Is Your Firm Prepared for the New EU Data Protection Rules?
If you do business in the European Union — even if your organization is based elsewhere — get ready. The EU's upcoming General Data Protection Regulation (GDPR) delivers a long list of what one international law firm calls "onerous obligations."
Sure, regulators in Brussels mean well. Their aim, after all, is to protect the privacy and security of EU citizens. But for anyone doing business in Europe, this new regulation could also mean a lot of new work, and some suggest businesses are in denial.
Smart IT and security officers will get started now. The new GDPR rules don’t take effect until May 2018. But preparing for compliance could take a great deal of time.
Wide Reach
Are you among those affected by GDPR rules? Yes, if your organization meets any of the following criteria:
- Based in the EU
- Offer any goods or services — including those that are free — to EU citizens
- Monitor the behavior of EU citizens
- Hold and process data on EU citizens
If so, the GDPR will require you to:
- Notify the public of any data breach your organization suffers within 72 hours of discovery
- Prove your compliance with GDPR by providing documentation, impact assessments and data-protection designs
- Hire or contract a data protection officer (DPO) as part of your organization’s accountability program
- Allow EU citizens to easily withdraw their consent from letting your organization process their personal data — and be able to prove that they granted you that consent in the first place
- Inform all EU data subjects of the risks of transferring their data before you move their data anywhere outside the EU
Preparation Needed
So what can you do now to start preparing for GDPR? A recent report from international law firm Allen & Overy recommends that you ask yourself three important questions:
- Under GDPR, what are our new obligations?
- Do we have GDPR gaps in our current compliance program? And if so, where?
- Assuming there are gaps, what changes will we need to make, how quickly, and at what cost?
The report also recommends the following steps:
- Get ready for breaches with new policies and procedures
- Establish an accountability framework
- Embrace privacy by design
- Analyze the legal basis of data you use
- Ensure your privacy notices and policies are clear and easy to understand
- Be prepared for data subjects to exercise their rights
- Consider whether you have new obligations to those you supply
- Ensure that you have legitimate reasons for transferring data across national borders