The clock is ticking down to the General Data Protection Regulation coming into force in May 2018. As an in-house lawyer, what do you need to know, and more importantly, what do you need to do? Robert Rutherford provides an in-depth, back to basics guide.
With the General Data Protection Regulation (GDPR) due to come into effect in May 2018, many businesses are scrambling to prepare for the changes this legislation will bring. While law firms – both small and large – have been making efforts to ready themselves and their clients for the impact the GDPR will have, many of those in the legal sector are still unprepared.
In-house lawyers are especially at risk of being caught out, as many assume that external firms or IT departments will bear the brunt of this responsibility. However, in-house lawyers will still be needed to assist in the GDPR’s implementation, especially when the changes are rolled out across the entire company. It is therefore vital that in-house lawyers are prepared for these changes and ready to take action.
With its constant presence in the news, it’s safe to say that most people know about the GDPR. However, this understanding doesn’t always translate into actionable steps. C-suite executives, for example, know the GDPR is important, yet many are still unaware of how it will impact their business in practical terms.
It may seem like a lot of information to communicate, but the changes that the GDPR will bring are not actually very complicated. Even so, it is an important area to get right. The C-suite has come to rely on its internal legal team as a trusted source of information, so it is important that in-house lawyers take responsibility for clarifying what impact that the GDPR will have and ensure that everyone in the business understands what needs to be done.
It is natural for senior management to panic at the onset of such far-reaching legislation, especially given its high profile, but it’s important to note that the GDPR is building upon legal processes that were put in place almost 20 years ago in the form of the Data Protection Act 1998. However, businesses need to be aware of some key changes. For a start, the GDPR will change the definition of certain terms – especially in the way ‘personal data’ is understood.
Under the GDPR, personal data will now include a wide range of genetic, biometric and location information. Online identifiers will also be considered part of a customer’s personal data – such as the string of numbers that constitutes an IP address or the cookie IDs that are stored on a website. Under the GDPR, this data will need to be protected in the same way as a customer’s telephone number or home address. As such, businesses will need to adapt their processes to adequately gather and protect this type of information.
Aside from the changes in definition, there will also be additional requirements that businesses will need to comply with. For example, companies will need to employ the latest encryption software and security processes to protect the data of their clients and the business. Although changes like these may require something of a systems overhaul, sufficient investment and support from senior management will put less strain on the business in the long term.
Using key-coded or ‘pseudonymised’ data, for example, can help to offset the damage a cyber-attack can cause, as they make stolen information more difficult (and sometimes impossible) to attribute to a specific individual. If the encryption software is strong enough, the company won’t even need to notify the regulator of the attack, which will not only save time but remove administrative burdens from the business.
Additionally, in-house teams will need to appoint an individual to take on the role of data protection officer (DPO). This person is responsible for many aspects of the GDPR and will therefore need to be chosen carefully in order to ensure that they can meet its demands. The DPO will also be required to advise the business about its obligations when complying with data protection laws, to monitor and maintain this compliance, and be the first point of contact for regulating bodies, authorities and individuals whose data is being used – such as staff, customers and clients.
Once senior-level staff are up to speed in these areas, these actions will need to be clearly communicated throughout the business. If all employees are aware of how the legislation will change their day-to-day operations, compliance will be much easier to achieve. Although additional departments and individuals will provide support, in-house teams will need ultimately to take responsibility for ensuring the company is ticking all the boxes.
Practical changes like implementing an effective security system will always be the responsibility of the IT department, but many people will still come to the in-house legal team for guidance and advice. It is therefore vital that these experts are fully versed on the latest requirements and issues around the GDPR.
In particular, it is important that in-house legal teams have a strong grasp of the standards that the GDPR will require. They should definitely set aside time to read up on the regulation, review its requirements and understand the practical and legal changes that will take effect. Being faced with various questions from every department can be daunting, but understanding the nuances of the GDPR will help in-house teams to respond to the demands of the business more effectively.
Additionally, with geo-political factors such as Brexit, it can be easy to assume that the GDPR may be only temporary for UK-based companies. While it is true the GDPR requirements will no longer apply to the UK when it leaves the EU, businesses will still need to comply with the legislation post-Brexit if they want to conduct business with EU companies.
The Data Protection Bill, announced this summer, will also bring parts of the GDPR into the UK’s domestic legal framework. While compliance with one regulation should lead to compliance with the other, in-house legal teams will need to keep a close eye on the ways in which these two pieces of legislation will complement one another – especially if the business has an international reach.
While legal teams need to be aware of the various aspects and details of the GDPR, practical changes and implementation will require involvement from other departments as well. IT may be the first department that comes to mind, but finance, marketing and discovery teams should also be brought on board to help meet the various aspects of the regulation.
The need for this collaborative approach is perhaps best illustrated by the consumer’s ‘right to be forgotten’. Under the GDPR, customers have the right to request their data to be completely removed from the company’s system or for specific information points to be deleted, depending on their preference. As such, the IT department will need to ensure that its systems and processes can cope with the strain and obey customers’ wishes.
Whereas previously companies only needed to provide an ‘opt out’ option, businesses will also need to provide options for their customers to ‘opt in’ to their data being used during the sign-up process. Although it may seem minor, this change will require the wider involvement of the business and the oversight of the legal team to ensure this change takes effect.
Companies will also need to be much clearer in the way they communicate these changes to clients. Overcomplicating their terms and conditions, privacy notices and additional terminology will go directly against the GDPR. Marketing, sales and even C-level executives will therefore need to review their content carefully and ensure that the information is clear.
Third parties may also need to be contacted – especially if they provide remote storage and data processing for the business. It is up to the legal team to ensure that their suppliers are meeting the right regulation for their business, but they may need to consider additional aspects of the GDPR in order to guarantee compliance.
Some suppliers may prove to be helpful when it comes to streamlining certain processes to meet the GDPR. Businesses should consider speaking with the providers of e-discovery tools, for example, as they will likely have guidance and deliver short cuts on certain areas of the GDPR, therefore making compliance much easier.
Careful planning will be ultimately the most important factor in navigating the often-confusing waters of the GDPR. Even if they are not responsible for the roll-out, in-house teams need to have a firm strategy in place they can clearly communicate to the entire business. Ideally, a project plan based on reviewing the GDPR and adhering to its rules, should be established and shared with key decision-makers.
This plan should be mapped across every area of the company’s data privacy practices and be able to address the various departments within the business. The plan should also be simple to navigate: businesses should consider creating a basic matrix or spreadsheet as an initial starting point. Mapping the areas where the business is not currently meeting the standards set out by the GDPR can make addressing the regulatory requirements more digestible for the team and the wider business.
Additionally, a checklist of internal changes should be noted. Making sure the company has the latest encryption software, a chosen DPO and a clearly communicated line of enquiry can alleviate the pressures on the business both during the early days of the GDPR coming into force and in the event that a cyber-attack occurs in the future.
While this preparation will require a lot of focus and attention, the consequences of non-compliance greatly outweigh the work that is needed to comply with the GDPR. Companies failing to meet the GDPR will face fines of up to €20 million or four per cent of their annual turnover, whichever is higher. The business can also be named and shamed by the regulator, which can not only damage your reputation but impact on future business prospects.
The responsibility for the GDPR isn’t confined to in-house legal teams, but in-house needs to know how the GDPR will impact the whole company. In most cases, in-house teams will be the regular contact for the wider concerns and issues of the organisation and will need to fully understand the legislation to ensure the business is compliant.
Above all, understanding the company’s needs, preparing for any changes that are needed, and responding to each department’s requirements will help to offset the impact of the GDPR and allow day-to-day business processes to continue to run smoothly.
Robert Rutherford is CEO of the business and technical consultancy QuoStar (https://quostar.com).