Back in January, we posted about the circumstances in which your company, even if based in the US, must comply with the EU General Data Protection Regulation (GDPR), taking effect in May 2018. Now we get down to business. If your organization is covered, how do you start the process of preparing for compliance? There appear to be so many moving pieces; where do you begin? Here we will provide a high-level checklist to help you start down the path of GDPR readiness. As usual, this is not legal advice, just information, based on the resources the EU authorities have made available thus far, designed to help you get your ducks in a row and start planning.
First, a reminder. Due to the extraterritorial jurisdiction provisions of the GDPR, your company is covered by the law even if you have no establishment in the EU if you process personal data of data subjects in the EU and that processing relates to (a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or (b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU. Processing means any operation which is performed upon personal data, whether or not by automatic means, including collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure and destruction. Personal data is also broadly defined and includes not only what we traditionally think of as personally identifiable information connected to a name or person, but also information connected to a particular device or even an IP address. EU regulators can assess administrative fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.
If your organization is covered by the law, here is a list of things to consider — and the sooner the better (with barely over a year to become compliant). Each of the following points will be the subject of a more detailed overview in a series of forthcoming blog posts over the next few months.
Determine If You Are a Data Controller or Data Processor, or Both
- When are you determining the purposes for which and the manner in which any personal data are processed?
- When are you processing the data on behalf of the data controller?
- Are you acting in both capacities with respect to some personal data?
Appoint a Data Protection Officer (DPO)
- Do you need one?
- Should he/she be internal or external?
- Should he/she be a lawyer?
Prepare Personal Data Inventories for Consumer and HR Personal Data
- What are the data flows involving personal data of EU data subjects?
- What kinds of data are involved?
- Where does the data enter the organization? Where does it go and how is it used? With whom is it shared? When is it deleted?
- Should this be done manually or using data mapping software?
Identify Legal Bases for Data Processing
- Why are you processing personal data?
- Can you limit your collection and processing?
- Do you have a legal basis under GDPR to do the processing?
- Do you have “legitimate interests” that justify the processing?
- Do you need consent? If so, are your existing mechanisms for obtaining consent GDPR-compliant?
- Do you have other legal bases for processing?
Conduct Data Protection Impact Assessments (DPIA)
- Are you engaged in high risk processing that requires a DPIA?
- How will this process be completed and who will be involved?
- How will you get it done before the processing begins?
Review and Revise Privacy Notices
- Are your privacy notices GDPR-ready?
- Do they accurately and completely describe your data flows and address all applicable data subject rights under GDPR?
Review and Update Your Agreements
- If you share personal data with vendors of any kind, do your agreements include the protections required by the GDPR?
- If you are a service provider yourself, have you updated your form agreements to account for GDPR compliance? How will you make sure your subcontractors are required to abide by the same requirements?
- How will GDPR requirements be addressed in the procurement process? How will you build them into your RFPs?
Establish Procedures for Handling Data Subject Requests to Exercise Rights
- Have you identified each of the data subject rights that you will need to address?
- Which of the rights apply to you and in what circumstances?
  - Right to Transparency
  - Right of Access
  - Right to Rectification
  - Right to Erasure
  - Right to Be Forgotten
  - Right to Restrict Processing
  - Right to Object
  - Right to Data Portability
  - Data Profiling Rights
Implement Appropriate Data Security Measures
- Have you implemented the “reasonable security” measures already required of your organization under US law (including federal laws like GLBA and HIPAA, state laws like the Massachusetts data security regulations, regulator guidance from the Federal Trade Commission and State Attorneys General, and contractual standards such as PCI)?
- Have you mapped your security controls against standards such as ISO or NIST?
- Are your security measures appropriate based on the nature and sensitivity of the data?
- Do you have a Written Information Security Program?
Develop an Incident Response Plan (IRP)
- Do you have an IRP designed to comply with applicable US data breach notification laws and standards?
- Does it need to be updated to address the shorter regulator notification time frames built into the GDPR?
Make Sure Your Data Transfer Mechanisms Are Lawful
- Are you Privacy Shield certified?
- Do you need Controller-to-Controller or Controller-to-Processor Standard Contractual Clauses for some kinds of transfers?
- Should you consider Binding Corporate Rules?
- Are there any derogations that might apply to facilitate transfers?
Train Your Personnel
- Do you have existing privacy and data protection training for personnel?
- How will you educate your personnel on the differences between EU and US laws?
- Who should be trained and by whom? How frequently?
- How will you handle onboarding?
Maintain Appropriate Documentation
- Can you document all of the foregoing in a way that will be acceptable to EU regulators?
- How should you deal with attorney-client privileged communications when it comes to preparing such documentation?
The foregoing is obviously not set in stone; your GDPR checklist should ideally be broken out into multiple projects, and the work will be ongoing.
The time to get started is now; GDPR compliance will not happen overnight. It is a process, and it will remain an ongoing process even after May 2018. US companies of all sizes are well advised to start identifying the relevant stakeholders within their organizations to tackle each of the foregoing items and get the ball rolling on multiple fronts.