On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect. Many of the steps your organization should take to come into compliance with GDPR requirements are also fundamental to building a more mature information governance (IG) program. In this client alert, we highlight the critical actions that need to be taken now to comply with the May 25 deadline, and how each action fits into a robust IG program aimed at strategically managing the data in your organization’s possession and control.
What is the GDPR?
On April 14, 2016, the European Parliament approved the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which replaces the 1995 EU Data Protection Directive (Directive 95/46/EC). The GDPR will become effective on May 25, 2018, and imposes significant penalties for noncompliance. Violations can result in administrative fines of up to €20 million or 4 percent of an entity’s total worldwide annual turnover, whichever is higher.
The GDPR applies to entities established in the EU that process personal data, and to entities outside the EU that offer goods or services to individuals in the EU or monitor their behavior there. It imposes restrictions and obligations on companies’ interactions with the individuals whose data they collect (“data subjects”). Data subjects include individual consumers as well as individuals acting in their business capacity, such as employees and business contacts. The GDPR will therefore have significant bearing for all companies doing business in the EU, or offering products or services to individuals or companies in the EU.
The GDPR requires that all collection and processing of personal data be pursuant to an applicable legal basis, such as processing that is necessary for the performance of a contract or to comply with a legal obligation, or processing based on the clear and affirmative consent of the data subject. Before any collection of personal data from data subjects, whether they are individual consumers or individuals in their business capacity, the data subject must receive a detailed notice about the collection and use of their data. Stricter requirements apply to the processing of “special categories” of personal data, including, for example, racial or ethnic origin, and genetic, biometric or health data. Personal data may only be collected for specific purposes and may not be further processed in a manner that is incompatible with the purposes for which it was collected.
Processing includes any activities performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The GDPR distinguishes between controllers of data – those entities that determine the purposes and means of processing personal data – and processors of data – those entities that process personal data on behalf of a controller. Each role carries different responsibilities with respect to the data subjects whose personal data is processed.
Under the GDPR, data subjects have specific rights pertaining to data about them, including the right to receive a data privacy notice when data is collected; the right to request and obtain copies of such data; the right to obtain correction of inaccurate data; in certain cases, the right to object to the processing of data; the right to request erasure of data; and the right to receive their data in a portable format or have it transmitted to another controller (data portability).
The GDPR imposes accountability obligations on those who collect and process personal data, restricts the transfer of personal data outside the EU, and requires that personal data breaches be reported to the supervisory authority within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Companies must also maintain internal records of processing activities, including information concerning processing purposes, data sharing, and retention periods. The documentation of all processing activities is linked to the GDPR principle of accountability and will help entities demonstrate compliance with the GDPR.
How can GDPR preparations advance information governance?
Information governance and the GDPR are mutually reinforcing. At the heart of both is the need to understand what information an organization has, how it is used, how it needs to be managed, how it needs to be protected, and its importance to the organization’s operations. For those organizations looking for a catalyst to advance information governance, the GDPR is the perfect stimulus. For those organizations with mature information governance programs, preparing for the GDPR will be more streamlined.
The GDPR requires coordination amongst a myriad of stakeholders within the organization to make sure that information is being collected, used, protected and discarded appropriately. Stakeholders from privacy, security, records management and business lines should all be involved in GDPR compliance efforts. Incidentally, this kind of coordinated approach to information governance mirrors how we counsel people to manage their data regardless of regulation. Organizations should collectively develop strategies for managing company information to ensure that the solutions employed work for all facets of the organization.
What are the key action items for organizations to consider in moving toward GDPR compliance and a more mature IG program?
(1) Understand where data is located.
Fundamentally, the GDPR requires that entities know what data they have, where it came from, and where it resides. Good data governance will allow an organization to meet its GDPR obligations, including fulfilling data subject requests.
The obligations of controllers and processors differ with respect to fulfilling data subject requests, but any organization controlling or processing personal data of EU data subjects will benefit from an increased ability to find data where it lives and act on it accordingly. Likewise, understanding data flows and information repositories is a key factor in ensuring compliance with international data transfer requirements. All of these concepts are also key to advancing information governance at an organization. By knowing where company records reside and how information flows through an organization’s systems, companies can properly manage that data from privacy, security, and records management perspectives.
(2) Ensure that retention and disposition policies are up to date and that business lines are adhering to retention periods defined in the company’s records retention schedule.
Organizations subject to the GDPR should revisit their retention and disposition policies to ensure that they address the concept of data minimization and emphasize the importance of deleting information in accordance with company policies and procedures. The GDPR generally requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” While this principle (known as storage limitation) does not provide specific timeframes, it does imply that organizations should assess the purpose of collecting personal data and dispose of the data once that purpose has been fulfilled.
Regarding an organization’s records retention schedule, organizations can take the following steps to align retention practices with the GDPR requirement to minimize the retention of personal data:
- Gather internal policies and procedures that include retention and disposition directives.
- Consult industry associations and resources to identify common retention and disposition practices.
- Interview stakeholders and document business needs to retain personal data.
- Research relevant laws and regulations to ensure the company understands its obligations to retain and dispose of information in accordance with mandated retention minimums and maximums.
- Revise policies and procedures as needed to align with identified business needs and regulatory requirements, with the understanding that personal data should not be retained longer than is necessary to fulfill the purposes for which it was collected.
In addition to updating policies and procedures, organizations (and any vendors who process data on behalf of the organization) will need to demonstrate that they are complying with their records retention schedules and deleting data in accordance with their policies. In the past, retention periods for company records may have been viewed by business lines as representing only retention minimums, when in fact they were always meant to embody retention minimums and maximums. Bringing practices in line with policies and procedures will help demonstrate compliance with the GDPR. In this way, the GDPR can also be a catalyst for improving information governance at an organization.
(3) Implement policies and procedures that limit access to personal data of employees.
Any organization with personal data of EU employees must adequately protect such data by establishing policies and procedures that limit access to the data, and by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Organizations should specify in their policies the acceptable repositories for storing personal data of employees, and ensure that those repositories limit access to only those persons within the company who need to reference the information (e.g., human resources, upper-level management, direct supervisors). Different types of EU personal data may need different types of protection or access restrictions, depending on the sensitivity level of the information and the needs of certain personnel within the organization to reference the information. As much as possible, organizations should block administrators (e.g., IT personnel) and others who normally have broad access to information systems from accessing repositories with personal data of employees. Where administrators cannot be excluded entirely because they must operate the system, their access should be limited to what system operation requires, granted only when needed, and logged so that it can be reviewed.
Even if an organization does not have EU personnel, it is advisable to wall off systems that hold personal data of employees because of the sensitive nature of the information and the potential for other protections to apply (e.g., data privacy and security safeguards for U.S. persons’ medical records required by the Health Insurance Portability and Accountability Act (HIPAA)). Safeguarding information through access controls is one way to mitigate the risk posed to the individual when the company needs to retain such data to fulfill other business or legal needs. From an information governance standpoint, an organization should consult all stakeholders involved in referencing and managing personal data to develop systems and solutions for storing, accessing and disposing of personal data of employees.
(4) Review existing capabilities for searching and retrieving data.
The GDPR grants EU data subjects several rights with respect to their data that make it necessary for an organization to understand its capabilities to locate, edit, export or delete individuals’ information from its systems. Organizations should assess their ability to search for and retrieve data from information systems, and identify areas where they may need to amend policies or procedures for storing data to support better search-and-retrieve capabilities. Organizations should also consider the information systems within which data is stored and determine whether those systems support the company’s needs for managing its information. Systems that cannot support search-and-retrieve capabilities may need to be updated or decommissioned if they are likely to hold large amounts of EU personal data.
The GDPR breathes new life into information governance, as it compels organizations to have a better understanding of how to locate data within their information systems and act on that data in specific ways (e.g., edit, export, delete). Effecting company policies and procedures as they relate to privacy, security and records management takes on a heightened level of importance when the data is subject to GDPR requirements, because the expectations on the data do not originate from the company alone but from external sources that have the ability to demand compliance. In this way, organizations can use the GDPR as a justification to enhance their information governance programs from abstract and policy-based to programs in which companies act on their data in accordance with company policies and procedures.
(5) Establish protocols for evaluating and acting on requests for rectifying, restricting, accessing, exporting and deleting personal data.
As stated, the GDPR grants EU data subjects the right to request rectification of their data, restrict the processing of their data, access copies of their data, or export data to other controllers. Organizations will need to establish protocols for fulfilling each type of request and communicate these protocols throughout the organization so that employees understand the company’s obligations that relate to EU personal data.
Understanding where personal data is stored within company systems will be the first step in fulfilling data subject requests. As much as possible, organizations should endeavor to tag or otherwise designate data in ways that support streamlined search and retrieval of individuals’ data. A company may decide that a request for restriction or rectification is not workable, in which case it may decide to delete the individual’s data from its systems. Authenticating requests to ensure that the data subject request is coming from the same individual whose personal data is at issue will be important to ensure proper data governance, privacy and security: disclosing copies of data to the wrong person is itself a breach, and an unverified erasure request can be used to destroy records. Where a controller has reasonable doubts about the identity of the requester, the GDPR permits it to request additional information to confirm identity before acting.
Only through robust data governance will an organization be in a position to satisfy data subject requests. The data governance necessary to comply with the GDPR (e.g., tagging or encoding) will likely prove helpful in advancing an information governance program’s ability to move toward automation of its policies and procedures. In this way, the GDPR could be a huge boon for an organization’s information governance maturity.
Barring an exception, Article 17 of the GDPR guarantees EU data subjects the right to have controllers erase their personal data without undue delay, otherwise known as “the right to be forgotten.” Where the controller has made the personal data public, the controller must take reasonable steps, including technical measures, to inform other controllers that are processing the personal data that the data subject has requested erasure. Organizations must be prepared with protocols to receive and adjudicate erasure requests from data subjects. Data subjects requesting erasure could include employees, former employees or customers.
It is important for organizations to establish protocols for assessing erasure requests because there are a number of circumstances where an organization is not required to delete data pursuant to a request. Organizations do not need to delete data to the extent processing the data is necessary for:
- Exercising the right of freedom of expression and information.
- Compliance with a legal obligation that requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Reasons of public interest in the area of public health.
- Archiving purposes in the public interest, scientific, or historic research purposes or statistical purposes in so far as erasure would render impossible or seriously impair the achievement of the objectives of the permissible processing contemplated by the regulation.
- The establishment, exercise or defense of legal claims.
The myriad of exceptions to the right to be forgotten means that organizations will need to have protocols in place for evaluating erasure requests from EU data subjects to ensure that data must in fact be deleted pursuant to a request. Protocols to assess requests related to company information are often used by information governance programs to support proper management and ensure compliance with policies and procedures. Using protocols to achieve GDPR compliance will also strengthen an organization’s information governance program.
(6) Implement data breach protocols.
In the event of a data security breach where EU personal data is accidentally or unlawfully lost, destroyed, altered, accessed or disclosed, the GDPR requires organizations to notify supervisory authorities and, in some cases, the affected data subjects. The supervisory authority must be notified, where feasible, within 72 hours of the organization becoming aware of the breach unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”; if notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Affected data subjects must be notified without undue delay where the breach is likely to result in a high risk to them. Processors must notify the controller without undue delay after becoming aware of a breach, so contracts with vendors should require prompt notice in order to preserve the controller’s 72-hour window. Organizations should put data breach protocols in place that identify who will lead the response, who will assist from various business functions that could be implicated by the breach, who will assist from outside the organization, and who will report to supervisory authorities and data subjects. Organizations should test their data breach protocols, for example through tabletop exercises, to ensure they are ready to meet the tight timelines imposed by the GDPR.
Information governance is about bringing together all facets of an organization to put good data governance policies and procedures in place. In the event of a data breach, organizations will want to have designated individuals ready to coordinate to respond appropriately to protect the company and the individuals whose data was involved. Because of the reputational risks and the potential harm to employees or customers, every organization should have data breach protocols in place. Once again, organizations that are subject to the GDPR can use the data breach requirements to advance this aspect of information governance within the company.
Article 37 of the GDPR requires the appointment of a data protection officer (DPO) by certain organizations. Among other duties, the designated DPO is to monitor the organization’s compliance with the GDPR, including compliance with company policies that relate to the protection of personal data. This will require processes for measuring compliance, which could include internal audits, external audits, self-assessments or programmatic assessments.
Article 35 also mandates that a Data Protection Impact Assessment (DPIA) be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Additionally, under Article 30 of the GDPR, controllers must maintain extensive records of processing activities under their responsibility, and processors have a similar set of obligations with respect to the processing they carry out on behalf of controllers.
Assessing compliance is an important aspect of information governance, as it takes data governance out of the theoretical space of policies and procedures and examines whether personnel are taking actions in relation to the data in accordance with those policies and procedures. Through appointment of DPOs and the creation of DPIAs, where required, the GDPR has the power to move an organization’s information governance program out of the abstract and into concrete practice by motivating organizations to comply with their own data governance policies. In doing this, the GDPR will advance information governance for the organization, which will allow information governance to play a major role in achieving GDPR compliance.
How does implementing an effective IG program assist with ongoing GDPR compliance?
Effective information governance programs can provide ongoing support to GDPR efforts using various strategies. An IG program could serve a strategic or advisory role where practitioners of GDPR compliance consult the IG program to better develop policies, procedures and protocols. An IG program could establish a body with responsibility for GDPR compliance that brings together stakeholders from across the organization. An organization’s IG program may also take the lead on the tactical preparations for the GDPR through the establishment of working groups or task forces focused on various aspects of GDPR compliance. The model that will work best for an organization will depend on the state of maturity of the company’s IG program and the extent of the organization’s obligations under the GDPR.
Organizations should assess how an existing IG program can best assist with GDPR compliance and consult stakeholders in defining what role the IG program will have in carrying out responsibility for the GDPR.
What are the sanctions for GDPR noncompliance?
Penalties for noncompliance with the GDPR can be severe. Violations of a controller or processor’s obligations with respect to recordkeeping, security, breach notification, DPIAs and/or the DPO may be subject to a maximum administrative fine of €10 million or 2 percent of the entity’s total worldwide annual turnover for the preceding financial year, whichever is higher. Violations of a controller or processor’s obligations with respect to having a legal basis for processing, complying with the rights of data subjects, and cross-border data transfers may be subject to a maximum fine of €20 million or 4 percent of the entity’s total worldwide annual turnover for the preceding financial year, whichever is higher.