Key Steps to GDPR Compliance for U.S. Companies (Part 3)
Although the GDPR comes into effect on May 25, 2018, the breadth of its reach will continue to develop long after its effective date. Domestic companies should be aware that the rules will likely change over time. While this may make the applicability of the GDPR all the more elusive, there are a number of steps that domestic companies can take to best position themselves for compliance with the GDPR’s current and future states.
Part 1 of this series is intended to help domestic companies determine whether the GDPR will apply to them. Part 2 provides an overview of the GDPR’s key concepts and requirements. This article will discuss steps that domestic companies should be taking now to comply. When creating GDPR-compliant procedures, companies should make sure to ingrain the key GDPR privacy principles (e.g., lawfulness, fairness, transparency) into their policies. This Part III is not an exclusive list of steps to compliance, nor does it guarantee compliance with the GDPR.
1. Map out, identify, and categorize the data the company collects or processes.
Often, the first step is the most difficult but the most important. Before considering what a company needs to do in order to be GDPR-compliant, the company needs to determine what it is currently doing. This means making a thorough assessment of what data the company encounters and why. Some key questions the company may want to ask itself and document (securely) may include:
- Does the company ask for personal data from EU data subjects?
- How does the company obtain personal data from EU data subjects?
- What does the company do with the data? For what purpose?
- Does the company share or permit access to data with any third party? Under what contract?
- Who within the company encounters the data? For what purpose?
- Where is data being stored?
- How long is data being stored?
- Can the data be easily accessed for deletion?
- What is the company’s data destruction policy?
- Does the company have a process in place to respond to a data breach?
- What is currently being disclosed to data subjects?
This step is integral to compliance for a number of reasons, not least of which is to identify whether the company collects or processes “special categories of data,” which cannot be processed without explicit consent or another exception to the rule. Article 9 of the GDPR defines “special categories of data” to include “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Companies should be weary when collecting or processing any such data.
2. Ensure that the company has at least one legal basis for every processing activity.
A key component to the GDPR principles is that companies limit the collection, storage, and use of personal data to the extent possible. Having a legal basis for processing activities helps ensure that personal data is being used for valid purposes. This does not mean that a company must choose one legal basis for all processing activities; however, the company should be able to rely on a distinct legal basis for each processing activity. Legal bases can include:
- The EU data subject gave explicit consent for the particular activity;
- Data is being processed pursuant to a contract;
- Data is being processed in order to comply with EU legal obligations;
- The data processing is necessary to protect vital interests of the EU data subject;
- The data processing is necessary in the public interest; or
- The data processing is necessary for a legitimate interest of the company that does not override the rights and freedoms of the EU data subjects.
3. Have company policies and procedures to allow EU data subjects to exercise their individual privacy rights under the GDPR.
Any GDPR-compliant system must provide data subjects ways to exercise their individual rights under the GDPR. This means that disclosures made to data subjects must include the company’s process to address such individual’s:
- Right of access;
- Right to rectify;
- Right to erasure, aka “right to be forgotten”;
- Right to restrict processing;
- Right to object to processing;
- Right to data portability;
- Right to not be subject to automated decision-making, including profiling.
Companies will need to plan ahead to ensure data subject requests are exercised promptly (most require data subject requests to take effect immediately, or “without undue delay”). This may prove more difficult for some than others. For example, if a company’s consumer data is held by a third party processor, who has a backup in cloud storage, and the company also holds backup data in a physical server, how long will it take a data subject’s information to be erased from all platforms? Both internal policies and contracts with third parties that encounter EU data must be considered. For more information on these rights, please see Part 2 of this series.
4. Put in place data processing agreements (contracts) with all third parties that handle EU personal data for the company.
As indicated in the section above, companies may violate the GDPR if there are not proper allocations of risk and delineation of responsibility in contracts with third party processors. Controllers should ensure that contracts with a third party data processor require that such third party:
- Only process data on the instructions of the company;
- Maintain confidentiality;
- Provide appropriate data security;
- Not engage subprocessors, or share data with any other party, without prior authorization;
- Assist your company with its GDPR compliance obligations (including when data subjects exercise their rights);
- Provide notification to the company immediately of any suspected data breaches;
- Delete or return all data to the company at the end of the engagement; and
- Be able to demonstrate compliance with privacy regulations and contractual obligations to the company.
5. Adopt GDPR-compliant privacy notices and make them available at all data collection points.
Publically-facing privacy policies (called a “privacy notice” in the EU) not only make key disclosures to data subjects, but also create a standard that the company must abide by. A domestic company’s failure to abide by its own privacy notice could put it in jeopardy of violating both domestic and foreign privacy laws. A GDPR-compliant privacy notice should address the following:
- Identity of the company and contact details,
- Purposes of processing and the legal basis for processing,
- Legitimate interests of processing if applicable,
- Categories of third party recipients of personal data,
- Existence of data transfers out of the EU,
- International data transfer mechanism in place for data transfers,
- Data retention periods or criteria for such,
- Existence of the individual rights,
- Right to lodge a complaint with the EU supervisory authorities,
- Whether the provision of data is required (and consequences for not providing it), and
- Existence of automated decision-making (if applicable).
6. Design and integrate appropriate data protection and security.
The GDPR requires companies to provide a “reasonable” level of protection for data subjects’ personal data, but punts the burden to companies to determine what “reasonable” means with respect to their business. Consequently, companies will need to make sure they take a “data protection by design and by default” approach both to the design and integration of their protection measures, which must be appropriate based on the sensitivity of the data and risk to data subjects. Compliance will require a holistic approach and synergy both internally and externally (e.g., with vendors).
Part of the holistic approach to data security includes implementing appropriate technical and organizational security measures appropriate to the risks to data subjects’ rights. Companies should, at minimum, consider where appropriate:
- Encryption, pseudonymization, anonymization, confidentiality, integrity, availability, resilience of systems, the ability to restore and access personal data in the event of incidents, and a process for regularly testing, assessing and evaluating the effectiveness of security measures;
- The risks that would be posed by accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access; and
- How to ensure that any third party data processors acting on your behalf provide appropriate data security.
7. Adopt and implement data breach response procedures.
Companies both within and outside the reach of the GDPR should implement a data breach/incident response plan. Most states in the United States have reporting requirements for a data breach of consumer data. The GDPR can require companies to make notifications of data breaches either to an EU Supervisory Authority (“SA”) or to the affected individuals.
- Notification to regulators: required unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Information can be reported as information is learned (likely to be the case given the tight deadline).
- Notification to affected individuals: required when the breach is likely to result in a high risk to the rights and freedoms of the individuals. Must be made without undue delay.
8. Conduct Data Protection Impact Assessments when necessary.
Article 35 of the GDPR mandates controllers to conduct Data Protection Impact Assessments (“DPIAs”) for any “type of processing in particular using new technologies…[that] is likely to result in a high risk to the rights and freedoms of natural persons.” The GDPR’s requirements For DPIAs include:
- Systematic description of the processing operations, their purposes, and the interests pursued by the company;
- Assessment of the need for, and proportionality of, the processing;
- Risk assessment with regard to data subjects’ rights; and
- Include safeguards and accountability measures to be adopted to protect personal data and comply with the GDPR.
If processing would result in a high risk in the absence of proposed mitigation measures, companies should contact an SA before commencing processing. SAs are authorized to provide written advice and may ban processing or transfers abroad, or take other actions.
9. Data Protection Officer (“DPO”)
While the designation of a Data Protection Officer (“DPO”) is not necessary for some, if not most domestic companies that regularly and systematically monitor EU data subjects on a large scale, or that process special categories of data (e.g., health, racial, political, ethnic) or personal data relating to criminal convictions and offences, should consider designating a DPO. In the absence of an official DPO, companies should still consider designating a responsible employee to monitor and maintain privacy governance for the company both internally and with third parties.
Taking the steps outlined above will provide your company with the information and processes that it will need to be compliant with the GDPR. We do expect that there will be adjustments and changes to the regulation, so stay tuned for information on changes as the regulation takes effect. Our final article in this series will discuss specific issues for human resources professionals and those who deal with data of EU employees.
- Jean Ohman BackOf Counsel
- Cecilia JeongAssociate