Five Preliminary Steps for U.S. Organizations to Comply With the GDPR
After coming into effect on May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) poses a compliance challenge to U.S. organizations that handle or control personal data on people who are in the E.U. The GDPR imposes comprehensive requirements to protect the rights of data subjects and allow them to influence the use of their personal data. In an increasingly data-driven and globalized economy, U.S. organizations need to determine if they are affected by the GDPR, understand their obligations, and construct processes and policies to comply with the GDPR and avoid substantial fines. If you know your organization is a GDPR-regulated “controller” of personal data, here are five steps you can take to begin the process of compliance:
1. Conduct a data inventory and identify lawful bases. Using questionnaires and interviews of knowledgeable employees, take inventory of the personal data you have and identify its sources, what you do with it, and with whom you share it. As you inventory the personal data, identify your legal bases for using the data; three commonly relied-upon bases are: (1) you need to use the data to perform a contract with the data subject, (2) the data subject has consented to the use of the data, and (3) you have a legitimate interest in using the data that is not outweighed by the data subject’s countervailing interest in protecting the data.
2. Update privacy notices. After identifying the purposes and lawful bases for data collection and processing, you must communicate this information to data subjects. Legal counsel can ensure that your privacy notices comply with the GDPR (in form, content, and method of delivery), and can help create consent agreements that are non-ambiguous, in plain language, and require an affirmative act to “opt-in.”
3. Amend vendor contracts. The GDPR requires certain clauses in vendor contracts and outlines specific duties that vendors must fulfill when handling the data you give them. It is your responsibility to make sure that contracted vendors agree to comply with the GDPR’s requirements. Negotiate contract amendments with each vendor addressing each GDPR requirement and clearly define your organization’s instructions on data processing.
4. Develop systems and policies to quickly facilitate compliance. Establish systems and policies so that you can timely respond to data subjects’ requests, respond to potential data breaches, communicate effectively with regulators, reduce your organization’s potential liability with regards to third-party contracts and understand the nuances of the GDPR.
5. Designate GDPR leadership. Because of the array of obligations that the GDPR imposes, the numerous individuals and departments involved in compliance will need to be managed. The GDPR will require some entities to assign a data protection officer to oversee these various actors and processes—even organizations that are not required to create that role may still benefit from an individual maintaining a similar position. If you work for a U.S.-based organization with no presence in the E.U., you should appoint an E.U.-based representative to act as a contact point for the regulators to address GDPR compliance matters.