Today, many U.S. companies that collect personal data typically look for ways to monetize their relationship with a customer or upsell additional products. There should be someone at the table with the knowledge and authority to ensure that privacy principles consistent with GDPR, a new EU data privacy mandate, are in place. The effective date for GDPR compliance is May 25, 2018.
A new European Union (EU) General Data Protection Regulation (GDPR), aimed at protecting the data and privacy of its data subjects, has in-house legal teams and the entire C-suite scrambling to meet compliance. Any company that does business in the EU is subject to the mandate, which takes effect on May 25, 2018. The rules are sweeping, and the consequences of non-compliance are severe, with administrative fines reaching 20 million euros or up to 4 percent of a company’s previous year’s annual revenue. Yes, this is real.
While many U.S. companies are not fully prepared to meet this compliance deadline, it’s not too late. The best way forward is to draw up a roadmap. And if you’re just coming up to speed on GDPR, you should consider your next steps very carefully.
GDPR compliance should be led by a champion — the president or a corporate data privacy or compliance officer, or the chief information officer. Ultimately, you may need to appoint a data protection officer, if you don’t already have one in your organization and you fit within certain specified criteria. Establishing a steering committee is another matter of urgency, as this will ensure buy-in from business owners, from the C-suite up to the board of directors.
The new regulatory mandate regarding personal data applies to companies established in the EU, or companies offering goods or services to “data subjects” in the EU. There is no citizenship requirement for data subjects (employees or customers); it applies to anyone who is situated in an EU country when the data is collected, and a potentially broader scope for companies established in the EU.
GDPR is organized in a way that allows companies to divide compliance into practical work streams. A best practice would be to assign each of those buckets to an individual responsible for compliance, working with both IT and key stakeholders or business owners.
Crucial principles that may be novel to U.S. companies fall under the heading “Data Protection by Design and by Default” in Article 25. Today, companies that collect personal data typically look for ways to leverage personal data to monetize their relationship with a customer or upsell additional products. There needs to be someone at the table with the knowledge and authority to insist that those discussions incorporate privacy principles consistent with GDPR.
The U.S. has an “opt-out” business culture — companies assume customers agree to personal data collection, and they must deliberately opt out to be exempted from that practice. In the EU, however, companies typically will not collect personal data without asking customers first. GDPR writes this into the law and is consistent with previous privacy regimes and a general “pro privacy” culture.
Steps to take right now
A critical, early priority is conducting a personal data inventory — the exercise of determining what personal data your company has, where it is and who touches it. It’s a discovery exercise, which could take two days or more than three weeks, depending on the scale and complexity of the data.
GDPR offers recommendations for compliance. For example, the mandate suggests encryption, pseudonymization or anonymization data protection strategies under Article 32, “Security of Processing,” but does not prescribe specific tools or approaches. With respect to notice, the statute is fairly specific. If you collect an individual’s personal data, you have to tell that individual what you’re collecting, why you collect it and how long you will retain it, and you must promise that you will retain it only as long as necessary for that stated purpose.
Companies just getting started should focus first on applications with the most privacy-sensitive personal data (especially health-related data) and prioritize their 10 to 20 most sensitive applications. In the meantime, work with key constituencies, including general counsel, privacy officer, the compliance team and the chief information security officer, to set up a game plan to handle the rest of your applications in order of sensitivity, with milestones, roles and responsibilities, achievable in a reasonable period of time.
Still more challenging will be compliance with the individual’s “right to be forgotten” — to insist that data be deleted from company databases on request. The right to be forgotten is specified, but it is not absolute. It can be overridden by competing concerns, such as the existence of a compliance obligation.
Additional challenges arise immediately in the event of a data security breach, which, once known, is like waving a red cape in front of a bull. Regulators will notice, and may see it as an occasion to audit that company’s GDPR compliance.
Resources at your disposal
GDPR has been an ongoing concern of Robert Half Legal clients for at least the last 18 months. Training customer-facing employees and making any design changes to a company’s e-commerce site that might be required will take time. Our experts are on hand to help you reach your compliance goals. With the May 25 deadline for GDPR rapidly approaching, it’s imperative to start today.
For more information about our GDPR services, contact Joel Wuesthoff, a managing director of Robert Half Legal’s consulting solutions practice at (212) 399-8614 or [email protected].
About the author: Joel Wuesthoff, Esq., CISSP, is a managing director for Robert Half Legal’s consulting solutions practice. With more than 15 years of legal practice and consulting experience, he has led international forensic engagements and advised general counsel and litigators on strategic and legal preservation efforts in high-stakes litigations. Based in New York City, Mr. Wuesthoff is an adjunct faculty member at the University of Maine School of Law. A former practicing attorney, he earned a J.D. from Vermont Law School and a B.A. from McGill University in Montreal.