Make no mistake. GDPR compliance is a legal issue. In-house legal teams need to prepare now.
While it’s true that organizations face potential fines of up to 4% of worldwide turnover, for most organizations, the greatest threat of GDPR is the tidal wave of litigation and settlements it will trigger. There are two provisions that every GC and CLO must understand.
1. Article 77 | Right to lodge a complaint with supervisory authority
Under GDPR, anyone, including current and former employees as well as customers, can lodge complaints with a Data Protection Authority (DPA) if they feel their rights have been infringed.
2. Article 82 | Right to compensation and liability
Article 82 provides sufficient motivation for individuals to file complaints. Under this article, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” It will be easier for individuals to file private claims.
How will you respond WHEN THE DATA PROTECTION AUTHORITIES SHOW UP?
DPAs are required to investigate and follow up on every complaint. In-house counsel must be prepared to respond. There are three critical and foundational obligations legal must ensure are effectively addressed to respond to DPA questions and to demonstrate an effective level of diligence and evidence of controls.
The Three Critical Obligations
The GDPR has 99 Articles and one clear intent: Protect the personal data of EEA/EU citizens!
GDPR applies equally to personal data processed internally, manually, electronically and by third parties. You can’t effectively meet GDPR obligations if you haven’t assessed your information practices internally and externally. And the most egregious GDPR violations will hit organizations that have over-retained personal data.
In-house legal plays a critical role in ensuring these three obligations are effectively addressed and can stand up to regulatory and legal scrutiny.
The first 50 GDPR Articles outline corporate obligations that cannot be met without a comprehensive data inventory and accompanying data maps. There are several reports and data maps needed to comply with GDPR.
DPAs investigating a complaint against your organization will want to see your Article 30 Record of Processing and the logic used to define your processes.
GDPR Article 28 makes organizations accountable for all third parties that process personal data. Most organizations simply don’t know what vendors they have and which ones have access to systems or personal data.
DPAs will ask what information you share with third parties and how you assess those third parties. Your answer needs to be reasonable, and you’ll need to demonstrate evidence of your controls.
GDPR Article 5 and Article 25, Part 2 mandate that personal data retention be limited to a strict minimum. Most organizations retain 10 to 20 times more data than necessary for legal or business purposes and most of that data contains some kind of sensitive content.
DPAs will assess your routine, systematic program for retaining and deleting information. You need to ensure your program accounts for legal and business obligations to retain records containing personal data.
Data mapping | Assessment for GDPR Risks
To demonstrate effective diligence and meet your obligations, organizations must develop and maintain a series of comprehensive data maps.
Data maps must be available that identify the locations, usage, movement and access levels of information, along with the types of personal data inherent in every application and record type.
GDPR requirements are too important to rely on inefficient and error-prone processes. Old-fashioned consulting methods are too slow, too inaccurate and too expensive. This makes it impossible to keep your data mapping obligations up-to-date.
Compliance will never be sufficient or sufficiently defensible for organizations that rely on the sudden proliferation of empty-shell applications which don’t provide the level of diligence necessary to protect your organization’s legal and financial position.
A professional services approach is needed that leverages best practices, deep domain knowledge and predictable, defensible results in an efficient and accurate way.
Required Data Maps, Reports & Insights
In less than 45 days.
Article 30 Record of Processing
Data Minimization Alerts
Article 9 Special Categories
Article 5, 13 & 25 Data Retention
Media Types & Storage Locations
Article 9, 28 & 30 Data Access
International Retention Standards
Article 28 Third-Party Processors
Data Subject Consent & Notice
VENDOR DILIGENCE | Vendor Risk Assessment
Full-scale vendor risk assessments are no longer optional.
1. Organizations should only use vendors that provide sufficient guarantees to meet the requirements of GDPR.
2. The limited number of vendors being assessed today are unlikely your greatest risks.
GDPR expands the scope of liability for infringements to both controllers and processors. If a complaint is filed against your organization and the personal data in question is shared with a third party, expect DPAs to question your controls and oversight of third-party vendors.
Legal must ensure an effective diligence process is in place that covers all vendors including low-risk vendors, law firms and high-risk vendors. Anything less is insufficient and will not stand up to scrutiny.
CONSIDER THESE QUESTIONS…
1. Do You Risk Assess all Vendors, Not Just High-Risk Vendors? Many high-profile data breaches originated from perceived “low-risk vendors.” Your vendor risk assessment process should include conducting a Vendor Risk Profile for all vendors to surface unknown risks.
2. Are Risk Assessments Conducted Using Complex Spreadsheets? Relying on manual spreadsheets to conduct risk assessments is resource-intensive, error-prone and limits your reach. Your process must be streamlined, well-documented and cover all vendors at the appropriate level.
3. Can You Demonstrate Effective Diligence? A streamlined, well-documented process provides legal with the audit trail and documentation to demonstrate effective, systematic and appropriate oversight of all vendors, which is critical under GDPR.
4. Does Your Risk Assessment Process Meet Regulatory Obligations? Beyond GDPR, there is an explosion of laws and regulations that are similar to GDPR. NY DFS, FAR, DFAR and the Dubai Data Protection Law all require organizations to conduct risk assessments of their third parties.
Data minimization | Information Compliance Standards
There are three aspects to consider under the GDPR:
1. Only collect the minimum amount of personal data needed.
2. Only retain personal data for the “absolute” minimum time required.
3. Be prepared to respond to right-to-be-forgotten requests.
Over-retaining personal data will not be defensible under GDPR. Organizations must systematically dispose of records containing personal data once they have fulfilled their obligations unless there is an overriding regulatory requirement. Understanding your legal requirements to retain records is critical when faced with right-to-be-forgotten requests and when responding to a Data Protection Authority.
Data minimization requires organizations to establish and then systematically enforce a document retention program across all media types. It’s an easy problem to solve in less than 45 days using proven standards and approaches.
Best Practices Drive Defensible Deletion
Industry Specific. Worldwide Standards.
Leverage Proven Retention & Disposal Standards. Adopt retention standards that are industry-specific and processes that are highly effective and defensible.
Dispose of Over-Retained Data. Appropriately and defensibly eliminate vast amounts of unnecessary records, emails and other data.
Communicate Program Expectations. Automate the distribution, tracking and compliance levels of related policies, training and compliance notices with verified responses at the user level.
Establish Ongoing Controls. Leverage proven experience, standards and technology to streamline your program and ensure defensibility.
TYING IT TOGETHER | 45 Days to Dramatic Progress
There is a clear path forward:
Develop and maintain an accurate data inventory and data maps then act on the insights gained. Assess all third parties – including high-risk vendors, law firms and low-risk vendors – to identify and correct insufficient practices. Eliminate all eligible data – especially any records containing personal data – under an approved and enforced retention program.
This doesn’t have to be confusing or complicated. The requirements are clear, and the processes and best practices are in place and ready for rapid, accurate deployment.
45 days isn’t very long. With the right approach, you will be better prepared to meet your obligations and protect your organization’s legal and financial interests in ways unmatchable with any other viable alternative.
Professional Services. Perfectly Delivered. World-Class Standards. Completed in 45 Days. Unlimited Reach.
Jordan Lawrence has been helping organizations around the world manage their information compliantly and defensibly for more than 30 years. GCs, CLOs and senior executives rely on our services to help them meet pressing regulatory obligations while reducing risks and costs.
Data Mapping to identify and address information risks and meet data privacy, cybersecurity and litigation requirements.
Vendor Diligence to effectively assess third-party cybersecurity and data protection risks and demonstrate evidence of controls.
Data Minimization to establish and implement defensible retention and deletion programs for all media types including email and ESI.
Our innovative service delivery model provides predictability, accuracy and speed for every client. Our industry benchmarking and world-class best practice standards are relied upon and proven defensible in the most vital areas of corporate risk.
For the last 12 years, The Association of Corporate Counsel has selected Jordan Lawrence as an exclusive ACC Alliance Partner to help their members meet their legal obligations, mitigate risks and reduce the costs of information compliance and control.
CONTACT US 636.821.2222 www.jordanlawrence.com/gdpr
Interested in learning more? Sign up for one of our webcasts: