With the anticipated publication of the Europe General Data Protection Regulation (the "GDPR") in 2016, international companies must begin to assess how the GDPR will affect their global data protection and privacy compliance programs. The GDPR will likely affect companies based in and outside the EU, so it is important for all multi-national companies to assess the impact of the GDPR.
What Is Happening?
The GDPR will largely replace the existing data protection regulatory landscape in the EU. It is anticipated that the GDPR will be finalized in early 2016. Companies will then have two years to get their privacy house in order before the GDPR will come into effect. Given the anticipated number of changes as a result of the regulation, companies should begin taking steps to comply sooner rather than later.
Are We Subject To The GDPR?
If you are established in the EU or process personal data about EU residents in relation to the offering of goods or services to them, irrespective of whether connected to a payment or not, or to the monitoring of the behaviour of EU residents, then the GDPR will likely apply to you.
In addition, if you process personal data on behalf of a company that "controls" the data and is subject to the GDPR, then you will also need to consider how the GDPR will apply to your activities.
What Are The Risks?
Fines under the GDPR could be as high as 5% of your global net annual turnover or €100 million. Annual worldwide turnover will likely be based on group-wide turnover.
How Can We Prepare?
Based on the current text of the GDPR, there are a range of activities that you may wish to consider now to prepare for its anticipated adoption.
1. Determine whether you do business with European customers, employees, or other individuals, or could otherwise become subject to the GDPR.
2. Consider appointing a company data protection officer or a representative in the EU.
3. Analyze how you currently handle personal data and what the data flows look like, and then create a detailed data inventory.
4. Review your privacy notices and identify any missing details that may be required under the GDPR.
5. Create a procedure for implementing the upcoming data privacy impact assessment required under the GDPR.
6. Develop a data breach response policy and designate responsible individuals.
7. Review the data protection clauses in your contracts and determine whether changes or additional agreements are required.
The GDPR will likely impose new requirements on data processing agreements, such as that they describe the subject-matter, purposes and duration of the data processing, and contain specific audit clauses and obligations to assist the data controller in ensuring compliance with its own data protection obligations.
8. Evaluate whether your IT systems have sufficient tracking capabilities to produce detailed information in response to data subject requests, such as about the sources, uses, and disclosures of personal data.