The last time there was a major change to EU data privacy laws, back in 1995, 0.4% of the world's population used the internet. Now 49% of people across the globe are online.
The new General Data Protection Regulation (‘GDPR') will be fully implemented in May 2018 and will affect companies across the globe. Under GDPR companies can be fined up to €20 million if they misbehave with customer data.
GDPR will affect U.S. companies that do business in Europe because GDPR applies to all companies outside the EU if they offer goods and services to customers within the EU. So, for an example, a U.S. watch company that offers its watches for sale in the EU and processes the personal data of EU customers is caught by the regulation and could be caught by massive fines if it breaches GDPR.
As an in-house data protection lawyer, I have been helping to lead a GDPR project across a Group of 30 companies with over 1 million customers. I have tried to distil what I have learned on this project into five main tips:
1. Cybersecurity is everything – GDPR is a mammoth regulation and companies have been speculating about the provisions that will hit them hardest. For example, there has been much discussion about two new customer rights under GDPR: the ‘Right to Erasure ‘and the ‘Right to Data Portability' (the right to wipe your personal data and the right to ask a company to hand it over to a new service provider). I suspect these have been over-hyped by the media because I do not believe they will be very widely used by customers. The major fines and liabilities for companies under GDPR will be around cybersecurity and the failure to keep customer information safe.
Under the new rules, companies will have to be skilled at breach detection because certain breaches have to be reported to the data authorities within 72 hours (Article 33 GDPR). There are also added responsibilities under GDPR (Article 3 GDPR) when companies process data on behalf of other companies and their cybersecurity should reflect this.
2. Don't get caught up in the paperwork – The CEO of the Dana Corporation, Rene McPherson, famously replaced 22 inches of company policy manuals with one page. He knew that short and simple is always better when you are communicating with staff and customers. Similarly, the U.K. Privacy regulator (the ICO) wants companies to be clear and succinct when communicating with customers. For example, when you are drafting customer terms and conditions about GDPR it pays to give them a clear overview rather than hitting them with a blizzard of clauses spelling out all the obscure details of GDPR.
3. Keep it together – This sounds obvious but it is crucially important: when you are implementing a GDPR project you should make sure all departments in your company are working together on the plan in an integrated way rather than each department working on the project independently. You should have a single Project Document or “Grid” that lists each task under the GDPR project. The Grid should give details on roles, sequencing and deadlines. It is crucial that each Department can see and work from the same Grid so that everyone will know what their task is and when they are expected to complete it.
4. Record, Record, Record – Under Article 5(2) of GDPR companies must “demonstrate compliance”. This means they have to be able to be able to produce the homework they have done on GDPR to regulators.
I suggest having a simple table to record all of the work your company has done on GDPR.
You can record issues such as:
- the supplier contracts you have changed
- the company policies you have revamped
- the IT security improvements you have made
Record a summary of changes you have made along the date you have made these changes and keep it in a safe place. It may be useful if a regulator ever comes knocking.
5. Talk to the right people – Drafting policies and procedures are important but it is crucial to get out into your organization to talk to the people on the ground. You will often find that these people know much more about the subtleties of your business than you do. I met people across my Group in London and across the U.K. on this project including people from marketing, finance, compliance and internal audit. I asked them “how would you approach this?” Their answers were a huge help to me in understanding how to move the project forward.
To summarize: Cybersecurity is everything, don't overdo the paperwork, keep it together, record everything and talk to the right people. You might find that GDPR is not as intimidating as you thought.
Patrick O'Kane is a barrister and compliance counsel and has written for a number of publications on data privacy issues.
