By UpCounsel Technology Attorney Jim Varghese

On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will go into effect and will obligate both EU and non-EU based companies to comply with a new regime of rules if the organization offers goods or services to, or monitors the behavior of, EU data subjects. The Regulation will apply to all companies that process or hold the personal data of data subjects residing in the EU, regardless of where the company is based. The consequences of non-compliance can be quite severe, with fines up to €20 Million or four percent of annual global turnover.

As companies look at their own data privacy and cybersecurity situation, they may feel overwhelmed by glaring deficiencies and the seemingly onerous requirements to achieve GDPR compliance. The points below are by no means an exhaustive checklist for GDPR compliance, but can provide an organization’s decision makers a sense of what needs to be done (as soon as possible).

1. Understand the Stakes & Commit to a Sensible Strategy

There is no getting around it – compliance can be expensive and time consuming. Smaller businesses with few to no customers in the EU may decide that the cost of coming into compliance is simply not worth it and assume the risk. On the other hand, many companies will want to meet or exceed the GDPR’s requirements to avoid fines, maintain their reputation in the market and/or fulfill their obligations and warranties in contracts with customers. Companies need to create a reasonable strategy, properly resource the plan, commit to it and execute attainable milestones.

2. Determine the State of Play

Companies must undertake an honest audit of their current data situation. Basic questions for assessment include, but are not limited to: what data does the company hold, what is done with it, how is it stored, for how long is it stored, is it processed and if so how, where does it come from, and where does it go? How is the firm currently handling sensitive, financial, medical, biometric or children’s information? Organizations must map all incoming and outgoing data flows with customers, vendors, subcontractors and government agencies. Companies cannot be compliant with GDPR if they exchange data with non-compliant organizations.

3. Embrace Data Minimization

Some situations genuinely require a company to retain the ability to collect, store, process and use personal data. Others simply do not. If there is not a reasonable commercial justification for keeping certain types of data, they should be deleted.

4. Create Privacy Policies and Notices

Companies should collaborate with their legal team to create policies and notices that meet the GDPR requirements and are written in simple, plain language. Then, post them to the website.

5. Seek, Record, and Manage “Consent”

Consent must be freely given, specific, informed and unambiguous, and there must be a positive opt-in method. Consent cannot be inferred from inaction and must be separate from other terms and conditions. Moreover, organizations will need to have simple ways for individuals to withdraw consent.

6. Reach Out & Negotiate with Vendors, Contractors, and Partners

Companies must develop processes to notify third parties who use or access personal data and gain awareness of their deletion and retention policies. Procurement and sales departments should work with their legal and contract negotiation teams to properly amend or terminate arrangements for GDPR compliance.

7. Create a Mechanism to Facilitate Subject Access Requests

Data subjects must be told that they have a right to obtain a copy of their data. However, the company needs to create a legally sufficient and commercially feasible way to actually do this. Some companies allow subjects to download data online and others can provide a printed copy.

8. Understand and Prepare for New Data Breach Notification Requirements

The reality is that breaches happen to companies of all sizes. The GDPR will require companies to notify consumers when there is a possibility their data has been accessed by an unauthorized party. There is a 72-hour window to address such a breach, so prepare general and incident-specific templates for affected persons, pertinent vendors or customers, consumer reporting agencies and other regulatory bodies so the company and legal teams can work quickly in the event of a breach.

9. Appoint a Data Protection Officer (DPO)

Companies should appoint someone to be responsible for data compliance if the company processes demographic data or is in a highly regulated industry. Consult with legal to assess whether the GDPR requires your business to formally appoint and identify a DPO.


About the author

Jim Varghese

Outside General Counsel for several new startup and small companies, with a particular emphasis on representing Clients in their technology, hardware, software, cloud (IaaS, PaaS, SaaS), data security, professional services and consulting transactions. In addition to transactional work, Jim is the point of contact for his Clients on an array of business law projects including, but not limited to, entity formation, corporate governance and votes, employment & termination procedure, covenants not to compete and also mergers & acquisitions diligence. Jim is able to identify and implement process improvements for legal and business operations alike. Jim is also a CIPP/US.
