Now that the holidays are behind us, with the exception of a belated New Year's drink here and there, it's business as usual and thus time to dig a little deeper into the GDPR.
For those of you who have yet to completely recover from the holidays and don't remember what the GDPR is, we would like to remind you that in mid-December of last year, the European institutions reached a political agreement on the General Data Protection Regulation or GDPR. The final text will most likely be adopted early this year but will not apply for another two years.
The GDPR will apply to the processing of personal data in the context of the activities of an establishment of a data controller or processor in the European Union, regardless of whether the processing actually takes place in the European Union. In other words, all companies established in the European Union will have to comply with the GDPR.
In addition, it should be noted that the GDPR has a broad extraterritorial scope and will also apply to the processing of personal data related to data subjects residing in the European Union by controllers or processors not established in the European Union, when the processing activities relate to:
- the offering of goods or services, regardless of whether a payment of the data subject is required, to data subjects in the European Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the European Union.
The GDPR imposes a number of new obligations on businesses, such as an obligation to keep records of all data processing activities, to notify data breaches, and to perform privacy impact assessments under certain circumstances. Furthermore, businesses will need to review all existing privacy notices and policies as well as data processor agreements to ensure they include all required information.
The question most likely on everyone's lips is whether businesses should start preparing for the GDPR now. In our view, there's no straightforward answer. Much will depend on your current level of compliance with data protection legislation and the nature and size of your data processing activities.
For example, assume you want to run the New York Marathon in 2018. If you're already a long-distance runner and can easily run 20 kilometres, there's no rush to start training today. However, if you're out of breath after climbing only two flights of stairs, you may want to take immediate action by visiting a physician (to ensure that training for a marathon will not jeopardize your health), thinking about a training programme and, last but not least, investing in a good pair of running shoes!
In other words, businesses should first assess their current level of data protection compliance. In this regard, the following two questions are important:
- Do you have a clear overview of all data processing activities performed by your business?
- Do you currently fully comply with the applicable data protection legislation? If not, can you identify the gaps?
If the answer to both questions is no, it may be wise to start mapping your data processing activities and conducting a gap analysis immediately, which may take some time. Once you have mapped your data processing activities and performed a gap analysis, the next logical step is to prepare a compliance roadmap with clear points for action and milestones.
If you can answer both questions in the affirmative, however, you have a solid foundation in place and it will be easier to prepare for the GDPR. Of course, some preparation will still be required, but the need for action may be less urgent.
In conclusion, we would like to highlight two points which are, in our opinion, of the utmost importance.
First, in order to successfully prepare for the GDPR it's crucial to have management support. Preparation will require a substantial investment in terms of time and energy by the entire organization, and without management support, it will be tough to put in place a compliant data protection framework.
Second, it's imperative to ensure sufficient human and financial resources. Preparing for the GDPR is not something that can be done "on the side". If you will need to appoint a data protection officer, you may want to start recruiting one now so that this person can manage the preparation process. In addition, current budgets may not be sufficient, especially if compliance with the GDPR will require changes to your IT infrastructure.