No matter where you are in the world, the EU’s General Data Protection Regulation (GDPR) applies to you if you are collecting or processing personal information (PI) of any EU individual. Of special significance are transfers of such information from the EU to the US or elsewhere. The law goes into effect in May 2018, and the following is an outline of some initial steps. Compliance must be viewed as a business necessity in that penalties may be as much as 4% of annual revenue (turnover). Senior management and directors may face personal liability for non-compliance under certain circumstances.
Get familiar with GDPR vocabulary. Processing means “any operation” involving PI, including collecting, storing, transmitting, disseminating, recording, organizing, and altering. The “controller” determines the purposes and means of PI processing. The “processor” processes the PI on behalf of the controller.
Designate responsible persons. The GDPR requires “appropriate technical and organizational measures” to ensure compliance. This means documented (for example in meeting agendas and minutes), ongoing oversight and deliberation by an organization’s board of directors or other supervisory body. Deference to technical staff will not suffice. A data protection officer (DPO) may be required depending on the scope and nature of data collection (e.g., large scale or involving sensitive data). Board of directors’ oversight is essential considering, among other things, the onerous penalties for non-compliance. While there remains some ambiguity regarding formal requirements, many companies may mitigate their exposure by designating a representative physically situated in the EU to receive pertinent notices.
Map your data. Chart your data flows, both incoming and outgoing. For each data category, ask and record: Why and how is it collected? Is collection/retention in identifiable form necessary, and if so, for how long? Who is accountable? Where is it stored – i.e. server location? Could it be more prudent to store on servers located in the EU in order to avoid any transfer? Who has access to it? With/to whom is it shared/disclosed? Consider affiliates, suppliers, vendors and IT providers. For each incoming and outgoing flow, a permissible mechanism must be in place such as affirmative data subject consent, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), a qualifying derogation, or adherence to an approved certification (Privacy Shield).
Update your contracts. Controllers must ensure that data subjects provide affirmative, knowing and “unbundled” consent that can be withdrawn. Contracts with suppliers may need updating to reflect an approved transfer method (e.g., Privacy Shield, SCCs, BCRs). If you are a processor, be prepared to negotiate and update your controller-facing contracts (and your data practices as needed) to address the GDPR’s requirements (such as with SCCs) and/or consider certifying to the Privacy Shield.
Update your incident response plan. Like US breach-notification laws, the GDPR contains requirements to report data breaches to authorities and data subjects in certain circumstances, usually within 72 hours. Your incident response plan will need to incorporate the required notifications and time frames.
The foregoing is not a complete path to compliance, but taking these steps will at the least demonstrate good faith efforts to comply with the GDPR. There remain some grey areas with the GDPR (such as EU member state implementing legislation, GDPR-specific SCCs, etc.), so compliance will be an ongoing exercise for a period of time.