By UpCounsel Contributor
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will go into effect and will obligate both EU and non-EU based companies to comply with a new regime of rules if the organization offers goods or services to, or monitors the behavior of, EU data subjects. The Regulation will apply to all companies that process or hold the personal data of data subjects residing in the EU, regardless of where the company is based. The consequences of non-compliance can be quite severe, with fines of up to €20 million or four percent of annual global turnover, whichever is higher.
As companies look at their own data privacy and cybersecurity situation, they may feel overwhelmed by glaring deficiencies and the seemingly onerous requirements to achieve GDPR compliance. The points below are by no means an exhaustive checklist for GDPR compliance, but can provide an organization’s decision makers a sense of what needs to be done (as soon as possible).
1. Understand the Stakes & Commit to a Sensible Strategy
There is no getting around it – compliance can be expensive and time consuming. Smaller businesses with few to no customers in the EU may decide that the cost of coming into compliance is simply not worth it and assume the risk. On the other hand, many companies will want to meet or exceed the GDPR’s requirements to avoid fines, maintain their reputation in the market and/or fulfill their obligations and warranties in contracts with customers. Companies need to create a reasonable strategy, properly resource the plan, commit to it and execute attainable milestones.
2. Determine the State of Play
Companies must undertake an honest audit of their current data situation. Basic questions for assessment include, but are not limited to: What data does the company hold? What is done with it? How is it stored, and for how long? Is it processed, and if so, how? Where does it come from, and where does it go? How is the firm currently handling sensitive, financial, medical, biometric or children's information? Organizations must map all incoming and outgoing data flows with customers, vendors, subcontractors and government agencies. A company cannot be compliant with the GDPR if it exchanges personal data with non-compliant organizations: a controller may only use processors that provide sufficient guarantees of compliance, and it remains responsible for the data it hands to them.
3. Embrace Data Minimization
Some situations genuinely require a company to retain the ability to collect, store, process and use personal data. Others simply do not. If there is not a reasonable commercial justification for keeping certain types of data, they should be deleted.
4. Create Privacy Policies and Notices
Companies should collaborate with their legal team to create policies and notices that meet the GDPR requirements and are written in clear and plain language, as the Regulation itself demands. Then, post them to the website and to any other point where data is collected.
5. Seek, Record, and Manage “Consent”
Consent must be freely given, specific, informed and unambiguous, and there must be a positive opt-in method. Consent cannot be inferred from inaction or from pre-ticked boxes, and it must be presented separately from other terms and conditions. The organization must also be able to demonstrate that consent was given, which means keeping a record of who consented, when, to what, and how. Moreover, organizations will need to have simple ways for individuals to withdraw consent, and withdrawing must be as easy as giving it.
6. Reach Out & Negotiate with Vendors, Contractors, and Partners
Companies must develop processes to identify and notify third parties who use or access personal data on their behalf, and to understand those parties' retention and deletion policies. The GDPR requires that processing by a vendor or contractor be governed by a written contract that sets out the subject matter, duration, nature and purpose of the processing and the processor's obligations. Procurement and sales departments should work with their legal and contract negotiation teams to properly amend or terminate arrangements for GDPR compliance.
7. Create a Mechanism to Facilitate Subject Access Requests
Data subjects must be told that they have a right to obtain a copy of their data, and the company must be able to act on a request without undue delay and, in any event, within one month of receiving it (extendable in complex cases). The company therefore needs to create a legally sufficient and commercially feasible way to verify the requester's identity, locate everything held about them, and deliver it. Some companies allow subjects to download their data online and others provide a printed copy.
8. Understand and Prepare for New Data Breach Notification Requirements
The reality is that breaches happen to companies of all sizes. The GDPR will require a controller to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. A processor that suffers a breach must notify the controller without undue delay. Because 72 hours is a short window, prepare general and incident-specific templates for affected persons, pertinent vendors or customers, regulators and other bodies, and agree in advance who decides whether a breach is reportable, so the company and legal teams can work quickly in the event of a breach.
9. Appoint a Data Protection Officer (DPO)
Companies should appoint someone to be responsible for data compliance if the company is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if it processes special categories of data (such as health, biometric or criminal-conviction data) on a large scale. Companies in highly regulated industries will often fall into one of these groups. Consult with legal to assess whether the GDPR requires your business to formally appoint a DPO and publish that person's contact details to the supervisory authority.