Ten Months And Counting: Five Things Your IT Department Needs to Know to Prepare for GDPR

6.27.2017

The hour cometh. The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) goes into effect on May 25, 2018. If a company processes or stores the personal data of EU residents (not citizens), it is subject to the Regulation. (The UK presents a special case, which will be the subject of a subsequent alert; in the meantime, we advise UK-affiliated clients to anticipate and prepare for full GDPR compliance).

The GDPR is an intricate regime that will potentially require affected companies to make both technological and procedural adjustments. In many cases, it will be no small undertaking to achieve compliance. Accordingly, the time to begin your compliance efforts is now.

With the hour of reckoning approaching, here are the key issues that senior management should be discussing with their information technology teams:

  1. Set Benchmarks to Meet Tight Breach Deadlines: Under Articles 33 and 34, the GDPR mandates data breach notification to local regulators within 72 hours of the company’s determination of a breach. The notification must encompass an explanation of what has transpired, the nature of the data exposed, and the number of data subjects affected. These tight timeframes highlight the necessity of creating a data breach response plan (and periodically engaging in test runs).
  2. Incorporate the Data Protection Officer into Company Processes: Under Article 37, companies whose business entails the processing of sensitive data must appoint a Data Protection Officer. Sensitive data includes details of an individual’s ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health, sex life, and sexual orientation. Articles 38 and 39 set up the DPO as an internal privacy ombudsman. This requires independence and job security protection. He or she must have access to both IT personnel and executive leadership in order to take part in both tactical and strategic decision making.
  3. Enable Data Subject Control: The GDPR is premised on the idea that an individual should control his or her own data. Articles 15 and 21 give data subjects substantial control over their personal data. This control includes the right to cease processing (which gave rise to the famous “right to be forgotten”) and the right to portability. Compliance with these rights may require technological adjustments.
  4. Enforce Vendor Requirements: Article 28 contains a non-exhaustive list of requirements that must be incorporated in agreements with third-party processors or vendors that process data on behalf of a GDPR-regulated entity. These requirements incorporate the GDPR vision of security, privacy and control: vendors are expected to protect data, limit access, cooperate with regulators, and be able to document their compliance with all requirements. All new contracts should reflect these requirements, and existing ones should be amended to reflect the same.
  5. Notice of and Limits to Processing: Articles 12 and 14 require that data subjects be notified of the nature and objectives of data collection and processing. The notification must be clear, i.e., written in non-technical and non-legal language. IT should ensure that data is processed within the constraints set out in these notifications.

Both the legal and technical complexities of the GDPR regime mean that compliance is a long-term project. Companies that process EU resident data should be prepared to (1) educate their IT departments on the intricacies of the regime; and (2) develop a project plan encompassing the required technical, procedural, and training milestones that will have to be achieved before the stroke of midnight on May 25, 2018.
