For the past few months, it has been a race to the finish as companies across the globe spent a tremendous amount of time and resources preparing for the day on which the European Union General Data Protection Regulation became effective — May 25, 2018. Leading up to this date, in-house attorneys and outside counsel alike frequently invoked May 25 as a shibboleth and conjured up campfire chillers about companies being fined 4 percent of their annual global revenue or receiving nonstop barrages of access requests from millions of EU residents who suddenly awoke to new privacy rights. But the reality is that many companies were not in full compliance when the GDPR became law and many others who were substantially prepared will make missteps as they adjust to their new policies and practices. Fortunately, there is no need to panic. The sky did not fall on May 25, and companies should continue to work toward obtaining and subsequently maintaining compliance in the coming months and years.
Although there is no telling exactly how European regulators will enforce the Regulation, here are a few key items that your company should have in its tool box as it moves toward full compliance.
Toolkit Item: A written policy and procedure that includes a timetable for periodic evaluation of security and external policies on an ongoing basis.
Toolkit Item: An acceptable basis for exporting data out of the EU, such as a valid, current Privacy Shield certification as well as the required practices and policies to live up to the underlying obligations and maintain certification going forward.
• Privacy by Design and PIAs: The GDPR requires that companies apply certain principles, such as privacy by design, and utilize certain tools, such as Privacy Impact Assessments, on an ongoing basis. These principles and tools are intended to ensure that companies consider privacy when they are designing and deploying new products and services. A failure to use them (or keep records that they were used) would constitute a violation of the GDPR in some circumstances.
Toolkit Item: A template PIA or a variety of template PIAs for appropriate reviews for each new update, upgrade, or strategy.
• Breach Response Plan: Companies subject to the GDPR are required to report a data breach to the relevant European supervisory authority within 72 hours of discovering the breach. Even if a company has accounted for this notice in its breach response plan, it does not mean that the company will be able to execute the plan effectively and provide the notice as required. This is especially true if a company has grown or personnel has changed since the breach response plan was first deployed. It is thus important for a company to periodically re-evaluate its breach response plan and run tabletop simulations to ensure that all stakeholders react appropriately.
Toolkit Item: A written breach response plan and an identified “SWAT team” of individuals who are well-versed in the requirements of the plan.
• Responding to Data Subject Requests: Under the GDPR, a company is required to provide European residents with the right to access, correct, transport and delete personal information that the company has stored about them. Moreover, a company is required to facilitate these rights in a reasonable period of time. While compliance-minded companies may feel confident they can meet these requirements, doing so may be more complicated as a company grows or in the event of a merger, acquisition or restructuring. As such, it is not enough to simply establish a process and never revisit it until an access request is formally submitted.
Toolkit Item: A policy and agreed-upon methodology for complying with access requests, including an internal data map of where information is stored and a published means to submit a request.
GDPR compliance is different for every company, and the same is true of ongoing efforts to maintain compliance. Fundamentally, it is important that companies remember that compliance requires effort, and that they ideally develop some kind of checklist or plan for ensuring that compliance does not lapse now that the Regulation is in force. Time, growth and change all add to the challenge of staying within the terms of the GDPR, but armed with a formal plan, companies can move forward with confidence.
— Esteban Morin is an associate and Ian O’Neill is a shareholder at Brownstein Hyatt Farber Schreck.