The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This regulation unifies the various European data privacy laws, providing unprecedented penalties—20 million Euros or 4 percent of annual corporate turnover, whichever is greater—for egregious violations. Under the GDPR, organizations are required to protect the personal data of European residents and provide residents with free access to, and control over, their information.
Even if you don’t have offices or physical facilities in Europe, there’s a good chance that your business will be affected. As a result, dozens of articles have been written about what the GDPR is, what effect it will have on U.S.-based companies, and what it means for eDiscovery.
But what if you’re still not ready? You’re not alone: Gartner estimates that more than half of companies that will be affected by the GDPR will not achieve compliance in 2018. Don’t put it off any longer! Get started on your GDPR readiness plan today with the following steps.
1. Start a thorough data inventory.
The GDPR requires that businesses protect the personal data of European residents, which in turn requires knowing what data the company possesses and where it can be found. A comprehensive inventory therefore pays off either way: if you find that you hold no data on European residents, you can ease up on GDPR compliance work. If you find that you do, you can start taking steps to protect that information and to provide access to it.
Don’t be daunted by this preliminary step: as eDiscovery professionals, you are excellently situated to collect, catalog, and characterize data. Inventory your information today and resolve to keep your data maps current and accurate.
2. Hire or assign a data protection officer (DPO) or equivalent.
You may not be required to appoint a DPO, but having an employee dedicated to the role is still a good idea. A DPO monitors an organization’s compliance with the GDPR, advises the organization about its duties and obligations, and acts as a liaison with the supervising data protection authority. In addition, consider designating a data ombudsman to coordinate your organization’s response to data requests.
3. Revise your privacy notices and data retention policies.
The GDPR requires that companies have a legitimate reason, often customer consent, to collect and maintain private personal information. Revisit your privacy notices, explaining the types of data you may collect, why you collect information, what you will do with it, and how long you will retain personal data. Provide information about how customers can request access to their data. Finally, ensure that your consent policies are stated in clear and plain language and provide a default of no consent, as consent cannot be inferred under the GDPR.
4. Get your company ISO 27001 certified.
The International Organization for Standardization’s ISO/IEC 27001 standard establishes international requirements for data security. While ISO 27001 certification will not replace a GDPR compliance plan, it provides a structured approach, demonstrates that you take data security seriously, and will get you off to a good start for the GDPR.
Need more help understanding how your eDiscovery should adapt to the impending GDPR? We can make sure you have systems in place to meet your obligations and accelerate your eDiscovery. Please contact us to learn more.