Four Points And A Stick: What You Can Do Right Now to Prepare for the European Union’s General Data Protection Regulation

12.5.2016

It’s coming. The European Union’s General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. If your business involves processing EU citizen data, you will be subject to GDPR – even if your sole location is Morrisville, and you have never set foot in the European Union. Failure to comply with GDPR strictures will result in staggering penalties: as much as 4% of your global revenue or 20 million euros – whichever is higher.

Full compliance is complex and involves an exhaustive process. However, a company can begin to prepare immediately. The heart of the GDPR is consent: the premise that data belongs to the subject, and that it may only be collected with the full, informed, affirmative consent of that subject. The data subject may revoke consent at any time, may take their data to another service provider, and may limit how the data is used. With this in mind, companies must work with their IT departments to understand the following four things about their data practices:

  1. Inventory. In order to obtain informed consent, a company must know what data it has. This is particularly applicable because data may be retained in structures outside regular databases. It is often stored in myriad formats such as correspondence, spreadsheets, evaluations, documents, PowerPoint presentations, and drafts. These must be documented in a searchable format. An accurate inventory is indispensable to comply with requests to edit, modify, or delete data. It is also necessary to furnish accurate disclosures to regulators and data subjects.
  2. Metadata. GDPR is premised on the notion that the data subject’s consent limits data retention to the time and purpose needed for business. That means that accurate metadata is necessary for compliance. Accurate metadata will enable you to tailor your data collection practices to conform to business needs and consent obtained. It will enable you to delete data where required. And it will enable you to efficiently reevaluate your data collection practices periodically to ensure that further retention or collection is required and, therefore, permitted.
  3. Protocols. A company’s internal processes should incorporate privacy by design. These protocols should encompass the entire data collection process: what is collected, where it is stored, personnel who have access, and the purposes and extent to which this access is granted. If an employee’s functions no longer require access to data, or require access only to a limited subset of data, the company’s protocols should reflect this.
  4. Constant vigilance. Companies are expected to have stringent security programs in place to protect against unauthorized data access. Company systems containing personal data should be auditing access activity at all times. This includes both internal access – employee behavior – and external attempts – hackers or espionage. The monitoring should be sufficient to detect incipient breaches. Failure to identify efforts to gain unauthorized access, or to report them, can lead to mammoth fines.
  5. Yes, this is a bonus point. Recent trade industry surveys show that a third of all American companies have no designated individual in charge of privacy compliance. Privacy often lies in a nebulous “no-man’s land” between various departments: legal, information technology, operations or even human resources. This creates the obvious risk that privacy issues will fall through the cracks, which is an unacceptable risk under the GDPR regime. Fortunately, the solution is easy: companies need to ensure that privacy compliance falls within an individual’s mandate. Once the person is designated, companies need to make sure that he or she knows what to do, and ensure that he or she has a big enough “stick” (or institutional authority) to get it done.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601
