GDPR and data – what lawyers need to know

Having just spent a great deal of quality time with lawyers in both the US and the UK educating the legal community about eDiscovery and the cloud, I noticed that there is still a proverbial elephant in the room – the European Union’s General Data Protection Regulation (GDPR).

While opinions and knowledge of the GDPR varied, there were a number of questions that kept cropping up from the legal experts that I spoke to:

  • What do my clients need to know about GDPR, and how can I advise them best?
  • How can I advise clients on new technologies like the cloud to ensure compliance?
  • Are my clients underestimating the amount of work required around GDPR?

GDPR Explained

GDPR creates a unified set of laws and stricter regulations for EU citizen data processing, and it also specifies steep penalties for non-compliance. These penalties are in the form of administrative fines and can be imposed for any type of GDPR violation, including those that are purely procedural. Fines range from €10 million or 2% of global annual turnover to €20 million or 4% of global turnover.

The primary reasons for the new regulation are:

  1. To provide EU citizens with more power over how their own personal data is used
  2. To strengthen trust between digital services providers and the people they serve
  3. To provide businesses with a clear legal framework under which they can operate, removing any regional differences by creating a uniform law across the EU single market.

GDPR goes into effect on May 25, 2018 – which leaves companies less than a year to prepare for drastic changes in how they handle the personal data of EU residents. From a legal perspective, there are a lot of changes required across businesses for compliance. This is not just a technology issue, but will involve companies looking at their existing relationships and contracts in a lot more detail.

GDPR First Steps

Is your business subject to GDPR?

GDPR applies to a larger scope of organisations than the Data Protection Directive (Directive 95/46/EC), its predecessor. Many businesses that were not subject to European privacy laws will, in fact, need to comply with GDPR. Here’s how to determine if you must comply:

  • GDPR applies to all organisations with a presence in the EU, where personal data is processed during the performance of business activities. Even a minimal footprint – such as having a single EU-based employee – suffices.
  • If a company without a physical presence in the EU is targeting EU residents to offer them goods and services, or monitoring them, GDPR applies. “Targeting” includes using a European language or currency, tailoring products to EU residents, or aggressive marketing within the EU. “Monitoring” is defined as tracking people online to create profiles or analyse and predict personal preferences, patterns of behaviour, or attitudes.

Is your company required to have a Data Protection Officer (DPO)?

Different from a compliance officer or legal counsel, a DPO reports to the executive board and has authority to monitor the company’s data processing. Organisations with 250 or more employees that handle sensitive data or criminal records must appoint a DPO. Organisations with fewer than 250 employees may or may not have to appoint a DPO, depending on whether they process sensitive data.

Are there processes in place to respond to requests to delete/amend/provide copies of data?

In addition to the rights prescribed by the Data Protection Directive—such as access to copies of data, the right to amend, and the right to restrict processing—GDPR also includes the right to online information erasure and the right to data portability, or allowing people to transfer their data to another service provider. This means your company must develop thorough procedures to respond to these types of requests.

Does your company have an incident response plan that meets GDPR requirements?

GDPR includes a data-breach notification requirement. If there’s a risk of harm to people, the supervisory authority must be notified of a data breach within a 72-hour deadline. The affected data subjects also must be notified without “undue delay.”

What are your organisation’s data transfer mechanisms?

If your company hasn’t determined how personal information is transferred from the EU, it’s a good time to examine your transfer mechanisms, as they are subject to administrative penalties. If your organisation transfers data from the EU to the US, your options are:

  • EU-US Privacy Shield certification
  • Inclusion and execution of model clauses
  • Binding rules for intra-company data transfers

The common thread in all these requirements is the allocation of more resources for data protection and governance. This involves companies taking a more proactive approach to privacy and security for the records on customers that they create.

However, while GDPR will force all companies to take data protection more seriously, it should not impact business activities too seriously. For some companies, this will be “business as usual”, as they will already have strong information management and data protection processes in place. For others, the implementation of GDPR-compliance processes around data handling will be more onerous.

The challenge here for companies is that customer data can exist in multiple locations and on devices. Keeping track of this data will be essential over time. Re-evaluating existing processes and contracts around data handling will be one important step for compliance, while looking at data protection technologies will also be required.

By Andrew Nielsen, Chief Trust Officer and Eugenia Bergantz, Head of Legal, Legal Counsel at Druva