• EU data protection law goes into effect May 25
• Companies should audit systems, update data policies and plans
Those living in the European Union are about to get a whole new set of data protections, including cookie notices on web browsers and a right to make large chunks of your digital trail disappear.
With the EU’s General Data Protection Regulation (GDPR) kicking in May 25, companies are having to reformulate how business is conducted online. Yet only 42 percent of 1,000 companies surveyed in the U.S. and the EU will be ready to comply with the GDPR on May 25, according to an April report by McDermott Will & Emery LLP and the Ponemon Institute LLC.
Just 10 percent of companies will be in compliance before the GDPR’s effective date, 40 percent will be compliant after, and 8 percent don’t know when they will achieve compliance, the study found.
The new regulation applies to companies that control or process personal data of EU individuals—no matter where they are located.
With the GDPR fast approaching, companies should immediately determine if the new law applies to them or a business partner. If it does, here are five of the most urgent steps they should take, data protection attorneys told Bloomberg Law.
Do you know where your data is? Or even what data you hold in the first place?
A company should have a clear understanding of what information it holds or processes—and with whom it shares data. Both are essential to learning about its potential risks—and how it must comply with the new regulation.
The GDPR under Article 4 defines data controllers and data processors, each with different roles.
A data controller means the person or organization that decides how and why data should be used. Data controllers have specific responsibilities and liabilities, under Article 24 of the GDPR, for any data a company processes and any data processed on its behalf.
A data processor stores, structures, or otherwise processes data on behalf of the controller. Companies will need to put in place practices that demonstrate that their processing activities are compliant.
Update Data Policies – Including Consent
Companies should ensure that data and privacy policies provide people with information about the collection and use of their data. Articles 12-14 of the GDPR outline the requirements for transparent information and communication, and stipulate what information is necessary to share with data subjects.
Businesses should make sure privacy notices and policies are clear about the processing of data, as well as concise, transparent, easily accessible, written in plain language, and in most cases free of charge.
User consent is also important. Companies must be able to show that an individual has consented to the processing of his or her data in most situations. Article 7 outlines the conditions for consent and other related concepts. Article 8 details the conditions for children’s consent. The GDPR also provides for non-consensual processing of personal information in limited circumstances, such as when it would be in the public interest or potentially related to criminal activity.
Requests for consent need to be clearly presented in an intelligible, easily accessible way in plain language. Individuals will also have the ability to withdraw consent at any time, so companies will need methods for handling those requests.
Prepare for a Data Breach Emergency
Companies globally, including Uber Technologies Inc., Yahoo, and Equifax Inc., have increasingly been hit with data breaches in the past few years. The GDPR requires companies to notify supervisory authorities and, in some cases, data subjects after a breach. Companies should have protocols in place to respond to breaches that address timing and notice requirements.
After a breach, a company under Article 33 will need to notify a supervisory or public authority responsible for monitoring GDPR application within 72 hours of learning about the breach, unless it is unlikely to result in a risk to individuals. Under Article 34, a company must also notify data subjects if the breach is likely to result in a risk to their rights.
Create a Plan for User Requests
Companies that hold EU individuals’ personal data will need plans for how data controllers respond to subject access, erasure, and portability requests.
Individuals under Article 15 will have the right to request access to personal data. Companies will be required to disclose the data to the individual making the request, in addition to information about the purposes of processing the data, and about data categories and recipients, among other details.
Individuals under Article 20 will also have the right to receive data or require that the data be transferred to another controller, known as the “right to data portability.” Data controllers will need to have a process for handling such requests, such as if a user wants their personal data moved from one social media provider to a competing platform.
The GDPR also introduces the right for individuals to ask for their data to be permanently erased, known as the “right to erasure” or the “right to be forgotten,” under Article 17.
Companies should be prepared to erase individuals’ data in cases where the data are no longer necessary for the original purposes for which they were collected or processed, or if the individual withdraws consent from the data processing, among other scenarios.
Brace for Strict Enforcement
Data controllers and processors should brace for potentially large fines for non-compliance.
A company can be fined up to €20 million ($23.7 million), or four percent of its worldwide annual revenue, whichever is higher, for failing to comply with GDPR principles.