  • Assemble your GDPR compliance team
    • Recruit a cross-departmental team representing your privacy, legal, IT, human resources, and other departments to prepare for the transition. Each member should act as a liaison with his or her respective department.
  • Know your data flows
    • This is one of the most fundamental components of your GDPR preparation plan. In order to determine what steps your company must take in order to achieve compliance, it is critical that you evaluate what data your company collects from customers and employees, and how that data is transmitted globally.
    • Get international office heads involved: find out what data each office is collecting from employees and customers, why they are collecting it, and how they are legitimizing their collection, processing, and transfer of that data.
    • You also should determine how your company currently legalizes its cross-border data transfers (e.g. Privacy Shield, standard contractual clauses, binding corporate rules).
  • Understand your footprint in the EU and around the world
    • Understanding the extent of your company's operations in Europe is essential, as it will allow you to determine your company's lead supervisory authority (a.k.a. its "one stop shop") in the EU or whether your company does not have a lead supervisory authority.
  • Consider whether you engage in profiling of individuals, monitoring of an area, large-scale processing of sensitive data, or "high risk" processing of personal data
    • A privacy impact assessment (PIA) may be required or advisable in these situations.
    • The Article 29 Working Party is expected to publish additional guidance relating to these areas.
  • Collect and review privacy notices (both customer- and employee-facing)
    • Evaluate how you are collecting consent, if at all, from customers and employees. Review the notices to ensure that you are providing required disclosures.
    • Review internal policies (e.g. employee handling of personal data, training, data retention, data security, breach notification). Consider whether these policies need to be changed or updated.
    • Be prepared to revise these notices as needed (e.g. adding check boxes to obtain unambiguous consent).
  • Collect and review agreements with processors and third party vendors
    • Ensure that processors and third party vendors are contractually obligated to comply with the relevant GDPR requirements (e.g. the processor will notify the controller of a breach "without undue delay").
    • Be prepared to renegotiate these agreements as needed.
  • Review protocols for diligence performed on processors and sub-processors
    • Confirm that procedures are in place to ensure that processors meet their obligations under the GDPR (e.g. implementing proper security measures, hiring a data protection officer if needed).
    • Consider additional factors, such as whether the processor properly trains its employees regarding data handling practices, whether a privacy impact assessment is required, etc.
  • Evaluate security protocols in light of the company's data collection and processing practices
    • Consider whether the company has in place "technical and organizational measures" that are appropriate given the nature/scope/purposes of processing, the state of the art, the costs of implementing security measures, and the risk to data subjects.
    • To that end, the GDPR encourages companies to consider pseudonymizing and encrypting data, as well as carrying out regular testing of security programs, among other measures.
  • Prepare to Observe the Rights of Data Subjects
    • Data subject rights mean that companies must be prepared to quickly identify and locate all personal data about a data subject and, depending on the right being invoked, erase it or provide a copy of it to that person.
    • Right to be Forgotten: prepare to erase personal data "without undue delay" if the data subject objects to the processing, if the data is no longer needed, or if the processing is unlawful.
    • Data Portability: consider developing systems to quickly locate and compile requested data into a compatible "structured, commonly used and machine-readable format" on request.
    • Right of Access: provide a mechanism data subjects can use to request information about how their data is handled, as well as a method to verify the identities of data subjects making these requests.
    • Determine how long each type of data collected from data subjects will be stored and prepare to disclose this information to data subjects.
    • Consider whether data should be anonymized or pseudonymized. Also consider your approach to privacy by design and privacy impact assessments (PIAs).
    • Full compliance likely will require coordination with your company's IT department.
  • Determine whether you will need a data protection officer
    • Public bodies, as well as controllers or processors whose "core activities" involve (1) processing "special categories of data" (often referred to as "sensitive data") on a "large scale" or (2) regularly and systematically monitoring individuals must appoint a data protection officer.
    • Ensure that the DPO is properly qualified and/or trained for the job.
    • Consider whether you should appoint an employee to serve as DPO, hire a DPO from outside the company, or outsource the DPO function.
  • Develop a data breach notification strategy
    • Ensure that breaches can be detected and reported to authorities quickly.
  • Stay on top of the latest updates
    • Check Proskauer's Privacy Blog (http://privacylaw.proskauer.com/) for updates and analysis relating to the GDPR, Brexit, and other privacy topics.
    • In addition, the UK Information Commissioner's Office website has a GDPR page (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/) that is a helpful resource for the latest guidance from both the UK and around the EU.
    • Expect additional guidance from the Article 29 Working Party on the topics of consent, transparency, profiling, high risk processing, certification, administrative fines, breach notification, and data transfers.