What Will Compliance with
the GDPR Really Look Like?
Thomson Reuters identifies the pain points for corporate legal departments facing the GDPR compliance requirements that take effect in May 2018.
by Sterling Miller
As we start to go deeper into 2018, there are a number of mysteries hanging out there on the minds of many good people: Does Bigfoot exist? Why is it called soccer? When will the next Game of Thrones book come out? And perhaps most importantly, what will compliance with the GDPR actually look like? As general counsel of a company that processes a good bit of personal data, I can tell you it is a question of high interest for my team and myself. As we approach the May 25th effective date of the GDPR, the question of what compliance will look like post-GDPR weighs heavily on the minds of more and more corporate counsel.
I’ve been involved with data privacy issues since the mid-1990s. I’ve met and dealt with many privacy regulators over the years and have been responsible for privacy compliance since before the 1995 EU Privacy Directive was first published. Using this experience, I hope to share some ideas about what’s coming and what in-house legal departments should be doing to comply with the GDPR. Granted, none of us knows how the various EU officials will actually enforce the dense text of the GDPR, but there are some things experience and common sense tell us we should focus on. To start, keep in mind the core principles of the GDPR:
These are your guiding star to GDPR compliance. Additionally, you need to understand whether you are a Data Controller (the individual or company that determines the purposes and means of processing personal data), a Data Processor (the individual or company that processes personal data on behalf of a Controller), or both. Your obligations and exposure under the GDPR depend on your classification.
In my experience, regulators rarely act arbitrarily when enforcing a statute, especially one as new as the GDPR. Instead, what they generally want is proof you are working in good faith to comply and that you respect the process, including your interactions with the regulators themselves. If you are deliberately not complying or you disrespect the process (and the regulators), your company can find itself in a mess of problems. Below are 10 suggestions on where companies should focus first to comply with the regulation:
The first thing to understand is whether or not the GDPR covers your company. The question isn’t whether your company operates in the EU; the question is whether your company processes the personal data of individuals in the EU. If you do so directly (Controller) or on behalf of another company (Processor), you are covered, no ifs, ands, or buts. If you’re not covered, you can stop reading here. For the rest of us, you need to place your bets. By this I mean: are you going to try to comply, or are you going to ignore it or sit back and wait to see what happens? The latter is a strategy some companies are using (both here in the United States and elsewhere), but it is a risky choice. First, if for some reason you fall under a regulator’s gaze, you will have absolutely no defense to claims that you violated the law (and the fines can be quite high now, especially for those showing no effort to comply). Second, if you are a Processor, your customers are going to ask whether you are GDPR compliant or not. If you are not, your business relationship may be shorter than you wish, or you may start to struggle to win business. Third, if you are a publicly traded company and have not disclosed your lack of compliance, you can find yourself on the wrong end of a lawsuit if you get caught. If you are covered, make the effort to comply. Perfect compliance is not the standard, at least not by May 25. Good-faith, substantial, and constantly improving compliance should be the goal coming out of the gate.
Under GDPR Article 37, if your core activities consist of large-scale, regular and systematic monitoring of individuals, or of large-scale processing of special category (i.e., sensitive) data, then you need to appoint a Data Protection Officer (DPO). Note, however, that there is little guidance on what volume qualifies as “large scale,” so you need to decide where to draw the line. You can also voluntarily appoint a DPO if you want to demonstrate a positive attitude toward the GDPR. If you process a good amount of personal data, you should appoint a DPO and not risk it. The DPO can be an outside party or an internal employee, but needs to be an expert on data protection law and practice. The DPO is responsible for:
You must ensure the DPO can operate independently, reports directly to senior management, receives appropriate resources to perform the job, and cannot be dismissed or penalized for doing that job.
Your Data Protection Officer is charged with monitoring compliance with the GDPR and with your company’s data protection policies. The best way to support this is by establishing a robust training program so that your company’s employees are aware of data protection and privacy issues. The most effective approach is a yearly privacy training course that must be completed and passed by all employees, including senior management. This can easily be done online. There are lots of “out of the box” training modules, and if they can be modified, you can increase comprehension by including data protection and privacy examples specific to your company’s business. Additionally, regular company-wide reminders from the DPO about the company’s policies and expectations are helpful. Finally, be sure to spend extra time (in person, if possible) with groups of employees who work with data or in marketing, as they are the most likely to conceive of a use of personal data that may be problematic. If you train them to reach out to the DPO at the “idea stage,” you can avoid a lot of problems.
Sterling Miller has spent almost 25 years as an in-house lawyer, including three stints as General Counsel. He is certified by the IAPP (CIPP/US). You can read his award-nominated blog “Ten Things You Need to Know as In-House Counsel” at www.TenThings.net and follow his regular posts on LinkedIn or Twitter @10ThingsLegal. His second book, Ten Things You Need to Know as In-House Counsel: Practical Advice and Successful Strategies, was published by the American Bar Association in 2017.