Getting ready for the GDPR: what you need to know and how to prepare
Pillsbury Law experts provide breakdown on how law will affect your business
From high-profile cyber attacks, the UK's 'Snoopers' Charter' and the recent legal and political wrangling over the abolition of the EU-US Safe Harbor data sharing treaty, privacy issues continue to hit the headlines on a regular basis.
This is set to continue with the most significant overhaul of EU data protection regulations in recent years - the new EU General Data Protection Regulation - due to become law in May 2018.
However, despite this being just over a year away, and the fact that the GDPR will rip up the existing legal framework, many companies have not yet looked at what they need to do to ensure compliance with the new laws.
Businesses beware: sticking your head in the sand, or hoping that Brexit will exempt the need to comply with EU regulation is a dangerous move. Not only do these new laws have extra-territorial reach and will catch companies who didn't need to concern themselves with such laws historically, they also have the potential to levy huge fines for non-compliance. So what exactly do companies need to be aware of?
Who has to comply?
All organisations operating in the EU will be caught by the new rules. Importantly, organisations outside the EU, like U.S.-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if for free), will also have to comply.
The GDPR also applies to "controllers" and "processors". What this means, in summary, is that those currently subject to EU data protection laws will almost certainly be subject to the GDPR and processors (traditionally not subject) will also have significantly more legal liability under the GDPR than was the case under the prior Directive.
What does the law say?
The new laws will replace the current EU Data Protection Directive 95/46/EC. As a Regulation, and unlike the old law, it will be directly applicable in all EU member states.
Businesses should be aware of the following key points:
- Accountability - crucially, those caught will be required to show compliance e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work.
- Data protection officers (DPOs) - in many circumstances, those caught by the GDPR will also need to appoint DPOs and so thought will need to be given as to whether this applies and, if so, who that person or persons might be.
- Consent - new rules are also introduced relating to the collection of data, e.g., consent must be "explicit" for certain categories. Existing consents may no longer therefore be valid and consents obtained should be purged going forward.
- Enhanced rights for individuals - new rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
- Privacy policies - fair processing notices now need to be more detailed, e.g., new information needs to be given about these new enhanced rights for individuals. Policies will need updating therefore.
- International transfers - Binding Corporate Rules for controllers and processors as a means of legitimising transfers are expressly recognised for the first time and so should be considered as a transfer mechanism.
- Breach notification - new rules requiring breach reporting within 72 hours (subject to conditions) are introduced and so processes in place (or not) will need to be revisited to accommodate these rules.
What should businesses be doing?
With the UK set to leave the European Union, there is much ongoing discussion about what the post-Brexit regulatory regime may look like. It is generally accepted, however, that after the UK leaves the EU, UK laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new UK law which effectively mirrors the GDPR). In other words, even if you are purely a UK company, or you are outside the UK and targeting UK consumers only, you should not ignore these changes on the basis Brexit is some sort of get out of jail free card.
Companies need to ensure that they have robust policies, procedures and processes in place to ensure compliance. With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum:
- Review privacy notices and policies - ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan - to ensure new rules can be met if needed.
- Audit your consents - are you lawfully processing data? Will you be permitted to continue processing data under the GDPR?
- Set up an accountability framework - e.g., monitor processes, procedures, train staff.
- Appoint a DPO where required.
- Consider if you have new obligations as a processor - is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers - do you have a lawful basis to transfer data?
For those businesses who have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible. Not only will compliance be crucial for retaining customer trust it will also avoid being made an example of in a way that will not only hurt your reputation, but also your bottom line.
Written by Rafi Azim-Khan, Head Data Privacy, Europe, Pillsbury Law ([email protected]) and Steven Farmer, Counsel, Pillsbury Law ([email protected])