPO) – a person responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Since DPOs are in a leadership position to provide education and training, many organisations may want to appoint a person with related tasks (without the DPO designation) as a best practice.
Document the personal data you hold across the business
As part of your preparations, conduct a full audit to document what personal data you have, where it came from and with whom you share it. While we often think about this in terms of customer data, GCs should also document how other personal data – like employee or partner data – is being collected, stored, and used. If you use a legal repository like Legisway Essentials, you can register all of your data processes so you can report on them, as required under GDPR.
Carry out a Data Protection Impact Assessment
Under the GDPR, organisations must conduct data protection impact assessments (DPIAs) when processing is likely to involve a high risk to individuals. However, it is recommended that DPIAs are performed for all processing activities, regardless of risk level. DPIAs look at how your organisation’s processes affect or might compromise the privacy of the individuals whose data you hold. If identified risks cannot be mitigated successfully, you will need to consult with the data protection authority (DPA) before engaging in the processing activity.
Review your privacy policy and contracts
Review your current privacy policy and put a plan in place for making any necessary changes in time for GDPR implementation. You should identify the lawful basis for your processing activity (e.g. consent), document it and update your privacy notice to explain it. Organisations also need to re-examine their agreements with data processors to ensure that they meet the requirements of the GDPR. New agreements should be drafted with the GDPR’s requirements in mind.
Review your procedures to ensure “privacy by design”
To comply with GDPR, you should be aware of the requirements for “privacy by design” and “data protection by default”. What this means is that privacy cannot be an after-thought; it needs to be embedded throughout the process of designing products and services. Technical and organisational measures should be in place to ensure that – by default – personal data is only processed insofar as is necessary for the processing purpose(s). For example, you cannot use “pre-ticked” boxes for marketing purposes or use data for purposes not specified.
Review how you manage consent and rights of data subjects
Under GDPR, the rules for obtaining valid consent from individuals are stricter. If consent acts as the legal basis for your data processing activity, you need to ensure it is being requested, obtained, recorded, tracked, and amended as required under the GDPR. If you market to children, you will need to understand what process to put in place to verify age and to obtain parental or guardian consent. Additionally, you need to check your procedures (technical and administrative) to ensure you are capable of honouring the rights individuals have, including the right to erasure (to have their data deleted) and the right to data portability.
Update procedures relating to the detection and reporting of breaches
In the event of a data breach, you will still need to provide notification to data subjects and authorities. But what is new under GDPR is that you are also required to record information about any data breaches that occur, regardless of whether they were reported to authorities. This documentation must be ready to be shared with a DPA upon request. If you use a tool like Legisway, you can record your data breaches, allowing you to run a historical report on demand. Furthermore, it’s important to note that if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document it.
When it comes to preparing for GDPR there is no “one size fits all” method, but there are key aspects that every GC needs to be aware of. It is important to have the right tools and processes in place from the start, so that you don't get left behind in your compliance journey.
To learn more about the new obligations under GDPR, download your free copy of “5 Key Aspects of GDPR for legal departments”.