It is now less than one year before the EU General Data Protection Regulation (“GDPR”) takes effect, bringing with it increased compliance obligations, penalties (as high as 20 million euros or 4% of annual worldwide turnover, whichever is higher), and enforcement. EU regulators have already advised organizations that there will be no grace period for compliance after May 25, 2018. As Irish Data Protection Commissioner Helen Dixon said, “The GDPR is big news because it can’t be business as usual for any type of company . . . after May 2018. If it is business as usual after that point, there will be consequences for companies and organisations, whether they are big or small, public or private, and those consequences will be very significant.” (See also IAPP, “ICO’s Wood: GDPR grace period? No way”.)
Because of the many obligations the GDPR imposes on organizations, and the significant financial consequences of non-compliance, organizations cannot afford to wait until the last minute to develop and implement a plan for meeting the legal, technical and business challenges the GDPR presents. With the compliance deadline fast approaching, here are three critical GDPR action items organizations should undertake soon, if they have not already. We developed this list of recommended early action items based on our knowledge of the data protection priorities and investigative approaches of European data protection authorities, and on our experience working closely with clients on GDPR-readiness plans designed to address organizations’ highest areas of risk first without unduly disrupting their business.
- Conduct GDPR-Readiness Assessment and Develop Prioritized Compliance Road Map: The first step is to conduct a GDPR-Readiness Assessment to obtain a deeper understanding of the privacy and security practices throughout your organization (and of the third parties to which you send EU personal data), and to develop a prioritized plan for GDPR compliance. The GDPR is not “business as usual,” and significant change requires buy-in. Among other benefits, a GDPR-Readiness Assessment helps drive change by bringing the organization’s GDPR compliance gaps, and the serious risks of non-compliance, to the attention of executives and other key stakeholders. If you have not yet conducted one, do so soon, because each of the following steps takes time: converting what the assessment reveals into an actionable compliance plan; obtaining the necessary buy-in; assembling a cross-functional team with representatives from Legal, IT, HR, Accounting and other business units to collaborate on GDPR action items; developing the necessary policies, procedures, processes, notices and consents; and implementing the requisite technical and organizational changes, including appointing a data protection officer if your organization is required to have one.
- Identify EU Personal Data and Data Flows: Another necessary early action item is to develop and initiate a targeted data mapping project. The project should be designed to identify the types of personal data (including EU personal data) your organization retains, every location where that data is stored, how it is shared within the organization, every third party to which it is transferred, and every cross-border transfer. Our clients often discover that EU personal data (as well as other confidential data) is being stored in unexpected places. Among other benefits, a targeted data mapping project collects the information needed to prepare the required records of processing activities; helps the organization respond to data subject requests (e.g., knowing where to find the personal data relating to an access or erasure request); supports demonstrating compliance with the GDPR’s data processing principles (e.g., by identifying opportunities for data minimization); and makes it possible to draft accurate and complete privacy notices. This is a recommended early action item for two reasons: data mapping requires significant input from throughout the organization and therefore takes considerable time to complete, and its output feeds much of the other GDPR-readiness work (e.g., the privacy notices, which often must be translated into many languages before publication, adding further lead time).
- Identify Third-Party Vendors and Update Third-Party Vendor Contracts: Organizations may have many relationships with third-party vendors that receive and process EU personal data for a variety of purposes (such as processing payroll, handling customer payments, or managing customer relationships in the cloud). The first task is to identify all such third parties currently used by your organization, for example through conversations with, or surveys of, subject matter experts in Marketing, HR, Accounting and other departments, including global offices. This process often takes longer than anticipated. After identifying each third party and classifying it as a processor or as a controller/joint controller, the organization will need to identify the changes required to its contract with that party, since the GDPR imposes different requirements on processor contracts and on joint controller arrangements; confirm that an appropriate transfer mechanism is in place if EU personal data will be transferred to a country that the European Commission has not found to provide adequate protection; negotiate the revisions; draft the updated contracts; and develop checklists and processes for incorporating the GDPR-required provisions in new contracts.
These recommended early action items are only a few of the many that must be completed by May 25, 2018 by every organization the GDPR reaches: those established in the EU, and those outside the EU that offer goods or services to individuals in the EU or monitor their behavior. Completing them will be important not only to satisfy EU data protection authorities, but also to satisfy European customers and employees. As European Commission Vice-President Andrus Ansip and Commissioner Věra Jourová recently advised, “Within the year we will also launch an EU-wide campaign to raise awareness so that Europeans are conscious of their rights.”