The new European General Data Protection Regulation (“the Regulation”) has been formally enacted and will take effect in May 2018 (see more details in our special Client Update on this subject).

The Regulation dramatically changes the existing data protection and privacy regulatory regime in the EU, introducing significant changes and entirely new requirements such as:

  • Appointment of a formal representation in the EU;
  • Appointment of a Data Protection Officer (“DPO”) who will  oversee  and monitor compliance with the obligations, and act as a contact point for data subjects and Data Protection Authorities;
  • Conducting Data Protection Impact Assessment (“DPIA”) where data processing activities present high risks to data subjects’ rights;
  • Maintaining internal records which consist of detailed information  with regard to data processing activities;
  • Reporting of data breach events to the authorities and to the affected data subjects; and
  • Demonstrating compliance with data protection principles by implementing appropriate technical and organizational safeguards.

In addition, the territorial reach of EU data privacy law will be extended significantly once the Regulation will be in force.

WHAT IS THE RISK OF NON-COMPLIANCE WITH THE NEW  REGULATION ?

Companies should begin preparing themselves to comply with the new requirements under the Regulation, as the consequences arising from non- compliance with the Regulation are draconian and may result in fines of up to €20 million or 4% of the company’s annual global turnover.

WHEN DOES THE NEW REGULATION APPLY TO YOUR BUSINESS?

  • If your business is located in the EU or if the personal data you process is being processed or stored in the EU.
  • If you process personal data within the context of offering goods or services to EU citizens, even if your business or data is not physically located in the EU.
  • If your business activities include monitoring the behavior of EU citizens, including targeting or profiling EU citizens (such as by analyzing or inferring interests or preferences based on online behavior, for various purposes, such as advertising, analytics or marketing purposes), even if your business or data is not physically located in the EU.
  • The new Regulation applies to you even if you process personal data (in any of the above scenarios) for or on behalf of another entity.

WHAT TYPES OF BUSINESSES OR ACTIVITIES WILL BE MOST AFFECTED BY THE NEW REGULATION?

While the regulation will affect worldwide businesses in all industry sectors, some activities or sectors that are involved in data-intensive activities, or that typically handle data of sensitive nature, face a higher risk of being prioritized by EU regulators under the new regime. This includes –

  • Businesses in the digital advertising, direct marketing and e-commerce sectors;
  • Any business that employs (either independently or through a third party vendor) “big data” analytics, particularly in the IT sector;
  • Businesses in the financial and insurance sector and any business that handles financial records and personal data transactions;
  • Businesses in the health sector, and any business that handles health- related data (such as in the clinical and research sides of the health sector);
  • Businesses activities that involve handling of employees’ personal data, particularly businesses in the employment, recruitment and HR sectors;
  • Businesses activities that involve the collection of data from children under the age of 16, particularly mobile apps and websites that appeal to children;

SO… WHAT ARE THE NEXT STEPS?

Our goal is to help you understand the new Regulation and prepare yourself for the new requirements by implementing the required adjustments to your privacy and data security practices.

  • We will start with an in-depth gap analysis and review of your privacy and data security practices, after which we will map together with you an action plan for addressing all applicable issues.
  • We will work with you in accordance with the action plan in order to address all relevant issues, such as:
    • Updating all privacy practices to make sure they are aligned with the updated requirements concerning the legitimacy of your personal data collection;
    • Revising all privacy notices and agreements with data subjects;
    • Advising on the way to orchestrate and maintain internal records, which consist of detailed information regarding the Company’s processing activities;
    • Conducting a Data Protection Impact Assessment in cases where it is required under the Regulation;
    • Amending your agreements and preparing new data processing agreements with your service providers, business partners, data processors, etc., in order to reflect the required new provisions, responsibilities and practices;
    • Building a comprehensive data breach response plan;
    • Reviewing and advising on the required data security safeguards;
    • Formulating internal compliance programs  and  procedures  to  reflect the new administrative, data privacy governance, accountability and material limitations and requirements; and
    • Reviewing and advising on the way to practically implement various requirements that are specifically relevant to your business, such as with respect to profiling activities, pseudo-anonymization, sensitive data, Big Data, children’s personal data, and others.
  • Based on the previous steps, we will build with you a comprehensive data protection compliance book for your company. This compliance book will include all records, documents, procedures and policies that will allow you to ensure the monitoring and compliance of your company with the various requirements, and to “demonstrate compliance” -  in  accordance  with  the new specific regulatory requirement. We will also help you company in the ongoing training of your different teams (such as IT, marketing, legal and compliance) of the regulation and compliance risks..

We encourage you to take the appropriate steps to address the legal requirements stemming from the new Regulation.