Legal departments need to prepare for the new, sweeping EU data-privacy rules.
The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, sets a high standard for data privacy that affects all companies that do business in the European Union (EU) or with its citizens. GDPR effectively puts control of personally identifiable information (PII) directly into the hands of the individual whose data is being collected, including a company’s own employees. The 99 articles of the regulation dictate how and why PII can be collected as well as the methods for processing, securing and accessing an individual’s PII. U.S.-based organizations must comply if they hold PII on any EU citizen anywhere in the world or on any current resident of the EU.
The costs for non-compliance could be significant. Companies can be fined up to €20 million or 4 percent of their annual revenue (whichever is greater) for not complying. In addition, intangible damages in the form of reputational harm can be even more costly in the long run.
Taking Action on Compliance
The EU calls GDPR “the most important change in data privacy regulation in 20 years.” Indeed, corporate legal departments will face an entirely new world of data-management requirements. To help ensure their compliance, we recommend that legal departments take the following key steps.
1. Assess current capabilities
GDPR Article 5, “Principles relating to processing of personal data,” requires that organizations do their utmost to ensure the accuracy of the personal data they are controlling. Inaccurate data must be “erased or rectified without delay.” To do this, legal departments must take stock of their data and ensure that it is current and accurate.
Legal departments must also examine current processes to ensure that they are equipped to maintain the integrity of data and respond to data subjects’ requests, including the “right to be forgotten” and to access their own PII.
2. Assign a data protection officer (DPO)
GDPR focuses on the accountability of parties that process PII. A key element of this concept is demonstrating a company’s compliance with GDPR’s 99 articles. The responsibility for supplying proof of compliance falls to the DPO, an important new position required by GDPR for organizations meeting certain requirements, or if mandated by local law. The DPO oversees the mechanisms a company employs to comply with GDPR and maintains primary oversight of data-processing activities.
If an EU resident requests access to his or her PII, it is up to the DPO to ensure that the request is handled promptly and within GDPR requirements. Likewise, if a breach is detected, the DPO is responsible for ensuring that authorities are notified within 72 hours.
3. Review data-monitoring processes
GDPR Article 25, “Data protection by design and by default,” calls for the use of appropriate technical and organizational measures to ensure the protection of PII. While it does not specify the tools to use, the message is clear: data controllers must deploy any tools necessary to ensure the integrity of their PII data.
It is worth noting that data processors—the third-party entities that data controllers use to handle PII—are responsible for maintaining the same levels of data integrity and security. Corporate legal departments must ensure that law firms and other legal service providers adhere to stringent standards and share a commitment to using the appropriate tools and processes for data protection. This is not a “check the box” procedure; corporate legal departments must verify and agree with all the specific processes and tools that vendors have in place to protect PII.
4. Implement high data-encryption standards
GDPR requires organizations to take appropriate technical and organizational measures to protect personal data. It is vitally important that legal departments encrypt this data whenever and wherever possible—certainly within databases and email communications, but also in the web browsers and applications that employees may be using. Your enterprise legal management provider should be able to help ensure that your organization is using the latest and most secure versions of their solutions.
5. Practice proper data-management hygiene
Unlike other industries, such as financial services or healthcare, the legal industry is not required to discard personal data after a specific period of time. However, GDPR contemplates data retention periods and states that PII shall not be kept for longer than is necessary for the purposes for which it is processed.
Of course, under GDPR, data subjects have many rights. An organization must have processes in place that will allow it to effectively respond when an employee, or any data subject, demands access to their data, requests to take that data with them to a new job or asks to have it corrected or erased.
6. Update vendor contracts and other agreements
Legal departments should carefully review the contracts they have with their vendors to ensure that those agreements contain privacy language specific to GDPR and address the legislation’s Cross-Border Data Transfer limitations if the PII leaves the EU. If they do not have such language, legal departments should request that their vendors furnish them with updated contracts addressing these concerns.
Legal should also review any End User License Agreements or Terms of Use documents that their corporations utilize with customers and end-users and update the terms of those documents to address GDPR requirements.
7. Perform a data-protection impact assessment
Again, corporate legal departments must ensure that law firms and other vendors are GDPR-compliant. Indeed, Article 35 requires a Data Protection Impact Assessment “where a type of processing … is likely to result in a high risk to the rights and freedoms of a natural person.”
This requirement can be addressed via an electronic risk-assessment questionnaire. The data controller can create a series of questions specific to the organization’s data privacy policy and requirements and ask its vendors to respond. This assessment, which should be repeated periodically, helps determine which firms have acknowledged the privacy policy and are in compliance, allowing corporate legal teams to open a dialogue with providers that still need encouragement to get on board.
Wolters Kluwer’s ELM Solutions’ Cybersecurity Risk Assessment application provides a platform for the creation and dissemination of assessments, in the same format, to multiple law firms at one time. The application allows the information to be captured directly in an enterprise legal management system, giving legal teams visibility into which of their legal service providers are GDPR-compliant.
GDPR Compliance Commitment
It is critical for legal departments to ensure that their enterprise legal management (ELM) provider is committed to GDPR compliance. The provider should have expertise in meeting privacy regulations and should already enforce internal controls that meet rigorous standards for information security and business continuity. Legal departments should seek ELM providers that are ISO-27001-certified, as many GDPR regulations closely align with ISO-27001. If an ELM provider meets these criteria, it will be better positioned to help its clients work toward their compliance obligations.
To learn more about GDPR and how Wolters Kluwer’s ELM Solutions is preparing and helping clients prepare, visit the Wolters Kluwer’s ELM Solutions website and download the white paper, “Preparing Your Corporate Legal Department for the Journey Toward GDPR Compliance.”
Kevin Caulfield is product line director at Wolters Kluwer’s ELM Solutions. He brings nearly 20 years of product management, operations and software leadership experience in the enterprise and consumer markets. He is responsible for driving and leading product strategy and the discovery and validation of market needs and opportunities for the TyMetrix® 360° and Passport® product lines. Reach him at [email protected].
Published April 2, 2018.