Privacy turned upside down

The most transformative data privacy law ever will soon take effect

Counsel's Corner

Dennis C. Garcia is an assistant general counsel for Microsoft Corp. based in Chicago. He provides a wide range of legal support to Microsoft’s sales, marketing and operations groups across the United States. Please follow Garcia on Twitter @DennisCGarcia.

December 2017

In less than six months the most transformative and comprehensive data privacy law ever will finally take effect.

Enforcement of the European Union General Data Protection Regulation will begin on May 25, 2018. This article provides a basic overview of the regulation and some steps to help guide your organization to regulation readiness.

The regulation officially became law in April 2016 and a two-year transition period was established to provide time for organizations that are subject to the regulation to achieve compliance. The regulation replaces the EU Data Protection Directive, which has been effect since 1995. While the newer directive retains aspects of the older standard, the requirements of the new regulation are much more expansive in nature.

The regulation has broad applicability to organizations of all sizes and across all industries that offer goods and services to people in the EU or that collect and analyze personal data regarding EU residents — regardless of where those organizations are located.

Without getting into substantive detail, the new regulation centers on these four key areas:

  • Enhanced personal privacy rights: The regulation provides individuals with greater control, access and interaction with their personal data.
  • Increased responsibility to secure data: This includes stricter and more rigorous guidelines for confidentiality, record-keeping and more transparent practices for data-handling.
  • Unique data protection requirements: These include mandatory data breach reporting (notification to regulators within 72 hours of detecting a data breach), privacy personnel training and the appointment of a data protection officer for larger organizations.
  • Significant repercussions for noncompliance: Companies that do not comply with the new regulation potentially face stiff penalties. The maximum fine for serious violations will be the greater of 20 million euros or 4 percent of an organization’s annual global revenue. The new regulation also empowers consumers (and entities acting on their behalf) to bring civil litigation against organizations that breach the regulation.

Knowing that the regulation is quickly looming on the horizon, what should your organization do if it has not already prepared itself for compliance? Here are a few suggestions:

Discover, manage, protect and report

Begin your journey to compliance by focusing on the four key steps of discover, manage, protect and report:

  • Discover: Your organization first needs to determine if the new regulation applies to your organization, and if so, to what degree. Accordingly, it is important to identify what personal data your organization has and where it resides. An important best practice is to conduct a thoughtful inventory regarding the landscape of your organization’s data.

The regulation contains a broad definition of personal data. If your organization retains such data (even if stored outside of the EU) or wants to collect it — and the data pertains to EU residents — then your organization needs to comply.

  • Manage: To comply with the regulation your organization needs to appropriately govern how personal data is used and accessed. The new standard provides data subjects, individuals to whom data pertains, with additional levels of control regarding how their personal data is acquired and used.

It is critical for organizations to establish a meaningful data governance plan, so they can fulfill data subject requests to transfer or delete their personal data.

  • Protect: The new regulation requires organizations to undertake appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure. As a result, extensive data security controls that serve to prevent, detect and respond to intrusions and data breaches must be embraced.
  • Report: The new rule breaks new ground in the areas of transparency, accountability and record-keeping. To be regulation compliant, organizations will need to execute upon data requests, report data breaches and retain required documentation.

Obtain competent privacy law advice

The new standard is a comprehensive and complex law that has been built over an extensive period of time. It is critically important that your organization obtains the advice of privacy law specialists that can help you navigate toward compliance.

Partner with a technology provider

If your information technology providers require access to your information that can trigger regulation compliance, make sure you clearly understand how they plan to comply with it. Such providers ought to be willing to make contractual commitments to your organization that provide key regulation-related assurance about their services.

If the regulation applies to your organization, best of luck in achieving compliance and earning the trust of your employees, customers, partners and others in protecting personal data.