The General Data Protection Regulation (GDPR) will take effect on May 25, 2018. Aimed at better protecting the privacy and security of all personal data collected about EU citizens and residents, GDPR requires compliance by any company or organization (regardless of location) that collects or processes Personally Identifiable Information (PII) of EU citizens or residents. The regulation consists of 99 articles that dictate how and why PII can be collected, and the methods for processing, securing and accessing an individual’s PII.

Complying is critical because companies can be fined up to €20 million or four percent of their annual revenue (whichever is greater) if they don’t. What could be even more costly is the negative impact to a company’s reputation for non-compliance.

Corporate legal departments will play a key role in ensuring that their organizations successfully meet all GDPR requirements. We recommend that legal departments take the following steps:

1. Assess Current Capabilities

Organizations will be required to ensure accuracy of the PII they control. This means taking stock of your data and ensuring that it is current, accurate, and protected. You must also examine your processes to ensure you’re able to maintain data integrity and respond to data subjects’ requests, including the “right to be forgotten” or to access their own PII.

2. Assign a Data Protection Officer (DPO)

Accountability is an important focus of GDPR. Some organizations (defined within the regulation’s articles) are required to appoint a DPO, who is responsible for maintaining primary oversight of data processing activities. The DPO ensures that PII-related requests from EU residents are handled promptly and within GDPR requirements.

3. Review Data Monitoring Processes

While GDPR does not specify particular tools you must use, it does require you to deploy any tools necessary to continuously monitor and control the integrity of PII. Third-party entities that you use to handle PII are also responsible for maintaining the same levels of data integrity and security. You must therefore verify the specific processes and tools your law firms and other vendors have in place to protect PII.

4. Implement High Data Encryption Standards

GDPR requires you to take appropriate technical and organizational measures to protect personal data. It is vitally important that legal departments encrypt this data whenever and wherever possible – certainly within databases and email communications, but also in any applications employees use. Your enterprise legal management provider should be able to help ensure that your organization is using the latest and most secure versions of their solutions.

5. Practice Proper Data Management Hygiene

GDPR states that PII shall not be kept for longer than necessary for the purposes for which it was collected. You must practice good data management hygiene by discarding old data when it is no longer relevant. In addition, you need processes to effectively respond when a data subject demands access to their data, or to have it corrected or erased.

6. Update Vendor Contracts and Other Agreements

Carefully review your vendor contracts to ensure that they include privacy language specific to GDPR and address the cross-border data transfer limitations that apply if PII leaves the EU. You should also review any End User License Agreements or Terms of Use documents in use with your customers and end-users, updating the terms to address GDPR.

7. Perform a Data Protection Impact Assessment

To ensure that your law firms and other vendors are GDPR compliant, you should ask each of them to respond to an electronic risk assessment questionnaire. This is a series of questions specific to your data privacy policy and requirements, which should be periodically repeated. It helps you determine which firms are in compliance, allowing you to open a dialog with any that still need to make changes.

It is also critical for your enterprise legal management provider to comply with GDPR. Wolters Kluwer’s ELM Solutions is preparing, and helping our clients prepare, for this historic legislation. For more information on the recommended steps above, as well as insight into our preparations, download our white paper Preparing Your Corporate Legal Department for the Journey Toward GDPR Compliance.
About The Author

Kevin Caulfield

Kevin brings close to 20 years of product management, operations and software leadership experience in the enterprise and consumer markets. He is responsible for driving and leading product strategy and the discovery and validation of market needs and opportunities for the Passport® and TyMetrix® 360° product lines. Kevin holds an MBA from Boston University.