The European Parliament has voted to adopt the draft text of the General Data Protection Regulation (GDPR), which imposes enhanced requirements on organizations processing personal data in the European Union and transferring data from the EU. The April 14, 2016, vote completed the four-year legislative process for adoption of the GDPR, which is expected to take effect in mid-2018 and will replace the EU Data Protection Directive (EC/95/46).

The United Kingdom's Data Protection Authority, the Information Commissioner's Office (ICO), recently released a 12-step checklist of actions organizations should take to prepare for compliance with GDPR. The steps are:

  • Raise awareness that legislative change is coming. Organizations should make sure their decision makers and key people are aware that the GDPR will change existing law and should raise awareness of the impact the change will have on the organization. Organizations should start by assessing their risk register and identifying areas that could cause compliance problems under the GDPR.

  • Map personal data. Organizations should document the personal data they hold, where it came from, and with whom it is shared. This may require an organization to create a personal data map (also called an information audit) across the organization, or within particular business areas.

  • Amend privacy notices. Organizations should review their current privacy notices and develop a plan to make any necessary changes in time for GDPR implementation. Such a plan must comply with the GDPR's requirement that organizations communicate additional information to individuals, including the legal basis for processing data, the data retention periods, and the individual's right to complain to the ICO if the individual believes the data was mishandled.

  • Assess policies for compliance with individuals' rights. Organizations should check their policies procedures to ensure they take into account all the rights individuals have under the GDPR. These rights include: the right to access information; to correct inaccuracies; to have information erased; to prevent direct marketing; to prevent automated decision-making and profiling; and to data portability (i.e., provide data electronically and in a commonly used format).

  • Update procedures to provide timely response to subject access requests. Organizations should update their procedures and put in place or amend, as necessary, their data retention policies. Under the GDPR, organizations would need to disclose their data retention policies, respond to access requests within a month, and allow individuals to correct inaccurate information about them.

  • Assess legal basis for processing personal data. Organizations should look at the various types of data processing they carry out, identify their basis for carrying it out, and document the basis. Organizations will have to explain their legal basis for processing data in their privacy notice and when they respond to a subject access request.

  • Assess necessity for changes in method of acquiring subject consent. Organizations should review how they are seeking, obtaining, and recording consent and whether the consent is freely given, specific, informed, and unambiguous. They should also assess whether their audit trail for such consent is effective and whether they need to make any changes.

  • Assess whether children's information is processed. Organizations should consider putting systems in place to verify individuals' ages and to gather parental or guardian consent for any data processing activity involving children under 13 years of age. If such information is involved, the privacy notices will need to be drafted in a manner understandable by children.

  • Assess policies to investigate and report data breaches. Organizations should make sure they have the proper procedures in place to detect, report, and investigate a data breach in which individuals are likely to suffer some form of damage. This could involve assessing the types of data an organization holds; documenting which ones would trigger notice if there was a breach; and developing appropriate policies and procedures to this end.

  • Assess Data protection by design and data protection impact. Organizations should limit their data collection to the minimum necessary (data minimization) and adopt a "privacy by design" approach to projects, which promotes privacy and data protection compliance from the start. Organizations should also assess situations that pose high risk where it might be necessary to conduct a data protection impact assessment and should refer and implement the provisions of the ICO's guidance on Privacy Impact Assessments.

  • Appoint Data Protection Officers. Organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale should designate a Data Protection Officer (DPO) who will take responsibility for data protection compliance and should assess where this role will sit within the organization's structure and governance arrangements.

  • Determine international authority. International organizations should determine which data protection supervisory authority the organization comes under. While in traditional headquarters this is easy to determine, it is more difficult with complex, multi-site companies.

Attorneys in Ballard Spahr's Privacy and Data Security Group regularly work with multinational companies with businesses in Europe on structuring and properly documenting their cross-border data transfers. We also assist in drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the GDPR and the EU–U.S. Privacy Shield.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practice