Ready or not, it is coming.

On May 25th, 2018, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into force, effectively repealing Directive 95/46/EC (General Data Protection Regulation). As General Counsel, it is important that you understand the key legal obligations and risks that could affect your business, and provide the necessary leadership to navigate your company towards compliance.

GCs need to play a pivotal role in planning and preparing for the changes under GDPR, which include strategic decisions to improve internal processes and IT systems.

Here are seven ways GCs can prepare for GDPR and guide their company towards compliance:

1. Allocate responsibility for GDPR within your organisation and raise awareness.

Raise awareness with key decision makers and ensure they appreciate the impact this will have. Additionally, some organizations may be required to appoint a DPO - a person responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Since DPOs are in a leadership position to provide education and training, many organizations may want to appoint a person with related tasks (without the DPO designation) as a best practice.

2. Document the personal data you hold across the business

As part of your preparations, you should conduct a full audit to document what personal data you have, where it came from and with whom you share it. While we often think about this in terms of customer data, GCs should also document how other personal data - like employee or partners data - is being collected, stored, and used. Tip: If you use a legal repository, you can register and report on all of your data processes, as required under GDPR.

3. Asses your risks

Once you have registered your data processes, look at how your organization's processes affect or might compromise the privacy of the individuals whose data you hold. Under the GDPR, organizations must conduct a Data Protection Impact Assessments (DPIAs) when there is high risk involved. However, it is recommended you perform a risk assessment for all processing activities.

4. Review your privacy policy and contracts

Review your current privacy policy and put a plan in place for making any necessary changes in time for GDPR implementation. You should identify the lawful basis for your processing activity (ie. consent), document it and update your privacy notice to explain it. Organizations also need to re-examine their agreements with data processors to ensure that they meet the requirements with the GDPR. New agreements should be drafted with the GDPR’s requirements in mind.

5. Review your procedures to ensure "privacy by design"

To comply with GDPR, you should be aware of the requirements for "privacy by design" and "data protection by default". What this means is that privacy cannot be an after-thought. GCs should work with department heads and IT to ensure that technical and organizational measures are in place to ensure that – by default – personal data is collected and processed properly. For example, you cannot use "pre-ticked" boxes for marketing purposes or use data for purposes not specified.

6. Review how you manage consent and rights of Data Subjects

Under GDPR, the rules for obtaining valid consent from individuals are stricter. If consent is the legal basis for any of your data processing activity, you need to ensure you request, obtain, record, track, and amend it as required under the GDPR. If you market to children, you will need to understand what process to put in place to verify age and to obtain parental or guardian consent. Additionally, you need to check your procedures (technical and administrative) to ensure you are capable of providing the rights individuals have, including the right to be deleted or the right to data portability.

7. Update procedures relating to the detection and reporting of breaches

In the event of a data breach, you will still need to provide notification to data subjects and authorities. However, what is new under GDPR is that you are also required to record information about any data breaches that occur. This documentation must be ready to share with a DPA, upon request. Again, if you use a legal repository, you can record your data breaches, allowing you to run a historical report on demand. Furthermore, it is important to note that if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document it.

When it comes to preparing for GDPR there is no "one size fits all" method, but there are best practices for minimizing risks associated with non-compliance. To learn more about how legal risk management can help you prepare for the GPDR, register for our free webinar "Managing risks in the context of the GDPR".