On September 26, Priori technology and privacy attorney Sid Rao led a roundtable discussion for in-house counsel on compliance with the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. The recap of the first part of Sid’s talk is here.
Key takeaways from the second part of the event are below:
How does GDPR affect your organization?
GDPR applies to every organization and department differently because GDPR is activity focused. Accordingly, in order to understand how GDPR applies, the first question should be what activities a company engages in.
For companies, the next question relates to the category into which these activities should be classified. There are three possibilities: (i) Data Subject, i.e. the person who could be identified by the information; (ii) Data Controller, i.e. the owner of the data; and (iii) Data Processor, i.e. the entity processing the data. Each type of “person” has different rights and obligations under the GDPR.
In general, the key categories concerning companies are Data Controller and Data Processor. For example, in a case where an employer collects employee data (with a valid purpose for doing so) and then subsequently sends that data to a payroll service, the employer is a Data Controller and the payroll service is a Data Processor.
A Data Controller is obligated to (i) honor a request to transfer data to another controller, (ii) implement appropriate technical and organizational measures and demonstrate that the processing is performed, or could potentially be performed, in compliance with the GDPR, (iii) keep records of processing activities (because, as the Data Controller, the entity is instructing Data Processors to engage in specified activities), and (iv) comply with the GDPR's mandates regarding encryption and pseudonymization in the collection of data.
A Data Processor is obligated to (i) anonymize data by encrypting or removing personally identifiable information from data sets, so that the information about the data subjects remains anonymous, and (ii) ensure that all vendor contracts (i.e. sub-processing contracts) comply with the same requirements as those imposed on the Data Processor. In contrast to Data Controllers, Data Processors are not obligated to demonstrate compliance to any supervisory or regulatory authority and are not required to retain the records of processing activities that a Data Controller must keep.
What should your company consider doing?
Key GDPR compliance steps include:
- Internal data protection officer. This person can have other responsibilities but can’t simply hold the title. Internal data protection officers must have some familiarity with GDPR.
- Policies and procedures. Create policies and procedures around personally identifiable information, particularly regarding special categories of data. Consider implementing a training program.
- Data impact assessment. Conduct data impact protection assessments for current and contemplated activities.
- Classification. Separate data into what is personally identifiable, what is not personally identifiable, and what is neither.
Both outside and in-house counsel can play important roles in GDPR compliance:
The in-house lawyer has a unique view of all potential problem points across business units and can create a cross-functional team to implement policies and procedures and to get buy-in from all stakeholders.
Outside counsel can spearhead data protection, impact assessments, and gap analyses. Further, outside counsel can translate business objectives into actual compliance strategy and play a critical role in documenting compliance.
As organizations grapple with GDPR implementation, three challenges for all involved lawyers are: (i) how to make notice and consent explicit at the point of data collection; (ii) how to ensure that any data transfer (particularly to third parties) is consistent with the purpose of collection; and (iii) how to implement processes that enable data subjects to exercise their rights.