In less than 100 days, the General Data Protection Regulation (GDPR) will go into effect. This means that as of May 25, 2018, each national Supervisory Authority will have the authority to apply and enforce the GDPR.
The GDPR sets requirements substantially higher than those of the Data Protection Framework Directive. For instance, it recognizes new rights for data subjects (e.g. the right to be forgotten and the right to data portability), introduces data breach notification requirements, introduces the concept of a Data Protection Officer, and brings enhanced accountability obligations.
Given these new challenges, as well as the extraterritorial scope of the GDPR, companies around the world are working towards compliance. However, a recent study revealed that only 6% of companies are ready for the GDPR. The survey focused on North American business technology professionals in sectors such as financial services, government, healthcare, IT, and telecommunications. This is an alarming finding given the heavy sanctions for non-compliance (up to EUR 20 million or 4% of global turnover, whichever is higher).
Shared Experience – What We Are Seeing
In Alston & Bird’s Brussels-based EU Privacy practice, a large percentage of our time goes towards making sure international organizations across industries will be ready for the GDPR when it enters into force on May 25. Much of this work is done from our Brussels office, in combination with our lawyers in the U.S., working to serve U.S.-based multinational companies. For companies that are attempting to prioritize their compliance work in the 100-day home stretch, we offer our insights into the items we have seen requiring significant ramp-up or implementation time.
- Creating the DPO Office: International organizations often find themselves subject to the requirement to appoint a Data Protection Officer (DPO). Determining how to structure a DPO office across affiliates and subsidiaries can be a challenging task, especially if a company’s EU entities have had their own DPO(s) in place for some time. Also, identifying and appointing a DPO who has sufficient internal authority to speak to upper management on privacy matters – while being free of conflicts of interest – can take time.
- Updating Customer and Vendor Agreements: Article 28 of the GDPR requires companies to update agreements with their vendors to include a number of new, mandatory privacy terms – and some companies find themselves with 10,000+ vendor agreements needing a GDPR refresh. At the same time, most companies act as a service provider to other companies, and thus need to consider how they will provide GDPR-required terms to their own customers. This can require strategic planning and teamwork with procurement, sales, and internal contracts groups.
- Creating an Overview of Processing Activities: Article 30 of the GDPR requires organizations to create an overview of their processing activities and present it to supervisory authorities upon request. Given market pressures, most companies create, launch, and/or purchase applications on an as-needed basis, without maintaining broad overviews of how data flows within their organization and how it is processed. It can take some time for companies to assess whether to build their own “Processing Inventory” or to purchase a third-party tool, and even more time to populate the inventory comprehensively.
- Enabling Fulfillment of Data Subject Rights: If a French citizen sent an email to your Privacy Office asking for a copy of all data your organization holds about her, would you be able to locate it and provide it to her within 30 days? Would you be able to find it and delete it upon request? This is the GDPR requirement. Satisfying this requirement can require intense teamwork with IT, especially in international organizations that operate through a combination of global and local IT assets. Enabling rights fulfillment can require application changes, which usually need significant advance notice, internal approval, and dedicated IT resources.
- Information Security: Due to U.S. breach reporting requirements and the dangers of class actions, many U.S.-based organizations are already well on their way to implementing the GDPR’s information security requirements. But European subsidiaries and affiliates may not be as far along, and again, implementing information security requirements can require application changes.
- Privacy Impact Assessment Procedures: The GDPR will expect companies to implement “privacy by design”, i.e. to integrate privacy into projects from the start (and not just in pre-launch review). Organizations have fulfilled this requirement by implementing Privacy Impact Assessment (PIA) procedures. Sometimes, existing security risk assessment procedures can be expanded to meet GDPR requirements. But in some organizations, a new enterprise-wide process must be implemented, which requires significant internal communication and ramp-up time. Whether built onto existing processes or newly created, this process also needs to ensure that “high risk” projects are subject not just to PIAs, but to GDPR-mandated Data Protection Impact Assessments (see Art. 35 GDPR) that have appropriate involvement from the DPO.
- Updating Model Clauses: If your organization uses EU Model Clauses to support its international transfers, are all members of your corporate family signatories to those clauses? Some organizations require a refresh – and collecting signatures from the authorized representatives of every affiliate takes time. It is advisable to get this done before May 25, as supervisory authorities can demand production of Model Clauses and fine 4% of worldwide turnover for missing signatures.
- Retention Program Refresh: Nearly every company has a retention program and a retention schedule. Going forward under the GDPR, retention programs need a refresh. All EU-origin personal data needs to be subject to mandatory deletion and/or purge periods. Getting an overview of a company’s current retention practices can take time, and for implementation, teamwork with internal stakeholders such as records management and internal audit is usually required.
Additionally, when companies start prioritizing their compliance strategy, they should also keep track of local laws in the EU, since the GDPR allows EU Member States to further specify, and in some cases deviate from, certain rules. For instance, the new German Data Protection Act (BDSG-Neu) provides for DPO requirements that deviate from the GDPR. To help businesses keep track of this potentially disparate framework, the Brussels Privacy & Data Security team at Alston & Bird has created a GDPR Tracker tool summarizing all local legislative provisions that either deviate from or further specify the GDPR. This allows businesses to get a high-level overview of how national implementation diverges across Europe, and to plan a strategy accordingly.
It remains unclear what the enforcement attitude and culture of the Supervisory Authorities will be and how the European Data Protection Board (EDPB) will steer international enforcement. However, the new national implementing laws that constitute the new Supervisory Authorities indicate that there will be more intense litigation than before. For instance, the new Belgian Supervisory Authority will have a dedicated litigation chamber – Read more here.
Alston & Bird and its Brussels-based EU Privacy Team are closely following the GDPR implementation and routinely assist multinational companies with their GDPR compliance efforts. For more information, contact Jan Dhont, Jim Harvey or David Keating.