With less than one year until the entry into force of the General Data Protection Regulation (GDPR), organisations have to move fast in order to ensure compliance of their data processing activities with the new regime that will be directly applicable throughout the EU as of 25 May 2018.
The GDPR is expected to have a significant impact on how businesses process personal data, since it aims notably at establishing a modern and harmonised data protection framework across the EU, reinforcing individuals’ rights, ensuring stronger enforcement and creating new obligations for organisations, not only in the EU but worldwide, especially in terms of cyber-security.
Unlike the current regime, the GDPR follows an antitrust-type sanction regime. Fines of up to 4% of annual turnover or EUR 20 million are not only many times higher than the current administrative fines, but they also signal that data protection will need to be taken more seriously.
Companies seeking compliance with the GDPR need to identify their databases, conduct due diligence reviews in order to spot deficiencies, prepare an action plan and proceed to its implementation. Depending on the outcome of the above exercise, implementation could include, among other things, drafting or redrafting privacy policies, information notices and consent forms, conducting privacy impact assessments (PIAs) for specific databases, developing data-breach reaction plans, implementing software that provides sufficient security measures, as well as personnel training.
Our data protection practice group has conducted several exercises preparing clients from various industries (such as insurance, IT, pharma, automobile, retail) for GDPR compliance.