It’s coming. The European Union’s General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. If your business involves processing EU citizen data, you will be subject to GDPR – even if your sole location is Morrisville, and you have never set foot in the European Union. Failure to comply with GDPR strictures will result in staggering penalties: as much as 4% of your global revenue or 20 million euros – whichever is higher.
Full compliance is complex and involves an exhaustive process. However, a company can begin to prepare immediately. The heart of the GDPR is consent: the premise that data belongs to the subject, and that it may only be collected with the full, informed, affirmative consent of that subject. The data subject may revoke consent at any time, may take their data to another service provider, and may limit how the data is used. With this in mind, companies must work with their IT departments to understand the following four things about their data practices:
- Inventory. In order to obtain informed consent, a company must know what data it has. This is particularly applicable because data may be retained in structures outside regular databases. It is often stored in myriad formats such as correspondence, spreadsheets, evaluations, documents, PowerPoint presentations, and drafts. These must be documented in a searchable format. An accurate inventory is indispensable to comply with requests to edit, modify, or delete data. It is also necessary to furnish accurate disclosures to regulators and data subjects.
- Metadata. GDPR is premised on the notion that the data subject’s consent limits data retention to the time and purpose needed for business. That means that accurate metadata is necessary for compliance. Accurate metadata will enable you to tailor your data collection practices to conform to business needs and consent obtained. It will enable you to delete data where required. And it will enable you to efficiently reevaluate your data collection practices periodically to ensure that further retention or collection is required and, therefore, permitted.
- Protocols. A company’s internal processes should incorporate privacy by design. These protocols should encompass the entire data collection process: what is collected, where it is stored, personnel who have access, and the purposes and extent to which this access is granted. If an employee’s functions no longer require access to data, or require access only to a limited subset of data, the company’s protocols should reflect this.
- Constant vigilance. Companies are expected to have stringent security programs in place to protect against unauthorized data access. Company systems containing personal data should be auditing access activity at all times. This includes both internal access – employee behavior – and external attempts – hackers or espionage. The monitoring should be sufficient to detect incipient breaches. Failure to identify efforts to gain unauthorized access, or to report them, can lead to mammoth fines.
- Yes, this is a bonus point. Recent trade industry surveys show that a third of all American companies have no designated individual in charge of privacy compliance. Privacy often lies in a nebulous “no-man’s land” between various departments: legal, information technology, operations or even human resources. This creates the obvious risk that privacy issues will fall through the cracks, which is an unacceptable risk under the GDPR regime. Fortunately, the solution is easy: Companies need to ensure that privacy compliance falls within an individual’s mandate. Once the person is designated, companies need to make sure that he or she knows what to do, and ensure that he or she has a big enough “stick” (or institutional authority) to get it done.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.