Be Ready for New EU Privacy Regulations
New EU Privacy Regulations
New EU Privacy Regulations were approved in 2016. There is a transition period and the new Directive takes effect in May of 2018. The new Directive is known as the EU General Data Protection Regulation (GDPR). A summary of the Directive can be found at http://ec.europa.eu/justice/data-protection.
This article summarizes some of the factors that corporations and law firms need to consider when planning for GDPR. That planning should start from a detailed understanding of the GDPR requirements themselves.
The GDPR contains new protections for EU residents and threatens significant fines and penalties for noncompliance. A key change to EU data privacy comes with the extended jurisdiction of the GDPR, as it applies to all organizations processing the personal data of data subjects residing in the EU, regardless of the organization’s location. Issues addressed in the new Directive include:
- Cross-border data transfers and where data can be maintained
- Data subject consent, which has several requirements, including:
  - Must be “freely given”
  - Must be “specific”
  - Must be “informed”
  - Silence is not consent
- Data subject rights under GDPR, such as:
  - The Right to be Forgotten
  - The Right to Access
  - Data Portability
- Breach notification
While GDPR is not a technology issue, data management and the use of technology are important elements of it. In addition to the substance of the practice, GDPR can impact several functional areas within an organization, including:
- Marketing and Business Development
- Information Governance
- Technology, including cross-border data transfer issues. Under GDPR, any access to data in the EU from outside the EU, even for system management purposes, is considered a potential cross-border data transfer. The transfer of personal data to recipients outside the EU is generally prohibited unless:
  - the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
  - the data exporter puts in place appropriate safeguards; or
  - an exemption applies.
Data can be stored outside the EU if certain conditions are met, including by following the EU Privacy Shield requirements.
GDPR is More Than a Technology Issue
Firms should also prepare to address the other, non-technology-related requirements under GDPR. These include, but are not limited to:
- Staff consent, including communication with clients and customers as to data retention and security
- Ensuring that the Firm is meeting GDPR requirements for data subject rights
- The need for a Data Protection Officer
- Website notification language
- Other information governance and communication policies required under GDPR such as breach notification
There are several steps that should be taken to prepare for GDPR.
- Identify the functions within the organization that are likely to be impacted (as noted above these include HR, Accounting and Marketing)
- Raise awareness with key stakeholders
- Assign responsibilities
- Assess the impact of GDPR on the organization, and specifically which data needs to be addressed under GDPR; this should include:
  - Documenting relevant data and data flows
  - Assessing risk
- Develop and implement a plan to comply with GDPR