by Kevin Caulfield, Wolters Kluwer's ELM Solutions
The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, sets a high standard for data privacy that affects all companies that do business in the European Union (EU) or with its citizens. GDPR effectively puts control of personally identifiable information (PII) directly into the hands of the individual whose data is being collected, including a company’s own employees. The 99 articles of the regulation dictate how and why PII can be collected, as well as the methods for processing, securing and accessing an individual’s PII. U.S.-based organizations must comply if they hold PII on any EU citizen anywhere in the world or on any current resident of the EU.
The costs for non-compliance could be significant. Companies can be fined up to €20 million or 4 percent of their annual revenue (whichever is greater) for not complying. In addition, intangible damages in the form of reputational harm can be even more costly in the long run.
Taking Action on Compliance
The EU calls GDPR “the most important change in data privacy regulation in 20 years.” Indeed, corporate legal departments will face an entirely new world of data management requirements. To help ensure their compliance, we recommend that legal departments take the following key steps.
1. Assess current capabilities
GDPR Article 5, “Principles relating to processing of personal data,” requires that organizations do their utmost to ensure the accuracy of the personal data they are controlling. Inaccurate data must be “erased or rectified without delay.” To do this, legal departments must take stock of their data and ensure that it is current and accurate.
Legal departments must also examine current processes to ensure that they are equipped to maintain the integrity of data and respond to data subjects’ requests, including the “right to be forgotten” and to access their own PII.
2. Assign a data protection officer (DPO)
GDPR focuses on the accountability of parties that process PII. A key element of this concept is demonstrating a company’s compliance with GDPR’s 99 articles. The responsibility for supplying proof of compliance falls to the DPO, an important new position required by GDPR for organizations meeting certain requirements, or if mandated by local law. The DPO oversees the mechanisms a company employs to comply with GDPR and maintains primary oversight of data processing activities.
If an EU resident requests access to his or her PII, it is up to the DPO to ensure that the request is handled promptly and within GDPR requirements. Likewise, if a breach is detected, the DPO is responsible for ensuring that authorities are notified within 72 hours.