Four Points And A Stick: What You Can Do Right Now to Prepare for the European Union’s General Data Protection Regulation

12.5.2016

It’s coming. The European Union’s General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. If your business involves processing EU citizen data, you will be subject to GDPR – even if your sole location is Morrisville, and you have never set foot in the European Union. Failure to comply with GDPR strictures will result in staggering penalties: as much as 4% of your global revenue or 20 million euros – whichever is higher.

Full compliance is complex and involves an exhaustive process. However, a company can begin to prepare immediately. The heart of the GDPR is consent: the premise that data belongs to the subject, and that it may only be collected with the full, informed, affirmative consent of that subject. The data subject may revoke consent at any time, may take their data to another service provider, and may limit how the data is used. With this in mind, companies must work with their IT departments to understand the following four things about their data practices:

  1. Inventory. In order to obtain informed consent, a company must know what data it has. This is particularly important because data may be retained in structures outside regular databases. It is often stored in myriad formats such as correspondence, spreadsheets, evaluations, documents, PowerPoint files, and drafts. These must be documented in a searchable format. An accurate inventory is indispensable to comply with requests to edit, modify, or delete data. It is also necessary to furnish accurate disclosures to regulators and data subjects.
  2. Metadata. GDPR is premised on the notion that the data subject’s consent limits data retention to the time and purpose needed for business. That means that accurate metadata is necessary for compliance. Accurate metadata will enable you to tailor your data collection practices to conform to business needs and consent obtained. It will enable you to delete data where required. And it will enable you to efficiently reevaluate your data collection practices periodically to ensure that further retention or collection is required and, therefore, permitted.
  3. Protocols. A company’s internal processes should incorporate privacy by design. These protocols should encompass the entire data collection process: what is collected, where it is stored, personnel who have access, and the purposes and extent to which this access is granted. If an employee’s functions no longer require access to data, or require access only to a limited subset of data, the company’s protocols should reflect this.
  4. Constant vigilance. Companies are expected to have stringent security programs in place to protect against unauthorized data access. Company systems containing personal data should audit access activity at all times. This includes both internal access – employee behavior – and external attempts – hackers or espionage. The monitoring should be sufficient to detect incipient breaches. Failure to identify efforts to gain unauthorized access, or to report them, can lead to mammoth fines.
  5. Yes, this is a bonus point. Recent trade industry surveys show that a third of all American companies have no designated individual in charge of privacy compliance. Privacy often lies in a nebulous “no-man’s land” between various departments: legal, information technology, operations or even human resources. This creates the obvious risk that privacy issues will fall through the cracks, which is unacceptable under the GDPR regime. Fortunately, the solution is easy: companies need to ensure that privacy compliance falls within an individual’s mandate. Once the person is designated, companies need to make sure that he or she knows what to do, and ensure that he or she has a big enough “stick” (or institutional authority) to get it done.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
