Last month’s QuickLaunch University webinar focused on European data privacy legislation and, more specifically, the ambitious General Data Protection Regulation (GDPR), which goes into full effect on May 25, 2018. WilmerHale Partners Dr. Martin Braun and David Gammell discussed the key issues that emerging companies should consider as they prepare to comply with the new requirements. Here are a few things you need to know to prepare for the GDPR today:
- Understand the definition of “personal data.” Personal data includes, for example, name, email and telephone number, but under the GDPR it can also include an IP address or device ID. The GDPR also applies to other types of data subject to additional protection, such as health data, sexual orientation and racial background, if it can be attributed to an individual.
- Document your data. Under the GDPR’s accountability principle, the entity controlling the processing of personal data needs to be prepared to demonstrate compliance with the requirements. Understand your systems and the type of data you have, and document who has it, why they have it and who has access. This is a crucial preparation step.
- Communicate. We expect to see many updated website terms and conditions and privacy policies over the next few months. Review your current policies, including those related to consent, and assess whether any changes are required before May 2018.
- Make data privacy a boardroom issue. Fines for noncompliance with European data protection regulations will increase dramatically under the GDPR, and your ability to comply with the GDPR may affect how investors view your company. Ensure that everyone in your organization understands the company’s obligations and the steep risks associated with noncompliance.