An immense volume of personal data (personally identifiable information) is being collected and moved around the world. Personal data is an incredibly valuable asset to companies, but data protection and privacy laws across the world are increasingly regulating its collection and use. In particular, the EU's General Data Protection Regulation (GDPR), which takes direct effect in all member states on May 25, 2018, brings substantial new compliance requirements and the potential for large fines.
It is not just organizations with an EU establishment that need to be concerned with GDPR compliance. The GDPR has extra-territorial effect: organizations established outside the EU are also subject to it to the extent they process the personal data of individuals in the EU in relation to (i) offering goods or services to those individuals, or (ii) monitoring their behavior within the EU.
These organizations will need to evaluate their processes for handling employee and client personal data. Below are 10 steps they should take to ensure they are on the right track.
1. Conduct data mapping and gap analysis.
Identify categories and location of personal data, reason(s) for processing it, how long it is retained, third parties with whom it is shared and countries to which it is transferred.
2. Consider whether a Data Protection Officer is needed.
A Data Protection Officer (DPO) will be mandatory for some organizations, including those carrying out monitoring or processing of ‘special category’ data (e.g. data relating to health or ethnicity) on a large scale, but all organizations would be well advised to nominate someone with overall responsibility for data protection.
3. Identify lawful bases for processing.
Processing will only be lawful to the extent one of the lawful bases applies. Organizations should consider whether they can rely on consent, on processing being necessary for the performance of a contract or for compliance with a legal obligation, or on the legitimate interests of the controller (where not overridden by the interests or fundamental rights and freedoms of the data subject). It should be borne in mind that consent under the GDPR must be specific, informed and freely given, and can be withdrawn at any time. Because of the imbalance of power in the employment relationship, employers will generally not be able to rely on consent to process employee personal data.
4. Amend data protection language in contracts for EU employees.
Remove references to employee consent from contract templates for new hires and replace with simple language referencing the privacy notice and relevant data protection policies.
5. Review/draft privacy policies and privacy notice.
Review or draft a privacy notice for customers/clients and EU employees as well as policies for data protection, breach notification and document retention.
6. Review/draft addendum for third party contracts.
Identify third parties that process personal data, check that they are aware of their obligations under the GDPR and, where necessary, update contracts with those third party processors to ensure that they are GDPR compliant.
7. Ensure safeguards are in place for transfer of data out of the European Economic Area (EEA).
Ensure the basis relied on for each international transfer is clear and lawful. Review the safeguards currently in place and consider whether additional safeguards are required, such as the Privacy Shield, Binding Corporate Rules or Model clauses (standard contractual clauses).
8. Ensure IT systems are compatible with data subject rights.
Check processes for: keeping personal data up to date; deleting it when appropriate; and responding to a request to delete or restrict the processing of personal data, or to a data subject access request, within one month of receipt.
9. Arrange training for all staff.
One of the ways in which organizations can demonstrate compliance with the GDPR (‘accountability’) is by arranging training for staff which is tailor-made to the organization.
10. Maintain records of processing activities.
Data controllers and data processors must maintain records which document: the purposes of processing; categories of data subjects, personal data and recipients of data; transfers of data outside the EEA; time limits for erasure; and descriptions of security measures.