GDPR: it’s coming, it’s serious and we’re going to have to implement it

9. November 2017

Talking to companies across all of Europe, we see uncertainty.

We sat down with Dr. Axel Fr. von dem Bussche of Taylor Wessing. He is one of Germany’s leading legal experts on GDPR and he has just published a book about the topic – see details below.

In this first installment, we talk about the organizational preparation necessary to be compliant. This advice is the result of Axel’s wide experience and is formed in respect of particular demands presented by the new regulations.

Conscensia:

Axel, firstly, many thanks for taking the time to talk and share your experience and knowledge on this critical topic. I’d like to kick off with practical considerations. What would be your advice to companies who aren’t sure where to start preparation for what’s coming?

Axel Fr. von dem Bussche:

Ok. Here the key words are Gap analysis. The first step is like a legal inventory you should do. In order to assess your company’s data protection ‘to do’s’, a “gap analysis” between the current status of data protection compliance on the one side, and the obligations deriving from the GDPR on the other should definitely be made. Bear in mind that achieving compliance with the GDPR does not only mean that new legal requirements must be met. In the course of preparing for the GDPR, potential previous non-compliance with the requirements of the EU Data Protection Directive 95/46/EC should also be remedied.

So I always advise as a first step: Create a complete and detailed picture of current data protection practices at your company. For example which entities and/or departments are processing what kind of data for what purposes. What are the internal responsibilities, how are you safeguarding data subjects’ rights at present, are data protection officers deployed, what IT security measures are in place etc. This is your “Existing Data Protection Structure”.

Conscensia:

Ok. Assuming I didn’t have this overview already, then I’ve created it now. What’s next?

Axel Fr. von dem Bussche:

Now comes the interesting part. In a second step the requirements deriving from the GDPR that specifically apply to the Company will have to be assessed. We’ll call these the “company GDPR requirements”. Since there will be a lot to do, it makes sense to be really practical and start with a risk analysis.

The effort required for implementing the GDPR requirements will likely be very high; not all requirements can reasonably be fulfilled at once. Companies will have to assess what kind of data processing activities are of biggest risk. This means thinking about your company’s business and/or the rights of your data subjects as well as which risks most likely lead to high fines. I advise all my clients on how to use their resources effectively. The following may sound obvious, but I’m going to say it anyway: it makes sense to use more resources for data protection compliance in areas of higher risk whilst low risk areas are best left for later. But before you can do this, you have to clearly identify these areas.

Conscensia:

What about a good time to start? What are your views on this?

Axel Fr. von dem Bussche:

I try to make all my clients aware of one simple fact: As of May 2018, the EU General Data Protection Regulation (GDPR) will apply to all European entities. Not only this, but due to the extended territorial scope – also to entities outside Europe. The GDPR will lead to a significant rise in data protection compliance duties as well as significantly increased fines of up to 4% of the global annual turnover of the whole company group. Thus, even data protection non-compliance in smaller and less important offices of a company group may now lead to significant ramifications. As the preparation for the GDPR requires re-organization of various internal procedures, it is highly advisable to commence with the preparation in very near future, which is to say: start NOW!

Conscensia:

Got the message. Let’s assume we’ve created our Gap Analysis and we’re ready to start implementing. What comes next?

Axel Fr. von dem Bussche:

You will need to set up a project steering mechanism and of course plan your resources and budget. The GDPR implementation process requires collaboration across all your company’s European entities. It also stipulates an awareness of the to do’s on a management level. Your company should assign project responsibilities to key personnel at the involved Company EU offices, as well as designate one “lead” project manager, to drive the project. The lead project manager can also be an external advisor. Start out by allocating the required resources. In drawing up your planning, you should make sure you have adequate resources for internal personnel required for the implementation, legal costs as well as IT costs. By the last point I mean for supporting software; IT audits etc.

Conscensia:

Makes sense. Let’s assume you have your budget, plan and are ready to go. What now?

Axel Fr. von dem Bussche:

Implementation! You need to know that the GDPR includes a number of additional requirements, things that have not existed to quite the same extent under the EU Data Protection Directive. These are critical, and it’s worth just mentioning them one by one:

Strengthened data subjects’ rights. For example those regarding information, access to it as well as its correction and/or deletion. The right to data portability; the right to object to data processing activities, the all-important “right to be forgotten”. Something that is new and will cause infrastructure issues is the obligation to forward access/deletion requests to third party data recipients, and of course there will be higher requirements for consent declarations etc.

Strengthened organizational requirements. Here we are thinking about the obligation to have data processing registers summarizing internal data processing activities, the necessity for conducting data protection impact assessments and appointing data protection officers in various cases. You need to be aware of the implications of obeying privacy by design and by default requirements to ensure that data processing systems are privacy-friendly. There is an important obligation to link personal data with the purposes for which it has been collected as well as with the legal basis for its processing. And of course the documentation of data flows which should include a draft of deletion concepts etc.

Next on my list is strengthened notification obligations. For example the potential obligation to inform the data protection authorities within 72 hours of a data breach, as well as, wait for it, the concerned individuals. Think about that!

IT/Cyber security requirements will have to be improved; this is a technical issue and should be dealt with separately.

Expect strengthened contractual requirements. This means there will have to be stricter data processing agreements with external service providers as well as potentially within your company group.

Conscensia:

Many many thanks for that. We look forward to part II.

Axel Fr. von dem Bussche:

No problems, it was a pleasure.


In part two we talk about systems and structures, to ensure ongoing compliance.

Click here to get part II of the article: http://bit.ly/2yl7QdA

We are also planning two live events, for the beginning of 2018, in Hamburg and Berlin.

Click here to find out more: http://bit.ly/2AoxzSP


Note:

Taylor Wessing LLP is an international law firm with 33 offices internationally. The Firm has around 400 partners and 1200 lawyers worldwide.

Axel is a specialist attorney in the area of IT, one of Germany’s leading experts and together with Paul Voigt, Axel recently published a book:

The EU General Data Protection Regulation (GDPR): A Practical Guide

(ISBN 978-3-319-57959-7)