“Are we prepared for the GDPR?” Not nearly as many companies as should be are asking themselves this question. As such, we have prepared this short post for those that are barely or not at all prepared for General Data Protection Regulation (GDPR) compliance – as 25 May 2018, the day GDPR will enter into force, is just around the corner. This article is not meant to be complete, however, and the action steps outlined below are not necessarily sufficient for GDPR compliance, but they may provide some direction and ideas for a last-minute quick fix to “look good” on 25 May 2018.
For those companies yet unprepared, it is time to at least check: (i) whether privacy policies depicted on the company’s website fulfill GDPR requirements; (ii) if a Data Protection Officer (DPO) needs to be appointed; (iii) if there is a record of processing activities, and if there is not one, to start working on it; (iv) if data processing agreements are in place and if they require a GDPR compliant do-over; and (v) if processing is based on consent, whether such consent needs to be updated. As the GDPR is only weeks away, companies that have thus far made no arrangements can concentrate on these points, as these fulfillments are directly visible to customers and supervisory authorities.
Companies should assess their privacy policies. Quite frequently, privacy policies are incomplete and incomprehensible, or are mingled with General Terms and Conditions. Under the GDPR, privacy policies must clearly and concisely describe the categories of data processed and inform data subjects of their rights to information, access, rectification, erasure, restriction of processing and data portability, as well as the data subject’s right to object to the processing.
Record of Processing Activities
As of May 2018, all companies subject to the GDPR will be required to maintain a record of processing activities. Drafting a record of processing activities is certainly a long-term task, as this will have to be maintained and updated as long as personal data is being processed. For now, it is time to start working on the record by gathering the required information and filling in these records. This should be done, even if all the information has not yet been gathered.
Data Protection Officers
Companies should assess whether they are required to designate a DPO. Bear in mind that nowadays, almost all employees work with computers and may process personal data. Companies doing business in Germany will have to appoint a DPO if they are employing more than 10 persons.
Data Processing Agreements
Companies should check whether their data processing agreements are GDPR compliant. If there are not any data processing agreements in place, then it is time to enter into such agreements prior to 25 May 2018.
According to German supervisory authorities, consent based on old law may, in principle, be considered valid, if it is in line with the new (above-mentioned) GDPR requirements. Companies should be very careful here, however – the safest thing to do is to obtain a new consent designed according to the GDPR.