We’re going to be blunt. If you haven’t been diligently readying your organization for the new global data privacy requirements of the EU’s General Data Protection Regulation (GDPR), you’re too late. The GDPR has been on its way for two years, and it’s now in force.
There’s a good chance that this applies to you: if your business has any global presence or EU customers, you probably have data that you shouldn’t. For example, you might have personal data — even just an email address or demographic information — about an EU resident that you’re retaining for a legal hold. If you don’t have the subject’s active consent to keep and use that information, you’re likely in violation of the GDPR. Unfortunately, you’re caught somewhat between the rock of the GDPR’s mandates and the hard place of your U.S. ediscovery obligations.
Your only choice now is to minimize your risks while you undertake the longer process of attaining full compliance. But how?
By being prepared to respond to the new demands that the GDPR will impose on businesses. These requirements range from how companies structure their client-facing policies and communications to how they respond to security breaches and data access requests. Companies that handle these demands competently are likely to avoid immediate investigations and their attendant sanctions.
Start your triage process here.
1. Learn what the GDPR entails
Read our GDPR overview. You can’t be prepared for the regulation if you don’t know anything about it. If you’ve had your head in the sand, resolve to spend just an hour today reading up about the new privacy requirements. Don’t assume that you don’t need to worry about it; if you’ve offered goods or services to even one EU resident and have thereby obtained any information that could be used to identify that customer, you’re subject to the GDPR. In today’s global internet-based economy, most businesses need to at least pay attention.
2. Update your customer-facing communications
The GDPR has strict requirements for privacy policies and consent forms. Revisit your privacy notice and ensure that it includes the following:
- what types of data you may collect,
- how you will share or use that data,
- how long you will retain personal data, and
- how customers can contact you with data access or erasure requests.
Under the GDPR, any consent to process personal data must be freely given, informed by clear and plain language, and entered into purposely. Consent cannot be inferred from a customer’s failure to act or to opt out. This is why your email inbox has been inundated lately with consent requests. If you haven’t already sent one, you can’t do it now, but you can at least update your consent form going forward. In the meantime, refrain from contacting customers unless you know that they’re not EU residents.
3. Prepare for rapid response to any security breach
Companies will have at most 72 hours to report any data breach that threatens the security of personal data. Now is the time to shore up your breach-detection practices and to develop a clear response plan that you can put into motion quickly. Check with any data partners you work with to ensure that they are also prepared — or at least preparing — to respond to data breaches.
4. Prepare for customer data requests
One of the key features of the GDPR is the enhanced access rights it gives to individual data subjects. EU residents have the right to access their information, correct mistakes in their data, and request that their data be “forgotten” or erased. Upon request, companies must be able to promptly identify, locate, and provide access to personal data, at no charge and within one month of the request. Designate someone to receive and respond to these data requests so that they don’t fall through the cracks. Educate that person about the tension between the GDPR and your U.S. ediscovery obligations; if you are asked to erase data that you are retaining for a legal hold, you’ll need to weigh the risks on either side.
5. Map and purge your data while being mindful of legal holds
To respond to customer requests, you’ll need to be able to find their data. If you don’t already have a strong, up-to-date data map, now is the time to make one. In the process, purge whatever outdated or unnecessary information you have, so long as it isn’t subject to an active legal hold.
If you can keep what personal data you do have secure, inaccessible, private, and protected, without actively using it, your risk of being investigated for violating the GDPR is probably low.
Meanwhile, you need to immediately prepare for the worst: being sanctioned — up to 4 percent of annual global turnover — for failing to comply with the new requests and demands that the GDPR brings. While these steps don’t represent everything you need to do, they should help minimize your exposure while you work toward full compliance.