One of the most important items on the agenda of any corporate law team this year will be making sure their company complies with Europe's General Data Protection Regulation (GDPR) by 25 May 2018, the date from which it will be enforced.
At many companies the legal team is responsible for data privacy, so there is ample reason to prioritize this. Given that the EU views data privacy as a fundamental-rights issue, and that firms have had a two-year run-up to next May's deadline, privacy experts predict that data protection authorities will be on the lookout for egregious examples of non-compliance so they can single them out and begin enforcement.
Most companies are not yet ready for the legislation, which applies to any company that processes the personal data of people in the EU, whether or not the company itself is established there. It is not that they have not started. A study of 244 privacy professionals by the International Association of Privacy Professionals (IAPP) late last year showed that "more than 90% of organizations with privacy professionals in place have begun preparations."
More recently, however, a survey of 2,500 senior executives in the US, Europe, the Middle East, Africa, and Asia Pacific showed that 54% of companies have not "advanced their GDPR readiness." Giovanni Buttarelli, the European Data Protection Supervisor, has suggested that firms should have plans in place by now. Buttarelli told CEB in October that companies must "start thinking now, but acting no later than the middle of 2017."
What to Do
Failing to comply with the new rules could cost firms a lot of money. The regulation sets two tiers of maximum fine, depending on the nature of the violation. For the lower tier, fines can reach 2% of annual global turnover or €10 million, whichever is higher. For the upper tier, which covers breaches of the core principles, data subjects' rights, and international transfers, fines can reach 4% of annual global turnover or €20 million, whichever is higher. For some firms that amounts to billions of dollars.
If they haven’t already, firms should focus on two important tasks to get “GDPR ready.”
Appoint a data protection officer: The requirement for a data protection officer (DPO) is one of the most significant changes in the regulation. All public authorities, controllers or processors whose core activities involve "regular and systematic monitoring of data subjects on a large scale," and entities whose core activities involve large-scale processing of "special categories of personal data" (such as health, biometric, or criminal-conviction data) must appoint a DPO.
The GDPR does not list precise credentials for the DPO position, but it does require the person to have "expert knowledge of data protection law and practices." In addition, the regulation says the DPO must report directly to the highest level of management, must be given access to the organization's personal data and processing operations, and, crucially, must be independent: the DPO may not receive instructions on how to carry out the role and may not be dismissed or penalized for performing it.
This requirement leaves plenty of room for flexibility. The Article 29 Working Party, the body of EU data protection authorities that issued the final DPO guidelines, clarified that while an organization (or a group of companies) appoints a single DPO, that official can be backed by a team. It also recommended that the DPO be located in the European Union unless the organization "has no establishment within the European Union."
Conduct privacy impact assessments: A privacy impact assessment (the GDPR's own term is a "data protection impact assessment," and Article 35 makes one mandatory wherever processing is likely to result in a high risk to individuals) is a formal process to assess the privacy risks inherent in a particular business project or initiative and to implement appropriate controls and mitigation steps. The process should be broken down into five steps: project intake, risk triage, impact assessment, control selection, and monitoring (see Chart 1). Where the assessment still shows a high residual risk, the regulation requires consulting the supervisory authority before processing begins.
Chart 1: Privacy impact assessment process map (Source: CEB analysis)