Ten Months And Counting: Five Things Your IT Department Needs to Know to Prepare for GDPR

6.27.2017

The hour cometh. The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) goes into effect on May 25, 2018. If a company processes or stores the personal data of EU residents (not citizens), it is subject to the Regulation. (The UK presents a special case, which will be the subject of a subsequent alert; in the meantime, we advise UK-affiliated clients to anticipate and prepare for full GDPR compliance).

The GDPR is an intricate regime that will potentially require affected companies to make both technological and procedural adjustments. In many cases, it will be no small undertaking to achieve compliance. Accordingly, the time to begin your compliance efforts is now.

With the hour of reckoning approaching, here are the key issues that senior management should be discussing with their information technology teams:

  1. Set Benchmarks to Meet Tight Breach Deadlines: Under Articles 33 and 34, GDPR mandates data breach notification to local regulators within 72 hours of the company’s determination of a breach. The notification must encompass an explanation of what has transpired, the nature of the data exposed, and the number of data subjects affected. These tight timeframes highlight the necessity of creating a data breach response plan (and periodically engaging in test-runs).
  2. Incorporate the Data Protection Officer into Company Processes: Under Article 37, companies whose business entails the processing of sensitive data must appoint a Data Protection Officer. Sensitive data includes details of an individual’s ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health, sex life, and sexual orientation. Articles 38 and 39 set up the DPO as an internal privacy ombudsman. This requires independence and job security protection. He or she must have access to both IT personnel and executive leadership in order to participate in both tactical and strategic decision making.
  3. Enable Data Subject Control: The GDPR is premised on the idea that an individual should control his or her own data. Articles 15 and 21 give data subjects substantial control over their personal data. This control includes the right to cease processing (which gave rise to the famous “right to be forgotten”) and the right to portability. Compliance with these rights may require technological adjustments.
  4. Enforce Vendor Requirements: Article 28 contains a non-exhaustive list of requirements that must be incorporated in agreements with third party processors or vendors that process data on behalf of a GDPR-regulated entity. These requirements incorporate the GDPR vision of security, privacy and control: vendors are expected to protect data, limit access, cooperate with regulators, and be able to document their compliance with all requirements. All new contracts should reflect these requirements. Existing ones should be amended to reflect the same.
  5. Notice of and Limits to Processing: Articles 12 and 14 require that data subjects be notified of the nature and objectives of data collection and processing. The notification must be clear, i.e., expressed in non-technical and non-legal language. IT should ensure that data is processed within the constraints set out in these notifications.

Both the legal and technical complexities of the GDPR regime mean that compliance is a long-term project. Companies that process EU resident data should be prepared to (1) educate their IT departments on the intricacies of the regime; and (2) develop a project plan encompassing the required technical, procedural, and training milestones that will have to be achieved before the stroke of midnight on May 25, 2018.
