By Robert J. Kerwin
On May 25, 2019 we will be celebrating the one-year anniversary of the European Union’s largest change in data protection known as the General Data Protection Regulation (GDPR). GDPR has reportedly caused major disruption in the ways companies manage customer data both in and out of the EU.
If your company is processing credit card information or other personal data from EU Citizens, you ought to be examining compliance and whether you must maintain a personal representative resident in the EU to receive, among other things, service of process or inquiries as to compliance. Only if the processing of data is really "occasional" and is unlikely to risk the rights of EU citizens, may you consider claiming an exemption from this requirement.
Many companies not resident in the EU are surprised that the GDPR regulation applies to their business where it is shown that the business processes personal data of EU data subjects. Translation: if a company is collecting, holding, monitoring or processing personal data of any person physically within the EEA (EU, Iceland, Norway, Liechtenstein), the GDPR most likely applies.
Companies need to determine whether they are "controllers" of personal data or "processors" acting on behalf of the controller. GDPR treats the data controller as the principal party responsible for collecting consents from the data subjects, managing the revoking of consents, enabling rights of access and assuring adequate data security. The European Data Protection Board expects processors to take reasonable steps to secure data using tools such as encryption, pseudonymization, stability and uptime, backup and disaster recovery and regular security testing. If a data breach occurs, processors must notify data controllers without undue delay upon learning of it. Companies may allow transfer of personal data to a third country only if legal safeguards are obtained.
Getting one’s arms around GDPR compliance is no easy task. With apologies to David Letterman (who, technically, has not been hosting the Late Show for four years), provided below are the top eight things to consider for GDPR compliance:
No. 8. If you are not in GDPR compliance, penalties of up to 20 million Euros (or more for companies with over 500 million in total revenue) may technically apply under applicable EU law.
Since most U.S. states separately require written information security protocols to be in place, and the FDA and other applicable federal agencies expect data protection to be a central portion of your compliance program, the GDPR penalty may be a catalyst for non-EU companies, but there are already other far-reaching data security requirements.
No. 7. GDPR compliance includes addressing four key ingredients: data governance, breach response, risk assessment and finally compliance management.
So you need to assess your company’s governance of personal data and develop a road map. This may involve mapping current processes and designing management tools and standards. After your company is "transformed," or perhaps deemed to be operating in accordance with appropriate data management processes, you must undertake appropriate audits to assess how your company’s risk is being managed and what remediations need to be undertaken.
No. 6. Even if you are presently not compliant, establish a timetable and monitoring program.
Each company’s journey will be different, and so will each assessment of how personal data is being managed. Examine closely how your data governance program is being undertaken (be sure, among other things, that you are managing your data in accordance with your own policies). What protections do you have in place? What training programs do you have in place?
No. 5. In assembling the GDPR roadmap, make certain individual owners are accountable for important aspects, including data breach reporting, anonymization, structuring data, privacy, privacy shields and cross-border data transfers.
Map out who is directly responsible and who is responsible for enforcement. Identify the impacts and the priority areas.
No. 4. Identify your core areas of GDPR focus.
You may have more areas of focus but be sure to include breach notification, data portability, consent, profiling, right to object, the responsibilities of the data privacy officer, and how third-party vendors may impact your compliance with GDPR.
No. 3. Undertake a gap analysis.
Depending upon the size and complexity of your business, this could involve an extensive inquiry, complete with addressing what controls are currently implemented, what the maturity of the controls is, how one validates evidence, and who is responsible for governance. The gap analysis should include (i) identifying the policies and procedures that govern the collection and processing of data subject information; (ii) assessing whether you are transparent in communicating what the information will be used for; (iii) whether you have set explicit limits on the use of information; (iv) whether you hold only relevant information that aligns with your original lawful purpose for collection; and (v) whether you have appropriate safeguards on the personal information that will be processed.
No. 2. Changing organizational culture to comply.
You must organize internal processes, including designating a driver for the management of information and documentation of compliance.
No. 1. Recognize that the management of GDPR compliance is ongoing.
As more and more businesses transform to electronic commerce, the management of data is ongoing and continuing.
I know it’s a lot and it is impactful on your business, but it’s the law, and most likely if you do business with the EU and EEA, it applies to you.
About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers.