Over the past two years, we have been assisting clients from all sectors to prepare for the implementation of the General Data Protection Regulation (“GDPR”), which will become enforceable on May 25, 2018. Whilst many companies are racing full throttle to be fully compliant by May 2018, others are just about to start the process or are still questioning whether they need to do anything.
In the following we highlight five recurring key issues that companies of all sizes encounter during the GDPR compliance process and how best to remedy them.
1. Understand the GDPR’s scope of application
Non-EU companies in particular struggle to understand whether or not the GDPR applies to them. This is partially due to some of them not being familiar with the broad notions of personal data and processing under the GDPR. Others are simply not aware of the extraterritorial effect of the GDPR, and thus wrongly assume it requires no attention. And yet, the GDPR, once enforceable, will not only apply to organizations with an establishment in the European Economic Area (“EEA”), but to virtually any organization anywhere in the world that processes personal data related to the offering of goods or services to individuals in the EU or monitors their behavior. This is irrespective of whether this personal data is being processed inside or outside the EU.
Companies need to get familiar with the GDPR and take the time to assess, if need be with the assistance of external counsel, whether and to what extent it applies to them.
2. Assess the GDPR’s impact on your organization
Companies often underestimate the significant impact that the GDPR will have on their organization and their existing data processing practices, as well as the efforts (and changes) that are required to be GDPR compliant.
An audit or self-assessment can help determine the existing level of compliance and the compliance gaps. This assessment will also form the basis to develop a roadmap or workplan to address any identified non-compliances and to prioritize remediation measures.
3. Recognize the importance of data governance and embed data protection in your organization
Many companies have not assigned responsibility for data protection internally and do not have an overview of their key data processing, data flows and international data transfers. They do not conceptualize, let alone integrate, data protection from the start.
Even companies that are not subject to the obligation to designate a data protection officer should consider creating a network of data protection champions, across the relevant corporate functions, business units and regions, with the support of senior management. This will ensure accountability and will facilitate effective compliance management. In addition to allocating tasks and responsibility, the data protection principles must be reflected in the companies’ internal policies and procedures. Companies need to ensure that their staff is educated on the requirements and (continues to) receive appropriate training. Integrating data protection obligations from the start helps meet the data protection requirements and avoids the need for costly and time-consuming subsequent changes to tools, services, products and practices.
The preparation of an adequate and comprehensive inventory of the key data processing and use cases as well as internal and external data flows is rather time consuming. Organizations should dedicate the necessary resources to create such records, thus facilitating compliance going forward.
4. Dedicate sufficient time to put in place appropriate contracts for data sharing
Many organizations have no clear view of whom they share personal data with and, more often than not, lack the appropriate contractual framework. The GDPR allows data sharing with other controllers only if there is a legal basis for the data processing. The GDPR also imposes specific obligations on companies that want to outsource data processing to a processor, including ensuring that the duly selected processor is subject to a processor agreement covering mandatory minimum provisions. In case the third parties with whom the personal data is shared are established outside the EEA, the organizations must also comply with the rules on international data transfers.
Companies should create an up-to-date list of their existing service providers as well as other third parties with whom they share personal data and gather all existing agreements. As a first step, the role of each third party (controller, joint controller, processor) must be assessed and, if need be, the existing contract amended to reflect the said mandatory provisions. This can require significant time and effort, depending on the number of vendors and their willingness to accept the proposed changes to the contract. Companies must also not forget to put the required contractual assurances in place for intra-group data sharing.
5. Create a records retention schedule
Many organizations do not have a comprehensive records retention schedule and keep certain data indefinitely, although there is no legal requirement nor a business need to do so. Data protection law requires that personal data be kept no longer than necessary, without specifying the relevant retention periods. Instead, the retention periods are determined by various other national laws, including employment, social security, trade, company and tax laws, which lay down statutory retention periods, as well as the organization’s reasonable business needs. Creating and implementing a records retention schedule is a major multi-jurisdictional project, which cannot be started soon enough.
The aforementioned list provides only a glimpse of the key challenges that many organizations are facing, not to mention creating and updating notices to individuals, consent forms and mechanisms (where necessary), data protection impact assessments, establishing a personal data breach notification procedure, etc.
Organizations should not take the GDPR’s requirements and implications lightly. On the contrary, companies should create a roadmap and workplan with deliverables, timelines and allocation of responsibilities and dedicate sufficient resources to the complex process which requires work in several areas in parallel. The organization will need to involve key stakeholders from all departments or business units that deal with personal data or other aspects of data protection compliance, typically comprising HR, IT, Legal/Compliance, Marketing, Sales, Finance and Procurement. It is important to obtain the buy-in from the board or senior management at the outset in order to meet the ambitious timeline.
Our firm’s Data Privacy & Cybersecurity Practice Group offers a “one-stop shop” for any organization that needs support in relation to GDPR compliance or assistance in other data protection and e-privacy related issues in the EU and beyond. We have substantial experience advising companies of different sizes in many different sectors and regions of the world on GDPR compliance across the EU/EEA.