European Parliament Adopts EU General Data Protection Regulation; 12 Steps Businesses Should Take Now

Ballard Spahr LLP

The European Parliament has voted to adopt the draft text of the General Data Protection Regulation (GDPR), which imposes enhanced requirements on organizations processing personal data in the European Union and transferring data out of the EU. The April 14, 2016, vote completed the four-year legislative process for adoption of the GDPR, which is expected to take effect in mid-2018 and will replace the EU Data Protection Directive (95/46/EC).

The United Kingdom's Data Protection Authority, the Information Commissioner's Office (ICO), recently released a 12-step checklist of actions organizations should take to prepare for compliance with GDPR. The steps are:

  • Raise awareness that legislative change is coming. Organizations should make sure their decision makers and key people are aware that the GDPR will change existing law and should raise awareness of the impact the change will have on the organization. Organizations should start by assessing their risk register and identifying areas that could cause compliance problems under the GDPR.
  • Map personal data. Organizations should document the personal data they hold, where it came from, and with whom it is shared. This may require an organization to create a personal data map (also called an information audit) across the organization, or within particular business areas.
  • Amend privacy notices. Organizations should review their current privacy notices and develop a plan to make any necessary changes in time for GDPR implementation. Such a plan must comply with the GDPR's requirement that organizations communicate additional information to individuals, including the legal basis for processing data, the data retention periods, and the individual's right to complain to the ICO if the individual believes the data was mishandled.
  • Assess policies for compliance with individuals' rights. Organizations should check their policies and procedures to ensure they take into account all the rights individuals have under the GDPR. These rights include: the right to access information; to correct inaccuracies; to have information erased; to prevent direct marketing; to prevent automated decision-making and profiling; and to data portability (i.e., to receive data electronically and in a commonly used format).
  • Update procedures to provide timely response to subject access requests. Organizations should update their procedures and put in place or amend, as necessary, their data retention policies. Under the GDPR, organizations would need to disclose their data retention policies, respond to access requests within a month, and allow individuals to correct inaccurate information about them.
  • Assess legal basis for processing personal data. Organizations should look at the various types of data processing they carry out, identify their basis for carrying it out, and document the basis. Organizations will have to explain their legal basis for processing data in their privacy notice and when they respond to a subject access request.
  • Assess necessity for changes in method of acquiring subject consent. Organizations should review how they are seeking, obtaining, and recording consent and whether the consent is freely given, specific, informed, and unambiguous. They should also assess whether their audit trail for such consent is effective and whether they need to make any changes.
  • Assess whether children's information is processed. Organizations should consider putting systems in place to verify individuals' ages and to gather parental or guardian consent for any data processing activity involving children under 13 years of age. If such information is involved, the privacy notices will need to be drafted in a manner understandable by children.
  • Assess policies to investigate and report data breaches. Organizations should make sure they have the proper procedures in place to detect, report, and investigate a data breach in which individuals are likely to suffer some form of damage. This could involve assessing the types of data an organization holds; documenting which ones would trigger notice if there was a breach; and developing appropriate policies and procedures to this end.
  • Assess data protection by design and data protection impact assessments. Organizations should limit their data collection to the minimum necessary (data minimization) and adopt a "privacy by design" approach to projects, which promotes privacy and data protection compliance from the start. Organizations should also identify high-risk situations in which it might be necessary to conduct a data protection impact assessment, and should refer to and implement the provisions of the ICO's guidance on Privacy Impact Assessments.
  • Appoint Data Protection Officers. Organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale should designate a Data Protection Officer (DPO) who will take responsibility for data protection compliance and should assess where this role will sit within the organization's structure and governance arrangements.
  • Determine the supervising authority. International organizations should determine which data protection supervisory authority the organization falls under. While this is easy to determine for an organization with a single traditional headquarters, it is more difficult for complex, multi-site companies.
