The EU’s General Data Protection Regulation: Five steps for moving toward compliance

By Sarah Sargent

Since the European Union’s General Data Protection Regulation, also known as the GDPR, went into effect on May 25, 2018, many companies all over the world have brought their privacy policies up to date to comply with the regulation.

Companies in the United States are subject to GDPR if they have an establishment in the EU, offer goods or services to individuals in the EU, or monitor the behavior of individuals in the EU. The regulation requires companies to provide "data subjects"—individuals whose personal data is collected—with a notice of their rights and of the company's collection practices.

The required notice provisions have caused many companies to bring their privacy policies up to date. However, fully complying with GDPR requires more than a revised privacy policy.

Companies that need to comply with GDPR should consider the following five steps to move towards full compliance.

Contracts should take GDPR into account

Companies should assess whether their contracts sufficiently take GDPR into account. GDPR requires data controllers, i.e., entities that determine why and how personal data are used, to have written contracts with data processors, i.e., entities that handle personal data on a controller's behalf. For example, if a retailer uses a vendor to process and ship its online orders, the retailer is the controller and the vendor is the processor. Article 28 of GDPR requires controller-processor contracts to meet various requirements, such as imposing a confidentiality obligation on the processor's staff, requiring the processor to act only on the controller's documented instructions and otherwise adhere to GDPR, and specifying the subject matter, duration, nature and purpose of the processing and the types of personal data involved. Companies should determine whether they act as a controller, a processor, or both, since the role can differ from one processing activity to the next. Companies should then analyze whether they must amend their contracts to fulfill GDPR requirements.

Update or adopt internal policies

Companies should update or adopt internal policies. Regardless of GDPR, all companies should have a data-breach-response policy and an employee-privacy policy. These policies, along with any other data policies, should be reviewed and updated to ensure they incorporate GDPR requirements. Data-breach-response policies need to deal with GDPR's requirement that the supervisory authority be notified within 72 hours of the company becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to individuals; affected data subjects must also be notified without undue delay when the breach is likely to result in a high risk to them. Because the 72-hour clock starts at awareness, the policy should state who decides that a breach has been identified and how that decision and its timing are recorded. Employee-privacy policies should identify the legal basis for collecting and monitoring employees' personal data.

Record GDPR compliance steps

Companies should record the steps they've taken to comply with GDPR. Although smaller businesses (generally those with fewer than 250 employees) may be exempt under Article 30 of GDPR from keeping records of their processing activities, all businesses should maintain records documenting the steps they have taken to comply with it. Most U.S.-based companies that fall under GDPR are not currently compliant; so, they should document all the good-faith efforts they have made to move towards full compliance. If a data subject were to make a complaint to a supervisory authority, the company could at least show that it was diligently trying to comply with the law.

Showing good-faith steps toward compliance could mitigate the risks of non-compliance.

Assess company security measures

Companies should assess whether their security measures are appropriate to the risks their processing creates. GDPR requires companies to implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risk." Article 32 of GDPR lists factors a company should consider when assessing security, including the pseudonymization and encryption of personal data (pseudonymization meaning that the data can no longer be attributed to a specific person without additional information that is kept separately), the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of the measures. A practical way to assess whether a company is taking appropriate security measures is to compare them against recognized industry standards and published security frameworks. Even if a company does not fully adopt a particular framework, it can use it as a best-practices guide. Frameworks that companies may find helpful include ISO/IEC 27001 and 27002, the NIST Cybersecurity Framework and NIST SP 800-53, and COBIT (Control Objectives for Information and Related Technologies). Additionally, companies should ensure they are not running outdated or unsupported software or equipment that no longer receives security updates. Companies can also hire an outside, third-party security professional to test their systems. Such professionals, often referred to as penetration testers, offer a variety of tests at a range of prices, so a company can decide what level of testing and cost is appropriate for its systems; the test reports and the fixes that follow also serve as the regular testing Article 32 calls for and as evidence of the good-faith efforts described above.
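The pseudonymization factor above is easy to get wrong in practice: replacing an e-mail address with a plain SHA-256 hash is not pseudonymization in the Article 4(5) sense, because anyone holding the data can re-identify a person simply by hashing a guessed address. The following added example (not code from the article or from the author's firm; the records, field names and key handling are constructed for illustration) shows the distinction with a keyed hash whose key and re-identification table are held apart from the dataset, so that the pseudonymized records still support per-customer analytics but cannot be reversed without the separately stored information.

```python
import hashlib
import hmac
import secrets
from copy import deepcopy

# Constructed sample order records for illustration only (no real data).
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "Alice@example.com", "city": "Milan", "total": 42.50},
    {"order_id": 1002, "email": "bob@example.com", "city": "Lyon", "total": 13.00},
    {"order_id": 1003, "email": "alice@example.com", "city": "Milan", "total": 7.25},
]

# Fields that directly identify a person and must be replaced (assumed for this example).
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonym_key() -> bytes:
    """Generate the secret used to derive pseudonyms.

    This key is the "additional information" of GDPR Art. 4(5): it must be
    stored apart from the pseudonymized records (e.g. in a secrets manager).
    """
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, value: str) -> str:
    """Derive a stable pseudonym for `value` with HMAC-SHA256.

    A keyed hash, rather than a plain SHA-256, means someone who obtains the
    pseudonymized dataset cannot re-identify people by hashing guessed
    e-mail addresses: without the key the token is not reproducible.
    Normalizing case and whitespace keeps one person mapped to one token.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, str]]:
    """Return a pseudonymized copy of `records` plus a re-identification table.

    The table (token -> original identifier) and the key are the only way
    back to the individual; keep both separate from the pseudonymized data.
    """
    out, lookup = [], {}
    for rec in records:
        copy = deepcopy(rec)  # never mutate the caller's data
        for field in DIRECT_IDENTIFIERS:
            token = make_pseudonym(key, copy[field])
            lookup[token] = copy[field].strip().lower()
            copy[field] = token
        out.append(copy)
    return out, lookup


def reidentify(record: dict, lookup: dict[str, str]) -> dict:
    """Restore direct identifiers from the separately held table.

    Raises KeyError for an unknown token, which is what happens when the
    dataset is seen without its table (or was produced under another key).
    """
    restored = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[restored[field]]
    return restored


if __name__ == "__main__":
    key = new_pseudonym_key()
    masked, table = pseudonymize(SAMPLE_ORDERS, key)
    for row in masked:
        print(row)
    # Orders 1001 and 1003 share a token, so per-customer totals can be
    # computed on the pseudonymized set without ever seeing an e-mail address.
    print(reidentify(masked[0], table))
```

The design point is where the key and the lookup table live: if they sit in the same database as the pseudonymized records, an attacker who reads that database gets everything, and the measure adds nothing to the risk assessment. Rotating the key produces a completely different set of tokens, so any join between datasets pseudonymized under different keys has to go through the tables rather than the tokens.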

Purge out-of-date data

Companies should evaluate what historical or out-of-date data they may be required to purge from their systems. GDPR's storage-limitation principle restricts how long a company may keep personal data in a form that identifies individuals and requires companies to have a purpose for retaining it. Companies should determine which data are no longer needed for that purpose and securely delete them, including copies held in backups and by processors. Additionally, companies should re-assess whether their data-retention policies are appropriate under GDPR's data-protection-by-design-and-by-default requirement. Ideally, data should be retained only as long as needed to fulfill the purpose for which they were collected and to comply with all legal obligations.

While bringing a privacy policy up to date is a helpful step towards GDPR compliance, companies subject to the regulation cannot stop there. As companies evaluate what their next steps should be, they should consider the likely risks and costs, and the complexity of the task before them. During that evaluation, companies should consider their contracts, internal policies, records, security measures and the need to purge unnecessary data.

Sarah Sargent is an attorney in Reinhart’s Litigation Practice and a member of the firm’s Data Privacy and Cybersecurity group.
