100 Days Until GDPR … Are You Ready?

Vedder Price

What Is GDPR?
The EU General Data Protection Regulation (GDPR)—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Organizations expected to comply include those located within the EU; those that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.

Notification Requirements under GDPR
Among the new expectations for companies under GDPR is accelerated notification timing to the supervisory authority and to affected data subjects—within 72 hours of first becoming aware of the breach. The chart below outlines these requirements:

[Chart: GDPR breach notification requirements]

Under GDPR, potential consequences for non-compliance with these notification requirements not only include hefty financial fines—up to €10 million or up to 2 percent of the total worldwide turnover of the preceding year—but also potentially significant impacts to brand reputation over the long term.

What Can Companies Do to Get Ready?

Gartner predicts only 50 percent of companies impacted by GDPR will be compliant by the end of 2018. So, what can organizations do to get ready?

Focus on Breach Prevention

  • Identify, assess and amend existing technical and organizational security measures (GDPR Article 32)
  • Review cyber insurance policies to ensure they sufficiently cover the costs of a data breach
  • For third-party vendors/processors:
    • Implement/amend existing due diligence procedures to cover data protection/security
    • Check existing contractual terms and incorporate new mandatory GDPR requirements, including specification of the mandatory breach-reporting obligation and specific security measures

Review and Enhance Your Plans

  • Review and update existing incident response and crisis communications plans to ensure they account for GDPR requirements
  • Develop protocols and processes to meet the 72-hour notification requirement

Educate and Equip Employees

  • Conduct a Board training/education session
  • Inform, train and educate employees about the new regulations and impacts on data handling and breach notification

Test and Train the Team

  • Pressure test GDPR-related response protocols through a simulated exercise
  • Incorporate participation from core incident response team members, leaders and subject-matter experts from EU markets, and external partners (e.g., legal counsel, IT/forensics firm, crisis communications partner, notification mailing, call center and credit monitoring)
  • Identify gaps and update/enhance incident response plans to address them

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Vedder Price | Attorney Advertising