“So, have I missed the boat to get ready for the GDPR?” “Will I get fined for not being fully up to speed?” “What is the worst thing that can happen if I am not complying by May 2018?” These are some of the most frequently asked questions currently accompanying the efforts (or lack of them) to prepare for the GDPR.
The GDPR is an ambitious, complex and strict law that will transform the way personal information is collected, shared and used globally. The organisational changes required to comply with this framework will be substantial and the potential consequences of not doing things properly can be severe. Therefore, it is not surprising that the climate around the GDPR and its compliance requirements is one of panic.
It is probably fair to say that some of this may have been exacerbated by over-zealous lawyers and other providers keen to service the market. The constant references to stratospheric fines and fiercely empowered regulators have only contributed to unsettling the situation. Yet the GDPR was in the making for several years and the end result is not a million miles away from the original legislative proposal all those years ago.
For this reason, it is not only advisable, but imperative to approach GDPR compliance in a calm and organised way. As a starting point, it is essential to appreciate what is significant about the GDPR for the organisation and identify the priorities for compliance in each case. Then, it is a matter of implementing a practical and realistic compliance programme taking into account those priorities, the resources available and the timeframes involved.
Prioritising what matters
Something important to understand at the outset is the overall aim underpinning the GDPR: putting people in control of their data. This is a theme that is present throughout the text and is emphasised by the strengthening of “consent” in relation to the use of data. When relied upon as a justification for the use of data, consent will need to meet very high standards. Assessing the lawful grounds for processing and, to the extent necessary, the right consent mechanism will always be at the top of the list.
Individuals’ control over their data is also visible through significantly reinforced rights, including:
- information to be provided to individuals at the point of data collection or within a reasonable period afterwards;
- right of access for the data subject;
- right to rectification;
- right to erasure, also known as “right to be forgotten”;
- right to restriction of processing;
- right to data portability;
- right to object to the processing altogether; and
- right not to be subject to a decision based solely on automated processing.
Transparency, erasure and portability in particular are likely to emerge as crucial tools for individuals to use in the face of an ever-growing hunger for our digital data. Therefore, preparing for compliance with these rights is likely to feature quite highly on the To Do list of most organisations.
Focus on practicalities
From a practical perspective, one of the most notable novelties of the GDPR is the various requirements to make businesses more accountable for their data practices. Brand new responsibilities include:
- implementation of data protection policies;
- data protection by design and data protection by default;
- record keeping obligations by controllers and processors;
- co-operation with supervisory authorities by controllers and processors;
- data protection impact assessments;
- prior consultation with data protection authorities in high-risk cases; and
- mandatory data protection officers for controllers and processors for the public sector and Big Data processing activities.
On the data security front, highlights include:
- Extremely detailed requirements for controllers to impose contractually onto vendors acting as processors. From a day-to-day compliance perspective, this will be one of the toughest challenges, particularly when engaging cloud services or any of the off-the-shelf solutions on which every business relies to communicate and store data.
- Data breach notification to data protection authorities within 72 hours of spotting an incident. This obligation does not apply if there is no risk for individuals, but if the risk is high, controllers and processors will need to notify the individuals as well.
Given the emphasis placed by regulators on practical compliance and the fact that these responsibilities are new, it is very likely that a degree of effort will need to be devoted to dealing with these issues.
Another critical aspect that must not be forgotten is the restrictions on data transfers to non-EU jurisdictions. Aside from transfers to jurisdictions that are officially declared by the European Commission to be adequate, both controllers and processors may only transfer personal data outside the EU if they put in place appropriate safeguards. Given the increased attention paid by regulators to this issue, identifying the right legal mechanism – typically a contractual solution or Binding Corporate Rules – to deploy those safeguards will also be essential.
Getting started
For some organisations, it may be obvious which aspects of the GDPR have a greater impact on them. But in any event, it will always be a good idea to carry out some sort of GDPR compliance assessment following this type of approach:
- Information gathering. In the first instance, it will be necessary to gather the relevant information about the data processing operations and privacy practices taking place.
- Compliance gap analysis. After all the necessary information has been gathered, it should be reviewed in detail (together with any documentation provided) to determine the key areas for compliance and identify any compliance gaps to address.
- Project plan. It should then be possible to decide what specific steps the organisation must take to comply with the GDPR. Any identified actions will need to be considered from the point of view of both resources and timing, so that they can be prioritised accordingly.
GDPRnow
Time for the plug now. To assist with this process, Hogan Lovells has launched GDPRnow, a mobile application that provides organisations with assistance to identify practical steps to comply with the new framework. Conceived entirely in-house by the firm’s Privacy and Cybersecurity team, GDPRnow is the first mobile app ever aimed at generating a GDPR compliance action plan specific to an individual business’s activities.
Businesses and organisations seeking to ensure compliance before the deadline for GDPR implementation are able to download a bespoke report with practical actions and priorities automatically generated on the basis of answers to a series of questions about their data activities. The app, free to download to iOS, Android and Windows devices, also contains a wealth of information and practical guidance on the GDPR.
GDPRnow is the result of Hogan Lovells’ experience working with companies across all industry sectors that are looking for a clear roadmap for compliance. The GDPR clock is ticking and affects all businesses. GDPRnow provides a fast, simple and effective tool to identify what matters the most and what compliance steps should be prioritised.
The coming months will be critical to prepare for compliance with what promises to be a game-changing piece of legislation. EU regulators are certainly getting ready for it, so the time for action is now.
Eduardo Ustaran is a partner in the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran.