As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
We have written previously in this space about the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track for GDPR compliance:
- Data Protection Officer: If your company is processing a significant volume of data or processing “sensitive data,” you may be required to appoint a data protection officer (DPO) to monitor GDPR compliance. The regulation does not require the DPO to be a unique, stand-alone position, but if your company is required to have a DPO and does not already have someone in-house with the ability and willingness to take on that role, it may be necessary to make a new hire.
- Consent issues: The GDPR expressly states that prechecked opt-in boxes are not adequate to establish consent. Thus, companies relying on prechecked boxes need to adjust how they obtain consumer consent. Additionally, affected businesses need to have protocols in place that give customers the ability to transfer their data to another company upon request and the right to have it erased. These are foreign concepts to many U.S. companies and may require significant modifications to your systems and procedures. Accordingly, this is an issue that should be addressed now, before a business receives a consumer request.
- Appropriate technical and organizational measures: There is no express set of requirements for meeting the standard of “appropriate technical and organizational measures” under the GDPR, but regulators will look at things like encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Now is the time for companies to assess the adequacy of their data protection mechanisms.
- Breach notification procedures: It is important to have a system in place to provide data breach notifications promptly and efficiently. The GDPR requires disclosure to regulators within 72 hours and notice to affected customers without unreasonable delay. Businesses covered by the GDPR can ill afford to be developing data breach response protocols and strategy after an incident has already occurred.
- Ongoing assessment: The GDPR requires having a system in place to conduct privacy impact assessments and compliance reviews on a regular basis. Thus, affected companies that have not implemented such mechanisms should have a plan for doing so before May 25, 2018.