For the past few months, it has been a race to the finish as companies across the globe spent a tremendous amount of time and resources preparing for the day on which the European Union General Data Protection Regulation became effective — May 25, 2018. Leading up to this date, in-house attorneys and outside counsel alike frequently invoked May 25 as a shibboleth and conjured up campfire chillers about companies being fined 4 percent of their annual global revenue or receiving nonstop barrages of access requests from millions of EU residents who suddenly awoke to new privacy rights. But the reality is that many companies were not in full compliance when the GDPR became law and many others who were substantially prepared will make missteps as they adjust to their new policies and practices. Fortunately, there is no need to panic. The sky did not fall on May 25, and companies should continue to work toward obtaining and subsequently maintaining compliance in the coming months and years.
Although there is no telling exactly how European regulators will enforce the Regulation, here are a few key items that your company should have in its tool box as it moves toward full compliance.
• Ongoing Compliance. The GDPR is ongoing and a “moving target” for compliance. For example, protecting personal information using reasonable, industry-standard technical safeguards will require companies to periodically evaluate and upgrade their systems because the safeguards that are reasonable in 2018 are likely to be outdated and below industry standards by 2021. Likewise, disclosures in a privacy policy may cease to be accurate if new services are introduced or new partnerships are entered into. Even the most rigorous compliance program requires maintenance to remain effective.
Toolkit Item: A written policy and procedure that includes a timetable for periodic evaluation of security and external policies on an ongoing basis.
• Privacy Shield: Companies must have a legal basis to export personal information of EU citizens outside of the EU. The EU-US Privacy Shield Framework predates the GDPR and is one example of this type of legal basis. Privacy Shield certification requires several steps and concludes with a formal filing to the U.S. Department of Commerce, as well as an annual recertification filing. Because Privacy Shield and the GDPR rely on several common principles, a company that allows its Privacy Shield certification to lapse could find itself in violation of the GDPR as well, especially if the company continues to claim that it is certified in its privacy policy.
Toolkit Item: An acceptable basis for exporting data out of the EU, such as a valid, current Privacy Shield certification as well as the required practices and policies to live up to the underlying obligations and maintain certification going forward.
• Privacy by Design and PIAs: The GDPR requires that companies apply certain principles, such as privacy by design, and utilize certain tools, such as Privacy Impact Assessments, on an ongoing basis. These principles and tools are intended to ensure that companies consider privacy when they are designing and deploying new products and services. A failure to use them (or keep records that they were used) would constitute a violation of the GDPR in some circumstances.
Toolkit Item: A template PIA or a variety of template PIAs for appropriate reviews for each new update, upgrade, or strategy.
• Breach Response Plan: Companies subject to the GDPR are required to report a data breach to the relevant European supervisory authority within 72 hours of discovering the breach. Even if a company has accounted for this notice in its breach response plan, it does not mean that the company will be able to execute the plan effectively and provide the notice as required. This is especially true if a company has grown or personnel has changed since the breach response plan was first deployed. It is thus important for a company to periodically re-evaluate its breach response plan and run tabletop simulations to ensure that all stakeholders react appropriately.
Toolkit Item: A written breach response plan and an identified “SWAT team” of individuals who are well-versed in the requirement of the plan.
• Responding to Data Subject Requests: Under the GDPR, a company is required to provide European residents with the right to access, correct, transport and delete personal information that the company has stored about them. Moreover, a company is required to facilitate these rights in a reasonable period of time. While compliance-minded companies may feel confident they can meet these requirements, doing so may be more complicated as a company grows or in the event of a merger, acquisition or restructuring. As such, it is not enough to simply establish a process and never revisit it until an access request is formally submitted.
Toolkit Item: A policy and agreed upon methodology for complying with access requests, including an internal data map of where information is stored and a published means to submit a request.
Looking Ahead
GDPR compliance is different for every company, and the same is true about ongoing efforts to maintain compliance. Fundamentally, it is important that companies remember that compliance requires effort, and that they ideally develop some kind of checklist or plan for ensuring that compliance does not lapse now that the Regulation is in force. Time, growth and change all add to the challenge of staying with the terms of the GDPR, but armed with a formal plan, companies can move forward with confidence.
— Esteban Morin is an associate and Ian O’Neill is a shareholder at Brownstein Hyatt Farber Schreck.