The General Data Protection Regulation (GDPR) will take effect on May 25, 2018. Aimed at better protecting the privacy and security of all personal data collected about EU citizens and residents, GDPR requires compliance by any company or organization (regardless of location) that collects or processes Personally Identifiable Information (PII) of EU citizens or residents. The regulation consists of 99 articles that dictate how and why PII can be collected, and the methods for processing, securing and accessing an individual’s PII.
Complying is critical because companies can be fined up to €20 million or four percent of their annual revenue (whichever is greater) if they don’t. What could be even more costly is the negative impact to a company’s reputation for non-compliance.
Corporate legal departments will play a key role in ensuring that their organizations successfully meet all GDPR requirements. We recommend that legal departments take the following steps:
1. Assess Current Capabilities
Organizations will be required to ensure accuracy of the PII they control. This means taking stock of your data and ensuring that it is current, accurate, and protected. You must also examine your processes to ensure you’re able to maintain data integrity and respond to data subjects’ requests, including the “right to be forgotten” or to access their own PII.
2. Assign a Data Protection Officer (DPO)
Accountability is an important focus of GDPR. Some organizations (defined within the regulation’s articles) are required to appoint a DPO, who is responsible for maintaining primary oversight of data processing activities. The DPO ensures that PII-related requests from EU residents are handled promptly and within GDPR requirements.
3. Review Data Monitoring Processes
While GDPR does not specify particular tools you must use, it does require you to deploy any tools necessary to continuously monitor and control the integrity of PII data. Third-party entities that you use to handle PII are also responsible for maintaining the same levels of data integrity and security. You must therefore verify the specific processes and tools your law firms and other vendors have in place to protect PII data.
4. Implement High Data Encryption Standards
GDPR requires you to take appropriate technical and organizational measures to protect personal data. It is vitally important that legal departments encrypt this data whenever and wherever possible – certainly within databases and email communications, but also in any applications employees use. Your enterprise legal management provider should be able to help ensure that your organization is using the latest and most secure versions of their solutions.
5. Practice Proper Data Management Hygiene
GDPR states that PII shall not be kept for longer than necessary for the purposes for which it was collected. You must practice good data management hygiene by discarding old data when it is no longer relevant. In addition, you need processes to effectively respond when a data subject demands access to their data, or to have it corrected or erased.
6. Update Vendor Contracts and Other Agreements
7. Perform a Data Protection Impact Assessment
It is also critical for your enterprise legal management provider to comply with GDPR. Wolters Kluwer’s ELM Solutions is preparing, and helping our clients prepare, for this historic legislation. For more information on the recommended steps above, as well as insight into our preparations, download our white paper Preparing Your Corporate Legal Department for the Journey Toward GDPR Compliance.