Ten Months And Counting: Five Things Your IT Department Needs to Know to Prepare for GDPR

6.27.2017

The hour cometh. The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) applies from May 25, 2018. Its reach is not limited to EU-based companies: under Article 3, a company is subject to the Regulation if it is established in the EU, or if it offers goods or services to, or monitors the behavior of, individuals who are in the EU. What matters is where the data subjects are, not their citizenship. (The UK presents a special case, which will be the subject of a subsequent alert; in the meantime, we advise UK-affiliated clients to anticipate and prepare for full GDPR compliance).

The GDPR is an intricate regime that will potentially require affected companies to make both technological and procedural adjustments. In many cases, it will be no small undertaking to achieve compliance. Accordingly, the time to begin your compliance efforts is now.

With the hour of reckoning approaching, here are the key issues that senior management should be discussing with their information technology teams:

  1. Set Benchmarks to Meet Tight Breach Deadlines. Under Article 33, a company that suffers a personal data breach must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a late notification must explain the delay. Under Article 34, where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well. The notification to the regulator must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed in response. A 72-hour clock that starts when the company becomes aware of an incident (not when it finishes investigating) is very short for most organizations, which highlights the necessity of creating a data breach response plan with clear escalation paths and decision owners, and of periodically engaging in test-runs.
  2. Incorporate the Data Protection Officer into Company Processes: Under Article 37, a company must appoint a Data Protection Officer if its core activities consist of large-scale, regular and systematic monitoring of individuals, or of large-scale processing of special categories of personal data. Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership, as well as genetic data, biometric data used to identify an individual, and data concerning health, sex life, or sexual orientation; data about criminal convictions is treated similarly. Articles 38 and 39 set up the DPO as an internal privacy ombudsman: the DPO must be involved in all matters relating to personal data, must be given the resources needed to do the job, must act independently, and may not be dismissed or penalized for performing the role. He or she must have access to both IT personnel and executive leadership in order to be a component in both tactical and strategic decision making.
  3. Enable Data Subject Control: The GDPR is premised on the idea that an individual should control his or her own data. Articles 15 through 22 give data subjects substantial rights over their personal data: the right of access (Article 15), rectification (Article 16), erasure (Article 17, which codifies the “right to be forgotten”), restriction of processing (Article 18), data portability (Article 20), and the right to object to processing (Article 21). Requests must generally be answered within one month. Honoring these rights is a technical problem as much as a legal one: a company must be able to locate every copy of an individual’s data across its systems (including backups and third-party processors), export it in a structured, commonly used, machine-readable format, and delete or suppress it on request. Compliance with these rights may therefore require technological adjustments.
  4. Enforce Vendor Requirements: Article 28 lists the terms that must be incorporated in agreements with third party processors or vendors that process data on behalf of a GDPR-regulated entity. These requirements incorporate the GDPR vision of security, privacy and control: vendors must process data only on the controller’s documented instructions, protect it with appropriate security measures, limit access to personnel bound by confidentiality, obtain authorization before engaging sub-processors, assist the controller with data subject requests and breach notifications, delete or return the data at the end of the engagement, and be able to document their compliance with all requirements. All new contracts should reflect these requirements. Existing ones should be amended to reflect the same.
  5. Notice of and Limits to Processing: Articles 12 through 14 require that data subjects be notified of the nature and objectives of data collection and processing, including the purposes and legal basis for the processing, the recipients of the data, and how long it will be retained. The notification must be clear--i.e., using non-technical and non-legal language. Under the purpose limitation principle in Article 5, data may only be processed for the purposes disclosed in these notices, so IT should ensure that data is processed within the constraints set out in them.

Both the legal and technical complexities of the GDPR regime mean that compliance is a long-term project. Companies that process the personal data of individuals in the EU should be prepared to (1) educate their IT departments on the intricacies of the regime; and (2) develop a project plan encompassing the required technical, procedural, and training milestones that will have to be achieved before the stroke of midnight on May 25, 2018.
