The Irish Data Protection Commissioner (DPC) has issued a 12-step checklist of actions companies can take now to better prepare for compliance with the General Data Protection Regulation (GDPR), the new EU privacy regulation which takes effect in May 2018. The DPC urged organizations to start preparing as soon as possible as that will make preparation less costly. Organizations are to conduct an analysis of current and future processing of personal data with a view to enhance protections where needed.

1. Becoming Aware

Organizations must become aware of the compliance changes required by GDPR, and identify areas in which processes should be augmented or modified to meet increased compliance requirements. To that end, they should conduct a review of current and future risk management processes, being mindful of increased resource needs that may accompany the GDPR-mandated enhancements.

2. Becoming Accountable

Organizations should take inventory of their data to understand the GDPR's applicability to that data. They should ask questions about how data is being used; how long it is being retained; the level of security attributed to it; and on what basis, if applicable, the data is being shared with third parties.

3. Communicating with Staff and Service Users

Organizations must perform an analysis of current data privacy notices alerting customers of their data collection policies, and determine whether they align with the organization's actual practices. GDPR requires, among other things, that customers, staff, and service users be made aware of how data will be processed, and the legal basis for such processing. Under the GDPR, such notices would need to be made clear, concise, and easy to understand.

4. Personal Privacy Rights

Personal privacy rights under the GDPR come with "significant enhancements." Organizations must ensure that their procedures cover all the rights individuals have, including how they would delete personal data or provide data electronically and in a commonly used format. They should also know how they would react to a request from a data subject to exercise their rights under the GDPR.

5. Access Request Changes

Under the GDPR, organizations, for the most part, may no longer charge for processing an access request. The GDPR also imposes shorter timeframes in which requests must be answered. To deal with the increased administrative costs, the DPC urges organizations to "develop systems that allow people to access their information easily online."

6. Legal Basis Analysis

Under the GDPR, the data subject's consent will be more difficult to use as justification for processing data. Therefore, organizations should review the justifications they use for processing data and be ready to provide and describe this legal basis. Government departments and agencies will need to cite specific legislative provisions authorizing their particular means of processing data.

7. Customer Consent-Driven Data Processing

If an organization relies on customer consent to process data, the GDPR requires that it revisit how it seeks, obtains, and records such consent and whether it needs to make any changes. Customers may not be forced to consent, or be unaware that they are consenting. Ultimately, the burden of proving consent lies with the organization.

8. Processing Children's Data

The GDPR contains specific provisions to protect children's data, especially with regard to social media and commercial internet services. Organizations must ensure that they have adequate systems in place to verify individual ages and gather consent from guardians.

9. Reporting Data Breaches

The GDPR makes data breach notifications mandatory, typically within 72 hours of the breach. The breach will need to be reported to the DPC, and individuals also must be informed when the breach is likely to cause them harm. Organizations should ensure they have the right procedures in place to detect, report, and investigate a data breach.

10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default

The GDPR mandates DPIAs for organizations involved in "high-risk processing." A DPIA is a process of systemically considering what kinds of privacy implications exist for projects or initiatives. The DPC urges and the GDPR enshrines the adoption of a "privacy by design" or "privacy by default" approach, in which organizations must develop products and services with privacy considerations in mind first and foremost.

11. Data Protection Officers

The GDPR requires the designation of a Data Protection Officer for certain types of organizations. Organizations that fall within this requirement must designate an individual with sufficient knowledge, support, and authority to effectively carry out his or her duties.

12. International Organizations and GDPR

Multinational organizations will be allowed to deal with only one Data Protection Authority, known as a Lead Supervisory Authority (LSA), in the country where "they are mainly established." Organizations must determine where they make their most significant decisions about data processing to determine their "main establishment" and LSA.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our attorneys regularly work with multinational companies on structuring and properly documenting their cross-border data transfers. We also assist in drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the GDPR and the EU–U.S. Privacy Shield.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices