General Data Protection Regulation: Preparing for change in four easy steps

Introduction

On 25 May 2018, Europe’s new General Data Protection Regulation (GDPR) will come into effect, bringing with it a raft of changes to Europe’s current data protection regime – including increased territorial scope, new obligations for processors, enhanced accountability requirements, and the threat of significant fines (up to 4% of annual worldwide turnover) for those that get it wrong.

Getting “GDPR ready” may seem a daunting task – but with careful planning, project management and prioritisation, it is an achievable one. Fieldfisher’s market-leading Privacy, Security and Information team is on hand to guide you through your GDPR readiness programme.

Keep calm and get GDPR compliant

How do you begin the task of getting GDPR ready? At Fieldfisher, we support our clients through this process using a simple, four-step methodology.

Step 1: Understand how the business uses data today

No business can get GDPR compliant unless it first knows what data it collects today, how and where it uses that data, with whom it shares that data, and what existing compliance framework it has in place. We work with our clients to help them gather this information by formulating and asking the questions that need asking, liaising with internal stakeholders, and collecting and reviewing existing policies, notices and contracts as necessary.

Collecting this information can be time-consuming, and tracking down answers to the questions asked is not always easy. We recognise this, and so are equally experienced in educating Boards, senior managers and engineering teams on why getting GDPR compliant is so important – helping to create buy-in from the top that ensures your GDPR readiness programme will succeed.

Step 2: Assess what needs to change for compliance with the GDPR

Once we understand how your business uses data today, we assess how the GDPR will impact your business and what measures you need to take for compliance. No two businesses are the same: the impacts of the GDPR will differ depending on whether you are a multinational pharmaceutical company, a cloud-based service provider, a financial services institution or a Silicon Valley start-up – the only thing guaranteed to be in common is the need for compliance.

We start by addressing the key strategic issues posed by GDPR compliance:

Are you a controller or a processor?
Is the data you process “ordinary” personal data or “sensitive” data (or both)?
Are you within the territorial reach of the GDPR?
Should you rely on consent or on other lawful grounds to process data?
What is your data export strategy, and how does this impact your wider compliance model?

Only once those key strategic issues have been addressed can the operational impacts of the GDPR be accurately identified and addressed – a GDPR readiness programme will look very different for a controller handling sensitive data than it would for a processor handling only pseudonymous data. We identify these operational impacts by performing a gap assessment of your compliance as it exists today (taking into account the key strategic considerations) against the requirements that will apply to your business under the GDPR, and report to you on our findings.

Step 3: Prioritise the changes you will make

In a perfect world, you would become fully compliant all at once, but real life doesn’t work that way. Compliance is a process, and necessarily entails prioritisation – identifying those compliance actions that will present the highest risk to the business if not taken, and prioritising those risks over less important, technical compliance actions.

We work with our clients to help them identify the GDPR issues that present the greatest risks to their business, taking into account both technical risk and actual likelihood of occurrence, and draw up a prioritised “plan of action” that takes account of practical implementation considerations – for example, what is actually achievable given the resource availability, existing infrastructure and risk tolerance of the business.

Step 4: Implement your GDPR readiness changes

Once you know what actions need to be taken, and the order in which they need to be addressed, the real work begins: implementation. Implementation measures may range from drafting notices, policies and contracts, to developing training and audit programmes, to supporting internal data mapping exercises, to implementing new data export mechanisms – the list goes on.

Tackling all this on your own might seem overwhelming, but we have extensive experience supporting clients through all aspects of compliance implementation and are on hand to help you too. Our job is to make yours easier!

How else can we help?

In addition to the GDPR readiness service we provide, we also offer a wide range of related value-add services to help you understand the new regulation:

Privacy, Security and Information blog: Our Privacy, Security and Information blog contains a wealth of material on the GDPR and wider data protection developments.

Our ‘Getting to Know the GDPR’ articles: The Fieldfisher Privacy, Security and Information team has published a series of ten articles discussing the key changes made by the GDPR and the practical implications of these changes.

Training videos: We have an online training video, “Getting to Know the GDPR in under 60 minutes”, available on YouTube. Essential viewing!

Precedents: We have prepared a wide range of precedents to help our clients get GDPR ready, ranging from fair information processing checklists, to template data processor terms, to record keeping requirements checklists and more!

About Fieldfisher’s Privacy, Security and Information team

Fieldfisher’s Privacy, Security and Information team is a team of dedicated EU data protection specialists working across our offices in the UK, Silicon Valley, Belgium, France and Germany, and with wider ‘best of breed’ local privacy counsel relationships across more than 80 territories worldwide. We counsel our clients on all aspects of EU data protection law, including information governance, e-privacy, data security, regulatory outreach, and commercial transactions.

We have worked with some of the biggest brands in the world and so have a unique perspective on how data protection issues are dealt with by different organisations. Our clients recognise us as thought leaders in this area, and trust us to advise them on the most complex of problems. We provide excellent value for money, advising not only on legal matters but on ways to get the most value out of your data.

For more information, please contact any of the Fieldfisher Privacy, Security and Information partners:

Hazel Grant, Partner – t: +44 (0)20 7861 4217, e: [email protected]
Phil Lee, Partner – t: +1 650 513 2769, e: [email protected]
Antonis Patrikios, Partner – t: +44 (0)20 7861 4353, e: [email protected]
Nick Holland, Partner – t: +44 (0)20 7861 4977, e: [email protected]
Felix Wittern, Partner – t: +49 (0)40 87 88 69 8 114, e: [email protected]
Mark Webber, Partner – t: +1 (650) 513 2684, e: [email protected]