It's not hyperbole to say that the General Data Protection Regulation's May 25th enforcement date marks one of the largest shifts in the history of privacy laws.
GDPR presents companies with an intimidatingly broad compliance obligation and the risk of jaw-dropping fines for noncompliance. Most companies that plan to work toward GDPR compliance anticipate spending at least $100,000 to prepare, but by all accounts, a majority of companies are not ready. Despite the costly risks of noncompliance, many companies have only recently started thinking about GDPR compliance. This article is designed to provide a last-minute guide to approaching GDPR for companies that have only recently begun to grapple with it.
Determine Whether GDPR Applies
U.S. companies should first consider whether GDPR applies to them. Given that fines for noncompliance can reach 4% of a company's global annual revenue, companies should not assume that GDPR does not apply to them simply because it is a European Union regulation. In general, GDPR applies in obvious situations, such as a company that has a physical location in the EU, and also in less obvious situations, such as a company that monitors individuals located in the EU or offers goods or services to them. "Monitoring" need not be an involved process and can be as simple as collecting information about people who visit your website. Many U.S. companies will be surprised to find themselves technically within the scope of GDPR.
Goal: A Defensible Position
Companies have frequently said that they will not be "GDPR ready" by May 25th, and enforcement authorities have even admitted their lack of preparedness. If your company is beginning its GDPR preparation, its first goal should be to take a risk-based approach and arrive at a defensible position. Data protection authorities have stated that the biggest fines for noncompliance will likely occur where businesses are taking shortcuts or deliberately avoiding their GDPR obligations. A defensible position is not perfect or final, but it could be the difference between a maximum fine for noncompliance and a less damaging penalty (or avoiding a fine altogether).
Create a Plan
The first step on the path to a defensible position is making a plan. Create a list of compliance requirements, translate it into a timeline, and build a roadmap. Companies should form a team to tackle GDPR. The team should include:
- A legal and compliance expert who can initially provide an understandable summary of GDPR and its requirements;
- Key employees who can understand GDPR's requirements and plan their implementation; and
- Key IT staff (or the company's IT vendor) who can implement required processes.
Keep in mind that GDPR compliance is not a process with clean handoffs. It will require diligence and continued input from the entire team. Companies should be cautious of attempting to "outsource compliance" by hiring a one-size-fits-all technology solution or vendor. The most practical approach for many companies is to perform an initial data mapping and inventory (see below), and then begin a tailored approach where a member of the GDPR compliance project team sits down with the departments that hold sensitive data. Those discussions will form the foundation of the team's GDPR plan.
Prioritize Foundational Issues and Enforcement Initiatives
Businesses should focus their efforts on issues that are (1) foundational to GDPR or (2) likely to receive heightened scrutiny from data protection authorities. Foundationally, if a company has not completed a data mapping and inventory effort to understand what data it holds, how it is transferred, who has access, and who needs access, now is the time. The company team working toward GDPR compliance will refer back to the data map and inventory frequently while addressing GDPR's requirements.
Some of the likely enforcement priorities of data protection authorities include:
- The right of individuals to demand access, portability, and deletion;
- Whether a company has obtained appropriate consent from individuals before collecting and processing data;
- Whether a company complies with GDPR's strict breach notification standards, including notifying data protection authorities within 72 hours of a breach; and
- Whether companies that are required to appoint a Data Protection Officer under GDPR have done so.
Finally, we recommend that companies embarking on a GDPR compliance plan stay abreast of enforcement news and updates from data protection authorities, which will likely change rapidly, so that they can anticipate risks.
The implications of GDPR are far-reaching and your company may run into issues even without a European location. Contact a Foster Swift business attorney to help you develop a strategy to ensure your company is in compliance with GDPR, or if you have any questions regarding your company’s GDPR compliance initiative.