The hour cometh. The European Union's General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") goes into effect on May 25, 2018. If a company processes or stores the personal data of EU residents (not citizens), it is subject to the Regulation. (The UK presents a special case, which will be the subject of a subsequent alert; in the meantime, we advise UK-affiliated clients to anticipate and prepare for full GDPR compliance).
The GDPR is an intricate regime that will potentially require affected companies to make both technological and procedural adjustments. In many cases, it will be no small undertaking to achieve compliance. Accordingly, the time to begin your compliance efforts is now.
With the hour of reckoning approaching, here are the key issues that senior management should be discussing with their information technology teams:
1. Set Benchmarks to Meet Tight Breach Deadlines. Under Articles 33 and 34, GDPR mandates data breach notification to local regulators within 72 hours of the company's determination of a breach. The notification must encompass an explanation of what has transpired, the nature of the data exposed, and the number of data subjects affected. These tight timeframes highlight the necessity of creating a data breach response plan (and periodically engaging in test-runs).
2. Incorporate the Data Protection Officer into Company Processes: Under Article 37, companies whose business entails the processing of sensitive data must appoint a Data Protection Officer. Sensitive data includes details of an individual's ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health, sex life, and sexual orientation. Articles 38 and 39 set up the DPO as an internal privacy ombudsman. This requires independence and job security protection. He or she must have access to both IT personnel and executive leadership to be a component in both tactical and strategic decision making.
3. Enable Data Subject Control: The GDPR is premised on the idea that an individual should control his or her own data. Articles 15 and 21 give data subjects substantial control over their personal data. This control includes the right to cease processing (which gave rise to the famous "right to be forgotten") and the right to portability. Compliance with these rights may require technological adjustments.
4. Enforce Vendor Requirements: Article 28 contains a non-exhaustive list of requirements that must be incorporated in agreements with third party processors or vendors that process data on behalf of a GDPR-regulated entity. These requirements incorporate the GDPR vision of security, privacy and control: vendors are expected to protect data, limit access, cooperate with regulators, and be able to document their compliance with all requirements. All new contracts should reflect these requirements. Existing ones should be amended to reflect the same.
5. Notice of and Limits to Processing: Articles 12 and 14 require that data subjects be notified of the nature and objectives of data collection and processing. The notification must be clear--i.e., using non-technical and non-legal language. IT should ensure that data is processed within the constraints set out in these notifications.
Both the legal and technical complexities of the GDPR regime mean that compliance is a long-term project. Companies who process EU resident data should be prepared to (1) educate their IT departments on the intricacies of the regime; and (2) develop a project plan encompassing the required technical, procedural, and training milestones that will have to be achieved before the stroke of midnight on May 25, 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
