Is your business affected?
On 25 May 2018, the new EU General Data Protection Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) will enter into force.
If you want to know whether your business might be affected, take five minutes to reply to the following three short questions.
1. Do you collect, store, handle or otherwise process data relating to natural persons?
Data relating to natural persons may, for example, comprise information allowing the identification of clients, employees, staff members of vendors, individual investors, etc.
2. Are you established in the European Union (EU) or offering goods/services to EU-based individuals?
Being established in the EU does not just mean that you have a corporate entity incorporated under the laws of an EU member state. A simple representative office or even the use of an EU-based service provider that is involved in the processing of personal data on your behalf may trigger the application of the GDPR (and potentially additional national laws).
Offering goods/services to EU-based individuals includes for instance targeting customers by offering services in EU languages via a dedicated website, accepting payments in Euros, launching marketing initiatives in one or more EU countries, etc.
3. Are you acting for your own account or as a service provider on behalf of clients (or both)?
When using, storing or otherwise processing personal data based on means and purposes defined alone or jointly with others (e.g. to fulfil contractual obligations towards individuals such as employees or clients, to comply with legal obligations such as AML checks, to send marketing communications for your own goods and services, etc.), you will be acting as a data controller and the GDPR will fully apply to you.
A service provider will generally act upon the instructions of its clients (the data controller) with little room for manoeuvre as regards the processing of personal data controlled by the service provider’s clients. Service providers (so-called “processors”) have their own, enhanced obligations under the GDPR.
If you have replied yes to all three questions above, your business is most likely caught by the GDPR and you will need to start your preparations to ensure that you comply with the GDPR.
The three main compliance phases include:
1. Data mapping
The starting point should be to check what kind of personal data is processed within your business, who may access such data, whether service providers are involved in the data processing, whether data is transferred to or accessible from outside of the EU, etc. This can be done for instance with the help of questionnaires prepared for this purpose. These questionnaires can then be used as a basis for creating the processing records required under the GDPR.
Consider creating a task force within your company that will be in charge of this phase (together with external advisors if needed).
2. Gap analysis and specific steps
Compare the status quo against the requirements set by the GDPR and create a road map on the required implementation measures and the timing for each step.
If you come to the conclusion that you are under an obligation to appoint a data protection officer (DPO), do so quickly so that (s)he will be involved in the GDPR project at an early stage. This person will then be in charge of monitoring compliance with the GDPR.
The elements to be covered here will depend on the outcome of the gap analysis. It is likely that you will have to at least perform the following steps:
Check the basis for the processing of data: if you were relying on consent, reconsider whether this is the right basis.
Revise the contracts with your service providers to ensure they include the additional required language.
Implement processes for answering access and other requests from individuals; complying with data breach notification/information; new vendor on-boarding; privacy impact assessments; etc.