2. Assign a data protection officer (DPO)
The GDPR focuses on the accountability of those processing PII. A key foundational element of this concept is being able to demonstrate a company's compliance with GDPR's 99 Articles (Article 5(2)).
The day-to-day work of monitoring compliance and demonstrating it to supervisory authorities will largely fall to the DPO, a position GDPR requires for organizations that meet certain criteria (public authorities, or controllers and processors whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data) or where local law mandates one (Article 37). The DPO monitors the mechanisms a company employs to comply with GDPR and the interaction among the Regulation's principal "personas" (data subjects, controllers, processors and supervisory authorities). Note that the DPO advises and monitors; legal accountability for compliance remains with the controller itself.
The DPO will also maintain primary oversight of data processing activities. Where an EU data subject exercises a right, such as requesting access to their PII, the DPO should ensure that the request is handled within the statutory deadline: without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests (Article 12(3)).
Likewise, if a breach is detected, the DPO will oversee the organization's data breach notification scheme. Under Article 33, once a controller becomes aware of a personal data breach it must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected data subjects must also be informed (Article 34), and a processor must notify its controller without undue delay. That is not a lot of time, so DPOs must be ready to react very quickly, which in practice means having an incident response procedure, supervisory authority contact details and notification templates prepared before a breach occurs.
3. Review data monitoring processes
GDPR Article 25, "Data protection by design and by default," calls for the use of appropriate technical and organizational measures to ensure the protection of PII. While GDPR does not specifically spell out the tools that organizations must use for this purpose, the message is clear: data controllers must deploy whatever tools are necessary to ensure the integrity and confidentiality of their data subjects' PII. Furthermore, they must ensure that they have the right tools and capabilities in place to continuously monitor and control the security of their data subjects' information. Those tools should themselves be GDPR compliant and possess robust security, access control and data encryption capabilities.
It is worth noting that data processors, the third-party entities that controllers use to handle PII, are directly bound by the Regulation as well (Articles 28 and 32) and must maintain the same levels of data integrity and security. Corporate legal departments must ensure that law firms and other legal service providers are adhering to the same stringent standards as they themselves are practicing, and share a commitment to using the appropriate tools and processes for data protection. This is not a "check the box" procedure; corporate legal departments must verify, and agree in writing with, the specific processes and tools vendors have in place to protect PII.
4. Implement high data encryption standards
GDPR Article 32 requires that organizations take appropriate technical and organizational measures to secure personal data, taking into account the state of the art, the cost of implementation and the risk to data subjects. It leaves the choice of measures to the controller but names pseudonymisation and encryption of personal data explicitly in Article 32(1)(a), and both are very effective ways to meet this mandate. Encryption also matters for breach handling: Article 34(3)(a) relieves the controller of the duty to notify data subjects where the breached data was rendered unintelligible to unauthorized persons, for example by encryption whose keys were not compromised.
In fact, it is vitally important that corporate legal departments encrypt the type of data covered by GDPR whenever and wherever possible: at rest in databases, file shares and backups, in email communications, and in transit to the cloud-hosted tools that employees reach through their web browsers. On that last point, the browsers and servers involved should negotiate current Transport Layer Security (TLS) versions (TLS 1.2 or 1.3). Secure Sockets Layer (SSL) and early TLS versions are deprecated with known weaknesses, so a client or server that still accepts them does not provide the "appropriate" protection Article 32 calls for. Encryption only delivers this protection when the keys are managed separately from the data they protect and access to them is restricted and logged.
Finally, before transmitting any PII outside the EU/EEA, corporate legal departments should put a Chapter V transfer mechanism in place with their vendors, most commonly the European Commission's standard contractual clauses (SCCs) under Article 46. This is an important point for U.S.-based departments that receive data from, or share data with, law firms or other legal service providers in the EU.
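Pseudonymisation, in the sense Article 4(5) gives the term, means the data can no longer be attributed to a person without "additional information" that is kept separately. The following is an added example written for this page, not code from CT Corporation or from any product it describes; the sample records, the guess list and the choice of HMAC-SHA256 as the pseudonymisation function are assumptions for illustration. It contrasts an unkeyed hash of an e-mail address, which an attacker can confirm from a short guess list, with a keyed pseudonym whose key is the separately held "additional information", and shows authorized re-identification by the controller that holds the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictitious people and matter numbers.
RECORDS = [
    {"email": "alice@example.com", "matter": "M-1001", "status": "open"},
    {"email": "Bob@Example.com",   "matter": "M-1002", "status": "closed"},
    {"email": "alice@example.com", "matter": "M-1003", "status": "open"},
]

# Constructed guess list, e.g. addresses harvested from a company directory.
GUESS_LIST = ["carol@example.com", "bob@example.com", "alice@example.com"]


def normalize(identifier: str) -> bytes:
    """Canonicalize before hashing so 'Bob@Example.com ' and 'bob@example.com'
    map to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def unkeyed_hash(identifier: str) -> str:
    """The weak form: a plain SHA-256 of the identifier. An e-mail address has
    little entropy, so anyone who can guess it can confirm the guess by hashing."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key. Deterministic per key,
    so records about one person still join on subject_id, but the identifier
    cannot be recovered or verified without the key. The key is the
    'additional information' of Article 4(5) and lives in a separate store."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier with a pseudonym; all other fields are kept."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != "email"}
        new["subject_id"] = pseudonymize(rec["email"], key)
        out.append(new)
    return out


def dictionary_attack(target: str, guesses, fn):
    """Run each guess through fn; return the guess that reproduces target, else None."""
    for g in guesses:
        if hmac.compare_digest(fn(g), target):
            return g
    return None


def re_identify(subject_id: str, key: bytes, known_identifiers):
    """Authorized re-identification: the controller, holding the key, recomputes
    pseudonyms for identifiers it legitimately knows (e.g. from its HR system)."""
    return dictionary_attack(subject_id, known_identifiers,
                             lambda i: pseudonymize(i, key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a KMS or secrets store
    pseudo = pseudonymize_records(RECORDS, key)
    print(pseudo)
    # The unkeyed hash is confirmed from a three-entry guess list ...
    print(dictionary_attack(unkeyed_hash("alice@example.com"), GUESS_LIST, unkeyed_hash))
    # ... the keyed pseudonym is not, unless the attacker also obtains the key.
    print(dictionary_attack(pseudo[0]["subject_id"], GUESS_LIST, unkeyed_hash))
    print(re_identify(pseudo[0]["subject_id"], key, GUESS_LIST))
```

Two practical consequences follow from the design. The key must never sit in the same database or backup as the pseudonymised records, since whoever holds both can re-identify everyone; and rotating the key changes every pseudonym, so joins across old and new data need a planned re-keying step. Pseudonymised data is still personal data under GDPR (Recital 26) because the controller can reverse it; it reduces risk, it does not remove the data from scope.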
5. Practice proper data management hygiene
Unlike other industries, such as financial services or healthcare, the legal industry is not subject to a single sector-wide rule requiring personal data to be discarded after a specific period of time. However, GDPR's Article 5, "Principles relating to processing of personal data," contains the storage limitation principle (Article 5(1)(e)): PII shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
Corporate legal departments must therefore practice good data management hygiene by discarding old data that is no longer needed for a documented purpose.
Teams should reassess their data retention policies, define a retention period and a lawful basis for each category of record, and ensure that older information past its retention period is expunged from production systems and backups alike. Meanwhile, print and digital archived case records that must still be retained (for example, under a litigation hold or a statutory obligation) should be protected to the same standard as new data.
Of course, under GDPR, data subjects have many rights. In addition to the right to erasure (the "right to be forgotten," Article 17), they enjoy the right of access (Article 15), the right to data portability (Article 20) and the right to rectification (Article 16). When an employee or any other data subject asks what data is held about them (access), asks to receive that data or have it transmitted to another controller (portability), or asks to have it corrected (rectification) or erased (forgotten), the data controller must respond without undue delay and in any event within one month (Article 12(3)). An access request made by electronic means must be answered in a commonly used electronic form unless the data subject asks otherwise (Article 15(3)), and portable data must be supplied in a structured, commonly used and machine-readable format (Article 20(1)); portability covers only data the subject provided that is processed by automated means on the basis of consent or a contract. Organizations must have processes in place that let them locate every copy of a person's data and do all of this accurately and on time.
6. Update vendor contracts, end user licensing agreements (EULAs), and terms of use documents (TOU)
Data controllers within corporate legal departments should carefully review the contracts they have with their vendors to ensure that those agreements contain the processor terms Article 28(3) requires (processing only on the controller's documented instructions, confidentiality obligations on staff, Article 32 security measures, controls over sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the engagement, and audit rights) and address the Regulation's Chapter V cross-border transfer restrictions if the PII leaves the EU. If they do not, they should request that their vendors furnish updated contracts addressing these concerns. A corporate legal department should also review any EULAs or TOUs their corporations use with customers and end-users and update the terms of those documents to address GDPR requirements, with special attention paid to the privacy and data protection provisions and to the transparency information Articles 13 and 14 require.
Data controllers should also ensure that their organization's lawyers and other end users who use a vendor's products are aware of the data that is being collected about them, how it is managed and how long it is retained.
7. Perform a data protection impact assessment
As previously stated, corporate legal departments must ensure that the law firms and other vendors they work with are GDPR compliant, and they must also assess the risk of their own processing. Article 35 of GDPR requires a Data Protection Impact Assessment (DPIA) "where a type of processing, in particular using new technologies ... is likely to result in a high risk to the rights and freedoms of natural persons." Article 35(3) gives examples: systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special categories of data or criminal conviction data, and large-scale systematic monitoring of publicly accessible areas.
A DPIA must, under Article 35(7), contain a systematic description of the processing and its purposes, an assessment of its necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks; the DPO's advice must be sought (Article 35(2)). The vendor side of this requirement can be addressed by administering an electronic risk assessment questionnaire. The data controller can create a series of questions specific to their organization's data privacy policy and requirements and ask their vendors to respond. This assessment helps determine which firms have acknowledged the privacy policy and are in compliance with GDPR, allowing corporate legal teams to open up an honest dialog with their legal service providers and encourage them to get on board. The questionnaire supports the DPIA but does not replace it. Corporate legal departments should establish a process to update both the assessment and the questionnaire at a defined frequency and whenever the processing or its risk changes (Article 35(11)).
To learn more about how CT Corporation can help you better manage your compliance requirements, contact a CT Corporation specialist today.
This information is not intended to provide legal advice or serve as legal research to address specific situations.