Patty P. Tehrani, Esq.
Founder, Policy Patty Toolkit and author of compliance/legal tools
Most compliance officers I know are consumed right now with the European Union’s General Data Protection Regulation (GDPR or the Regulation). Though advised two years ago that the GDPR was on its way, the reality of its upcoming deadline (May 25, 2018) didn’t hit most until this year. Besides concerns about their state of readiness, compliance officers are mindful of the reputational harm and significant fines for non-compliance. Many are now diligently working to avoid the possibility of unfavorable headlines and enforcement actions down the line.
While the GDPR represents significant changes to the processing of personal data, don’t panic. Below is a checklist of the Regulation to help start your efforts or do a pulse-check. Separately, you may want to join me for an upcoming webinar hosted by the SCCE where I will provide further guidance on GDPR planning (details are noted below).
Scope and Application
Let’s start with the GDPR’s territorial scope. The Regulation applies to organizations that process personal data and are:
- established within the EU and process data about EU individuals inside or outside the EU;
- offering goods or services to individuals who are in the EU; or
- monitoring the behavior of individuals who are in the EU.
Don’t assume that you don’t have to worry just because your organization or its processing is outside of the EU, especially if you have an online presence. For example, if you have websites or social networking services available to individuals in the EU, you’re probably subject to the GDPR unless one of the limited exceptions applies.
Bottom line: organizations anywhere in the world that collect, store, or process information on individuals in the EU need to pay attention to this regulation. You should carefully assess its application and avoid being too conservative in your interpretation.
Why does it matter?
Fines, enforcement, and reputational harm are just some of the possible repercussions for non-compliance. Consider that the Regulation provides various remedies, including:
- administrative fines of up to 4% of annual worldwide turnover or £20m, whichever is the greater;
- warnings and reprimands issued by supervisory authorities;
- orders to compel action such as producing information or suspending processing activities;
- audits and inspections by supervisory authorities; and
- private rights of action for affected individuals such as lodging complaints or judicial remedies.
GDPR At-a-Glance Checklist
To start your planning or check your GDPR compliance, consider these general guidelines:
- Establish a working group to lead your GDPR compliance and engage all key functions to make sure you have broad representation.
- Develop a project plan to document your efforts, including records of any decision not to implement a given GDPR requirement.
- Review the GDPR (99 articles) to know what is required and incorporate the applicable measures into your project plan (also check for any applicable exceptions).
- Raise awareness on the GDPR through notices and training to staff, management, and others and do so periodically to maintain awareness.
- Determine roles and responsibilities under GDPR including the appointment of a Data Protection Officer (DPO) to spearhead your GDPR efforts and serve as the point person for questions and issues.
- Review and document your data flows to know at the very minimum what is happening with the personal data your organization processes, where it is, and who has access to this information.
- Conduct and document an impact assessment for any high-risk processing of personal data.
- Enhance your information governance framework by factoring compliant security and privacy controls into your new operations (especially technical ones).
- Assess your data processing controls against the GDPR’s data subject rights (for example, the rights to be forgotten, to rectification, to object, to access, and to portability) and update them as needed.
- Review your processes for obtaining consent and update them (including seeking new consents where needed) to comply with the GDPR.
- Assess your data breach protocols to make sure the timing and notice measures align with GDPR mandates (for example, the required notice to a Supervisory Authority within 72 hours of the discovery of a data breach).
- Update your third-party governance by checking your screening / due diligence reviews and strengthening contractual terms to ensure that those you engage to carry out processing activities on your behalf comply with the Regulation.
The GDPR goes into effect on May 25, and lack of compliance can be costly. And while there is plenty of work to prepare your organization, consider the potential benefits, such as improved data processing practices.
Join me for my upcoming webinar on April 3rd hosted by the Society of Corporate Compliance & Ethics where I will cover this new regulation and measures you can take in response. For more information on the webinar and how you can register: