This article has been written by Andrea Wallack, CEO and Founder of NightOwl Discovery.
The General Data Protection Regulation (GDPR) is scheduled to come into force on 25 May 2018. It will apply to any organisation, wherever it is based, that processes the personal data of individuals in the European Union (EU), and it tightens the rules for obtaining valid consent to use personal information. GDPR compliance is a critical task for every professional services firm, and it will interact with other issues such as Brexit and international trade.
GDPR introduces new legal obligations in a little over a year's time, and preparing to meet them in time will be a challenge for many. The penalties are severe; failure is not an option. A two-tiered sanctions regime will apply. Breaches of the provisions that lawmakers have deemed most important for data protection (for example the basic principles for processing, the conditions for valid consent, data subjects' rights and the rules on international transfers) could result in fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. Other breaches could attract fines of up to €10 million or 2% of global annual turnover, again whichever is greater.
The impact on legal businesses will be wide ranging. Collecting and transferring personal data for legal discovery, for example, will become perilous because of the potential for enormous fines under GDPR, particularly where data held in the EU has to be produced for litigation elsewhere. It looks likely that the UK and the US will need some type of privacy shield framework of their own to work under, similar to the Swiss-US Privacy Shield. Discovery work will need to comply with a vast array of rules encompassing GDPR and any privacy shield that is set up.
GDPR opportunities
At the same time, the introduction of GDPR will provide a real opportunity for many businesses. Although the initial focus may be on preparing to comply, the purpose of GDPR is to harmonise data protection law across Europe, ultimately making it far easier to share data across borders within the EU. At present, an organisation operating throughout Europe may have as many as 28 different national data protection regimes to address, one per member state; from May 2018, a single regulation will apply directly in all of them.
There are a number of best practices that can be put in place ahead of GDPR – and key stakeholders such as legal, IT, compliance and senior management teams should take ownership of these right now:
- Review current data collection activities. Privacy must become a board-level concern. GDPR confirms and strengthens a number of data subject rights, including the right to be informed about the collection and processing of personal data and the rights to access that data and to have errors rectified. There are also rights to erasure, to restriction of processing, to data portability, and to object to processing. Finally, the rights in relation to automated decision-making and profiling may affect how personal data is used in a number of systems, so the review should map which systems hold personal data, why it is held, and on what lawful basis.
- Appoint a Data Protection Officer (DPO) and, where required, an EU representative. GDPR regulates controllers and processors outside the EU whose processing relates to offering goods or services to, or monitoring the behaviour of, individuals in the EU. Such organisations must designate a representative within the EU even if they have no physical presence there; this is a separate requirement from appointing a DPO. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, and one can be appointed voluntarily in other cases. The DPO role can be outsourced if needed. For an organisation established in more than one member state, the supervisory authority in the location of its 'main establishment' acts as the lead authority, although lawyers are likely to be thrashing out the definition of 'main establishment' for a while yet.
- Demonstrate compliance through record keeping. GDPR mandates 'data protection by design and by default', commonly called privacy by design. The concept already exists, but it has now been given specific legal recognition and is linked to enforcement. Under this requirement, companies will need to design compliant policies, procedures and systems at the outset of any product or process development rather than bolting them on afterwards. GDPR also requires most controllers and processors to keep written records of their processing activities, and to carry out a data protection impact assessment (DPIA) before any processing that is likely to present a high risk to individuals. Legal firms should document everything that potentially relates to GDPR compliance, because the regulation's accountability principle means that being compliant is not enough: the firm must be able to show it.
- Make sure your data processors are ready. The new regulations extend direct legal obligations beyond data controllers to the processors who handle personal data on their behalf, including service providers and individual contractors. It is essential to identify every processor your firm relies on (for example e-discovery vendors, cloud hosting and document review platforms), as well as any processing you carry out for others, to put written contracts in place that set out the processor's responsibilities as GDPR requires, and to train staff accordingly. Even a firm that simply processes personal data on behalf of others will still need to comply with the rules that apply to processors, including security obligations and the requirement to erase or return the data at the end of the engagement as instructed.
- Review consent and fair processing notices. GDPR sets additional requirements for the information that must be given to data subjects, and for what counts as valid consent: it must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action, and as easy to withdraw as it was to give. Many current consent mechanisms, such as pre-ticked boxes or consent buried in terms and conditions, will not be valid under GDPR. GDPR also emphasises making privacy notices easy to understand and accessible. The UK Information Commissioner's Office (ICO) has further guidance on privacy notices under GDPR.
International ramifications
The implementation of GDPR will have international ramifications. EU data protection law will continue to reach UK businesses after Brexit, because GDPR applies to any organisation processing the personal data of individuals in the EU regardless of where it is based. The UK may well have to adopt some form of GDPR-equivalent law to be recognised as meeting EU standards, so that businesses can continue to move data to and from the EU without friction.
Once the regulation is in force, any EU data protection authority can take action against organisations within its scope irrespective of where in the world they are based. Globally, two thirds of firms are reviewing their business strategy ahead of GDPR. Law firms in particular should be well advanced in their preparations for the impact of GDPR on their own and their clients' data processing activities; the consequences of failing to assess every aspect of GDPR could be far reaching.
Andrea Wallack
CEO and Founder of NightOwl Discovery