Will You Be Ready When the GDPR Takes Effect?
TABLE OF CONTENTS
What is GDPR?
The Guiding Principles
What’s at Stake?
Roadmap to Compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is a sweeping privacy and data protection regulation in the European Union (EU) and will be enforced from May 25, 2018, replacing Data Protection Directive 95/46/EC.
The GDPR imposes significant new obligations on organizations that control or process relevant personal data and introduces new rights and protections for EU
Definition: Data Controllers
Data controllers are organizations that determine the purposes and means of processing personal data, making key decisions about the scope and nature of the processing.
Definition: Data Processors
Data processors are organizations that handle personal data and carry out technical operations on behalf of data controllers and in accordance with their instructions.
Controllers now bear the burden of proof for demonstrating that they have procedures in place for dealing with their obligations to data subjects. The GDPR’s new recordkeeping requirements are substantial and not something that many organizations currently have in place.
The Guiding Principles
The requirements of the GDPR are driven by these guiding principles for the collection and use of personal data.
Lawfulness, Fairness, and Transparency
Data must be collected in a lawful, fair, and transparent manner.
Purpose Limitation
Data can only be collected for specified purposes, and cannot be used in a manner incompatible with those purposes.
Data Minimization
The amount of data collected must be limited to data that is relevant to, and necessary for, the purpose for which it was collected.
Accuracy
Efforts must be made to ensure data accuracy and allow for correction of inaccurate data.
Storage Limitation
Data must not be stored in an identifiable form for longer than necessary to accomplish the purpose for which it was collected.
Integrity and Confidentiality
Data must be processed in a manner that ensures appropriate security and protects against loss or compromise.
Accountability
Data controllers are responsible for, and must be able to demonstrate, compliance with the above principles.
What’s at Stake?
The GDPR establishes an extensive enforcement regime. Compared with the Directive, the GDPR creates the potential for more invasive investigations and substantial economic consequences for violations.
The GDPR grants Supervisory Authorities (SAs) extensive powers and responsibilities, including broad investigative and corrective powers.
SAs are empowered to impose significant administrative fines on both data controllers and processors that violate the GDPR.
For the most serious violations, including those relating to the guiding principles previously mentioned, obtaining consent, data subject rights, and cross-border data transfers, organizations may face fines of up to 4% of the global annual turnover of the preceding financial year or 20,000,000 EUR, whichever is greater.
Roadmap to Compliance
Evaluating Your Current State
With so much on the line, data controllers and processors will want to take immediate action to prepare for enforcement of the GDPR.
The first step is determining whether the GDPR applies to your organization. You can do this by:
Reviewing your organization’s current data handling activities to determine whether they fall within the scope of the GDPR.
Mapping your organization’s current data handling practices to create an inventory of the types, locations and flows of personal data.
Designating a GDPR compliance team comprising stakeholders from key business units within the organization.
Planning Your Roadmap to Compliance
Next, you can determine how the GDPR applies to your organization and plan a roadmap to compliance that fits your organization’s needs. While both data controllers and data processors are now directly subject to the GDPR, there are differences in how each type of organization is required to comply.
Potential next steps could include:
Reviewing your new legal obligations under the GDPR and conducting a gap assessment.
Setting a budget and allocating resources to address the weaknesses identified by the gap assessment and areas of non-compliance with the GDPR.
Engaging the participation and support of your board of directors.
Identifying your Member State of main establishment, which is important under the GDPR because it determines which SA will have the lead in regulating your organization’s GDPR compliance. Note that the definition of main establishment differs based on whether your organization is a data controller or processor.
Assessing your current liability arrangements and insurance coverage.
Develop a Governance Structure
This includes designing a responsibility structure that fits your existing organization, determining whether to appoint a data protection officer, and, for organizations not established in the EU, appointing a representative in the EU that can act on the organization’s behalf on all issues relating to processing.
Update Internally Facing Policies and Procedures
This includes implementing data protection by design and default, satisfying new, more stringent requirements regarding consent and recordkeeping, and conducting data protection impact assessments when developing and using data in a manner likely to create a substantial risk to the rights and freedoms of individuals.
Implement Mechanisms to Accommodate Data Subject Rights
The law requires that controllers provide information notices to individuals regarding their personal data and after certain data breaches. Controllers must also respond to requests relating to individuals’ rights under the GDPR. These new obligations require the creation of new processes to accommodate requests and identify data.
Closely Manage Vendors
Data controllers will want to perform due diligence of vendors with access to EU personal data to ensure they too comply with the GDPR. Existing contracts can then be reviewed to ensure the specific GDPR requirements are met. Companies may want to develop a standard form addendum for new vendor agreements and consider how to add these new clauses without renegotiating existing provisions.
Restrict International Data Transfers
Transfers of personal data to a third country or international organization outside the EU can only take place if the safeguards set forth by the GDPR are in place. While this was true under the Directive, the list of acceptable safeguards has changed and, as this area of the law is still evolving, data controllers and processors will want to evaluate any existing mechanisms to be sure they continue to serve the intended purpose.
Implement Appropriate Data Security and Incident Response Measures
Data controllers and processors are required to implement technical and organizational security measures to protect personal data. The GDPR also imposes an obligation on data controllers to disclose the occurrence of certain personal data breaches to the supervisory authority within 72 hours, so organizations must be prepared to respond.
Abide by Seals, Certifications, and Codes of Conduct
The GDPR strongly encourages approved codes of conduct and certifications for the purposes of guiding data controllers and processors on GDPR requirements.
Set Up an Ongoing Monitoring Program
Organizations may want to put in place a mechanism to track regulatory developments and guidance, interpretative decisions, and local requirements relating to the many areas of the GDPR reserved to
Remember that May 2018 is only the beginning of the GDPR.