How to prepare for the EU General Data Protection Regulation

'Privacy notice requirements are likely to be far stricter under the regulation,' warns Rosemary Jay

5 June 2014

By Manju Manglani, Editor (@ManjuManglani)

Firms need to get their houses in order to ensure they are future-proofed for the introduction of the EU's General Data Protection Regulation, Rosemary Jay, a senior attorney at Hunton & Williams, has said.

Speaking yesterday at Ark Group's Data Protection Conference 2014, Jay noted that organisations need to take the upcoming regulatory changes seriously as "data privacy is not only about law and legal compliance; it is increasingly a business critical issue".

The final text of the draft regulation is unlikely to be known until the end of 2014 or the beginning of 2015 at the earliest. However, Jay warned that "the general direction of travel is evident" and that "it now seems unlikely that the whole thing will fall through".

"Building a compliance programme now with an eye to the regulation could avoid the need for major programme changes later," she said.

"As a first step, the most important task you can do now (if you haven't already done so) is to get your house in order," said Jay. "You will not be able to ensure that your company's processing activities are compliant with the regulation if you do not even know what they are."

Jay believes that preparations should include completing internal inventories of processing activities, mapping data flows and discovering the right local business stakeholders in each jurisdiction.

Firms should also pay greater attention to privacy notices, as "notice requirements are likely to be far stricter under the regulation," she warned.

"Draft your privacy notices now with greater transparency," advised Jay. "Provide as much information as the business is comfortable with, including: purposes, recipients, retention periods, international transfers, sources of data, use of vendors, how individuals can exercise their rights and data-matching/linking with other data sources."

Firms should also ensure they allocate sufficient resources to ensure data protection compliance. "Make sure there is oversight, responsibility and accountability for data protection within the organisation. Push for the appointment of a data protection officer and/or designation of full and part-time privacy resources, including a network of informal 'privacy champions' across the business," she suggested.

Next, Jay advised that firms should maintain an inventory of all data processors used, including the personal data processed, the key privacy clauses, and contract duration. "Consider drafting new vendor contracts in compliance with the regulation's requirements."

Another important step is implementing retention periods, if they are not already in place. "This will have a number of knock-on benefits, including having a data cleanse, deleting outdated toxic data assets and the ability to provide notice of your retention periods (now that you have them)," she said.

Introducing privacy by design to your organisation would also be beneficial. Firms should consider conducting and documenting data protection impact assessments (DPIAs) for new and risky processing activities.

"These needn't be long or complicated, just consider the privacy risks systematically. Make sure identified risks are addressed; don't document a risk and then take no action to reduce it," commented Jay.

"The days of collecting buckets of data for no good reason are numbered. Use DPIAs to assess whether an intended processing activity would unnecessarily collect data. Document the purposes data are collected for and stick to these purposes or revisit notices and the legal basis."

A breach plan should also be implemented if one is not already in place. "You don't want to get caught out if 24-hour mandatory reporting requirements come into force," said Jay. "Conduct dummy breach exercises to test the procedures and check your insurance for breach coverage."

Jay also noted that clients and staff are becoming increasingly privacy-savvy and that firms need to ensure they are able to deal with subject access requests in a timely manner: "If you don't already have a tried-and-tested robust procedure for dealing with subject access requests, for heaven's sake get one now!"

Concluding, Jay said: "Consider how you can build data portability and access for individuals to their data. It could save you a lot of time if individuals can see, correct and delete their data directly. Even if the right to be forgotten doesn't make the final cut of the regulation, individuals are increasingly likely to request and expect deletion of their personal data."