Seven steps to GDPR compliance for corporate legal departments

With the introduction of the General Data Protection Regulation (GDPR) the European Union (EU) Parliament has set an impressively high standard for data privacy.

Set to take effect on May 25, 2018, GDPR requires any organization that collects or manages the personally identifiable information (PII) of any European citizen or any person residing in an EU country to adhere to an extensive set of requirements. It replaces Directive 95/46/EC (DPD) of 1995 by imposing a set of more stringent controls that give EU residents greater control of their personal data.

GDPR also introduces some potentially costly penalties for non-compliance. These include fines of up to €20 million (21.4 million dollars) or four percent of an organization’s annual revenue (whichever is greater) – financial penalties that are significantly higher than what was possible under the DPD. Non-compliance can also result in intangible damages, including irreparable harm to an organization’s reputation, which can be extraordinarily detrimental in the long run.

GDPR and its implications

GDPR is a sweeping Regulation designed to protect the PII of all citizens and residents of the EU. It is composed of 99 Articles that dictate how and why PII can be collected, and the methods for processing, securing and accessing an individual’s PII. It applies to all organizations that do business in the EU or manage PII on EU citizens or residents; it does not apply to U.S. based organizations if they do not hold data on those individuals. However, any organization doing business with a company based in the EU, or holding PII of any EU citizen anywhere in the world or any current resident of the EU, must adhere to the requirements of GDPR.

GDPR effectively puts control of PII directly in the hands of the individual whose personal data is being collected. In order for the processing of PII to be lawful, a data controller must have the consent of a data subject or another lawful basis to do so under GDPR. Even then, PII can only be collected for a very specific purpose, and that purpose must be clearly articulated to the individual. EU citizens and residents have the right to demand their information be deleted by the organizations collecting their information, including any third-party partners, and can request access to their PII at any time.

GDPR compliance requires having a combination of the right tools and processes in place. For example, an entity (which can be either a business or person or both) that processes PII subject to GDPR may need to deploy specific types of tools to ensure that their email communications containing PII are encrypted. They may also need to develop a notification process and incident response plan to follow in the case of a breach, implement a system for responding to requests from data subjects for copies of their PII, and institute a process to correct inaccuracies in their PII.

Seven steps to GDPR compliance

The EU bills GDPR as “the most important change in data privacy regulation in 20 years.” Indeed, with the regulation, corporate legal departments will face an entirely new world of data management requirements that go far beyond anything that has ever been implemented before. As such, preparing for and maintaining compliance with GDPR will undoubtedly prove challenging for many corporate legal departments, particularly mid-market or smaller organizations that may not be currently equipped to handle GDPR’s rigorous requirements.

2. Assign a data protection officer (DPO)

The GDPR focuses on the accountability of those processing PII. A key foundational element of this concept is demonstrating a company’s compliance with GDPR’s 99 Articles.

The responsibility for supplying proof of compliance will fall to the DPO, an important new position required by GDPR for organizations meeting certain requirements or if mandated by local law (GDPR Article 37). The DPO will oversee the mechanisms a company employs to comply with GDPR and interaction among the Regulation’s principle “personas.”

The DPO will also be responsible for maintaining primary oversight of data processing activities. If an EU resident requests access to their PII, it will ultimately be up to the DPO to ensure that the request is handled expeditiously and within the requirements of GDPR.

Likewise, if a breach is detected, the DPO will be responsible for overseeing their organization’s data breach notification scheme. Under GDPR guidelines, once a breach is detected, organizations have 72 hours to report the breach to supervisory authorities. That is not a lot of time, so DPOs must be ready to react very quickly.

3. Review data monitoring processes

GDPR Article 25, “Data protection by design and by default,” calls for the use of appropriate technical and organizational measures to ensure the protection of PII. While GDPR does not specifically spell out the tools that organizations must use for this purpose, the message is clear: data controllers must deploy whatever tools may be necessary to ensure the integrity of their data subjects’ PII. Furthermore, they must ensure that they have the right tools and capabilities in place to continuously monitor and control the security of their data subjects’ information. Those tools should themselves be GDPR compliant and possess robust security and data encryption capabilities.

It is worth noting that data processors – the third-party entities that controllers use to handle PII - are also responsible for maintaining the same levels of data integrity and security. Corporate legal departments must ensure that law firms and other legal service providers are adhering to the same stringent standards as they themselves are practicing, and share a commitment to using the appropriate tools and processes for data protection. This is not a “check the box” procedure; corporate legal departments must verify and agree with all the specific processes and tools vendors have in place to protect PII data.

4. Implement high data encryption standards

GDPR requires that organizations take appropriate technical and organizational measures regarding the protection of personal data. While this could be done in many ways, pseudonymization and encryption of PII are very effective ways to accomplish this mandate.

In fact, it is vitally important that corporate legal departments encrypt the type of data covered by GDPR whenever and wherever possible – certainly within databases and email communications, but also in regards to the types of web browsers that employees may be using. Some browsers may not use the right level of Secure Sockets Layer (SSL) protocols and thus may not be GDPR compliant.

Finally, before transmitting any PII beyond the EU, corporate legal departments should enter into EU-approved contractual clauses with their vendors. This is an important point for U.S. - based departments that might be doing business with law firms or other legal service providers in the EU.

5. Practice proper data management hygiene

Unlike other industries, such as financial services or healthcare, the legal industry is not required to discard personal data after a specific period of time. However, GDPR’s Principle 5, “Principles relating to the processing of personal data,” contemplates data retention periods and states that PII shall not be kept for longer than is necessary for the purposes for which the personal data is processed.

Corporate legal departments must practice good data management hygiene by discarding old data that is no longer relevant.

Teams should reassess their data retention policies to ensure that older information that is no longer needed is expunged. Meanwhile, print and digital archived case records that are still viable should meet the same level of security as required for new data.

Of course, under GDPR, data subjects have many rights. In addition to the “right to be forgotten,” they also enjoy the “right to access,” “right to portability,” and “right to rectification.” When an employee or any data subject demands access to their data (“access”), requests to take that data with them to a new job (“portability”), or to have it be corrected (“rectification”) or erased (“forgotten”), the data controller must respond in an expeditious manner. In the case of “right to access,” the data must be provided in electronic format. Organizations must have processes in place that allow them to do all of this accurately and effectively.

6. Update vendor contracts, end user licensing agreements (EULAs), and terms of use documents (TOU)

Data controllers within corporate legal departments should carefully review the contracts they have with their vendors to ensure that those agreements contain privacy language specific to GDPR and address the legislation’s Cross-Border Data Transfer limitations if the PII leaves the EU. If they do not, they should request that their vendors furnish them with updated contracts addressing these concerns. A corporate legal department should also review any EULAs or TOUs their corporations utilize with customers and end-users and update the terms of those documents to address GDPR requirements, with special attention spent on the privacy and data protection provisions.
Data controllers should also ensure that their organization’s lawyers and other end users who are using a vendor’s products are aware of the data that is being collected about them and how it is managed.

7. Perform a data protection impact assessment

As previously stated, corporate legal departments must ensure that law firms and other vendors they work with are GDPR compliant. Indeed, Article 35 of GDPR requires a Data Protection Impact Assessment (DPIA) “where a type of processing…is likely to result in a high risk to the rights and freedoms of a natural person.”

This requirement can be addressed by administering an electronic risk assessment questionnaire. The data controller can create a series of questions specific to their organization’s data privacy policy and requirements and ask their vendors to respond. This assessment helps determine which firms have acknowledged the privacy policy and are in compliance with GDPR, allowing corporate legal teams to open up an honest dialog with their legal service providers and encourage them to get on board. Corporate legal departments should establish a process to update this assessment at a certain frequency.

To learn more about how CT Corporation can help you better manage your compliance requirements, contact a CT Corporation specialist today.

This information is not intended to provide legal advice or serve as legal research to address specific situations.