With the EU’s General Data Protection Regulation (GDPR) coming our way in May of this year, U.S. companies are facing an ever-shortening timeline to prepare for all the ways in which it will affect their business operations.
For the uninitiated, GDPR is a new set of rules and regulations designed to protect private citizen data in the digital age. In particular, the new rules amend data management practices initially set in the mid-90s and will standardize across the EU (and eventually other regions) how governments and businesses in virtually every sector or industry treat, manage, and secure data such as names, addresses, emails and credit card numbers.
While the U.S. does not yet have a similar overarching regulation in place, globalization has rendered information technology virtually borderless and brought to light growing concerns about data protection worldwide: what it means, who it impacts, and how to address it.
In other words, there’s no escaping the need for companies to have a plan, not only for EU-mandated compliance, but also for when similar legislation comes into play in other parts of the world.
Who’s on notice?
If your company does business in the EU, be it physically or digitally, data privacy and data transfer will continue to require both scrutiny and action as they always have. Any business endeavor within the EU that collects any kind of data will need to comply with GDPR standards, along with any additional local regulations and, where applicable, U.S. industry-specific data regulations such as HIPAA for healthcare and GLBA for the financial sector.
But even if you don’t do business in Europe per se, simply having a web presence requires you to pay attention. For example, U.S.-based companies in hospitality, travel, software services, and even e-commerce will certainly have to take a closer look at their online marketing practices, particularly if the company has identified a market in an EU country and has localized Web content or operations for that market.
While much of the work to meet GDPR seems as though it should solely fall in the laps of IT administrators buried in the bowels of data centers (or even sales and marketing teams seeking to collect customer data upfront), your security and legal teams will also play a huge role in preparing and protecting your organization.
Already responsible for protecting assets and practices, managing risk, and meeting compliance, your legal team will have to figure out ways of incorporating GDPR standards language and practices into contracts, terms, and negotiations: in new documents and, very likely, retroactively into existing ones as well.
So how can you lay the groundwork in the months ahead to ensure you’re ready for GDPR?
Automating legal processes for greater security and control
One way to prepare your legal team for the uphill battle ahead is to automate workflows and processes around contract lifecycle management (CLM), which touches on key factors such as contract creation, storage, version control, user permissions, and data access.
Automating your CLM allows for greater security and control in a number of ways, beginning with the contracts themselves. Any contract requested can be populated with pre-approved terms and conditions to comply with GDPR standards, helping to ensure that all new contracts are developed with the most up-to-date and accurate clauses specifying how, when, and where sensitive data is addressed.
At the same time, this approach will save your team time and headaches when it comes to amending or reissuing existing contracts because they’ll be able to easily slide those same clauses into documents in force without having to completely rewrite them from scratch.
CLM automation solutions also feature customizable role and permission levels, enabling legal teams to assert greater control over data access and governance and to formalize it within corporate canon. Specifically, role-based access control (RBAC) defines who can access which documents and data and under what circumstances, and those rules can easily be adapted to meet evolving regulatory standards. In addition, all actions and changes to documents can be tracked to produce a digital paper trail, supporting version control and allowing for in-depth audits of all user activity.
And, perhaps most importantly, CLM systems boast virtually unlimited document storage capabilities, providing a central repository for current and expired contracts that creates a digital audit trail for compliance verification. As with other regulations, GDPR has its nuances, such as the “assumed consent” to use data that is implied from existing legal agreements. Such nuances make it a necessity for legal teams and authorized personnel to have on-demand access to update, edit, or otherwise amend legal documents, including retroactively, so that they consistently remain compliant with GDPR and other standards.
How to make a smoother transition
Navigating GDPR will certainly take time and effort, and it will not be without its pitfalls. But your legal team can help avoid some of them by doing the following:
- Get involved right away. No organization can fully meet GDPR compliance without experienced legal counsel at the helm.
- Look at your company as a whole. Which teams and business processes will be most affected by the changes? What does each of them need to do individually to meet compliance? What risks exist now, or may present themselves later, that legal will need to mitigate?
- Map out how data is used. Sit down with IT, Marketing, and your Security or Privacy teams to get a picture of how data is collected, shared, and used in your organization, where it lives, and who is responsible for it.
- Work with the experts. Whether your organization has multiple, disparate systems and applications, or special business contingencies, the probability is high that you’ll need to bring in outside help or experts to uncover data protection and privacy gaps and make recommendations.
Safeguarding the future
With the EU breaking new ground on long-overdue data protections, it’s likely the U.S. will follow suit at some point by modernizing and widening our existing regulations, calling for corporate legal and other teams to adapt quickly and comprehensively to avoid serious fines and litigation.
But modernization always begins locally, so automating your company’s business and legal processes first and foremost will give you a secure technical foundation from which to pivot and adjust as needed, helping you keep up with fast-moving targets in new domestic data standards and compliance, and beyond.