Sponsored Content

Just In Time For The May 25 Compliance Deadline: Bloomberg Law GDPR Practical Guidance Suite

Companies have less than a month to get up to speed and become compliant before GDPR goes into effect.

The European Union’s new General Data Protection Regulation is a massive expansion of the scope of data protection and restrictions on the use of personal information. The restrictions, alas, are not geographic: You, your company and your clients may not be in the EU, but if you do business in any of its member states, or count any of its 500 million citizens as a customer, you’re likely to be as subject to GDPR’s 99 articles as if you were sitting in Brussels itself. And those 99 articles cover a frightening range of topics, from collecting to holding to processing to transferring to overseeing to safeguarding the data you have about those citizens. Scariest of all are the potential consequences: Fines of up to 4% of annual global revenues or turnover.

Well, maybe that’s actually not the scariest: “There is a provision for private causes of action that data subjects can bring,” Mark Smith, deputy editorial director at Bloomberg Law, says. “That’s not talked about as much as the fines, but it has the potential to be a bigger problem.” Indeed, the uncertainty surrounding how each of the EU’s 28 data protection authorities will police the GDPR is yet another frightening factor: “It’s just a big question mark. What practices are the supervisory authorities going to be going after? What sorts of companies? Only the big dogs? Or are they going to make an example of some smaller companies caught off guard?”

And even that might not be the scariest thing about the GDPR. The scariest thing might be its effective date: May 25, 2018. Less than a month to get up to speed on and become compliant with those 99 articles and their universe of supporting recitals. Scarier still if you haven’t done much or anything about it.

If that sounds like your company, or even if you’ve taken some strides towards compliance, the first step is taking stock of where you are. “Performing an assessment in the final weeks should help you out,” Smith says. “It’s definitely the first thing to do, and it will help you identify where you need to focus your limited resources and limited time.” Luckily, Bloomberg Law has foreseen the preparedness predicament many companies are likely to find themselves in and prepared an array of tools for dealing with it, beginning with just such an assessment.

“We have a downloadable worksheet that lets you assess where you are and what plans you currently have in place, highlighting a number of different topics: governance, data protection officer, notice, breach, etc.,” Smith says. “You can circulate this to the top people in your organization with knowledge of your data collection practices, so you can at least get an overall assessment of where you are at risk.”

Once you’ve got a sense of where you stand vis-à-vis GDPR, you can address specific compliance measures. To that end, Bloomberg Law has rolled out a suite of checklists and tools to guide those last-minute efforts, beginning with designating a data protection officer — Smith suggests having one on the ground in the EU — and obtaining GDPR-compliant consent. The practical guidance suite also addresses your relationships with third parties and maintaining a program that will keep the regulators at bay.

There isn’t going to be a grace period after GDPR comes into effect, which means some regulator could, in theory, start calculating 4% of your global turnover on May 26. But that doesn’t mean you shouldn’t get cracking now even if you haven’t already started. “Show that you’ve taken the initiative to comply,” Smith says. “Regulators will be looking for good-faith efforts to comply.” Beginning to work one’s way through a checklist for establishing a robust GDPR compliance program surely can’t hurt.

As scary and overwhelming as beginning to live by the letter of GDPR seems, there are good reasons to do so beyond simply avoiding a gigantic regulatory fine and potential litigation from aggrieved data subjects. “It all comes down to good business practices,” Smith says. “Look at the hot water Facebook got into recently” over its carelessness with users’ private information. “That’s not good for your company or your reputation. To the extent that you are striving to abide by the purpose of the law, it’s good for business.”