GDPR Countdown: What To Do Before May 25

Posted by: Stephen E. Stein, Craig Carpenter

The EU will implement the new General Data Protection Regulation (“GDPR”) on May 25, 2018. The overall goal of GDPR is to enhance the protections afforded to EU residents for their personal data (under GDPR, the definition of “personal data” goes well beyond corresponding definitions in the United States).

While GDPR has many detailed provisions governing the collection, cross-border transfer, processing, and deletion of personal data (including data collected online via websites), it is the potential liability under GDPR that has garnered the most attention: the greater of 10 million euros or 2% of global revenue for “technical non-compliance,” with these limits doubled to 20 million and 4% for a breach of GDPR’s fundamental principles.

The most common question we are asked is whether GDPR applies to U.S. companies. If a U.S. company is collecting or otherwise processing the personal information of EU residents (either as the data owner (“Data Controller”) or a data processing service provider (a “Data Processor”)), the answer may be “yes.” GDPR will likely apply to U.S. companies that process personal data of EU residents (in addition to companies with an EU presence).

What does GDPR require?

In a nutshell, GDPR requires that companies process data according to six data-protection principles, including:

- Lawful, fair, and transparent processing (including sufficient notice)
- Processing limited to specific, legitimate purposes
- Processing limited to adequate, relevant, and necessary information
- Data is kept accurate and current
- Data is kept for only as long as necessary
- Data is secure and confidential

GDPR also requires that companies establish, protect, and maintain their ability to demonstrate GDPR compliance.

What can a company do to start preparing?

While GDPR compliance is a complicated process that will vary greatly from company to company, there are some basic steps that companies can take to begin the process:

- Data inventory and mapping – identify what data is collected and where it is stored.
- Gap analysis – compare current data-protection practices to those required under GDPR.
- Prioritization and action plan – develop a plan to address issues identified in the gap analysis.
- Security – develop, implement, and maintain clear data-security policies and practices.
- Documentation – maintain clear documentation of data privacy and security policies and practices, including efforts taken to comply with GDPR.
- Lawful basis – identify the “lawful basis” for processing personal information.
- Privacy notice – develop and implement a privacy notice that clearly explains the privacy practices and data subject rights.