Get ready for GDPR compliance. Our firm has created this European Union Privacy Law - General Data Protection Regulation Checklist to jumpstart the process. Contact @gamallp or Christina Gagnier at gagnier@gamallp.com to learn more.
European Union Privacy Law - General Data Protection Regulation Checklist
224 Townsend Street
San Francisco, CA 94107
T: 415.795.1572
F: 909.972.1639
gamallp.com
RE: European Union General Data Protection Regulation (GDPR) Checklist
Greetings,
Our firm has prepared an overview of the General Data Protection Regulation that was approved by the European Commission in April 2016. As of today’s date, this regulation has yet to go into effect, but companies will have to be in full compliance by 2018.
As our firm gets further information about the approval and implementation of this regulatory regime, an update to the EU Data Privacy Directive of 1995, our firm is ready to work with your company to execute the proper procedures for compliance.
The GDPR imposes enhanced requirements on all businesses operating in the EU, which includes those processing personal data in the EU and transferring data from the EU. It aims to create a more consistent data protection regime, while providing EU citizens better control over the use of their information by creating new rights.
The following is a checklist of items that serves as a guideline for what companies have to do before 2018 to ensure GDPR compliance. Gagnier Margossian LLP is advising its current and potential clients to begin this compliance implementation alongside compliance with other legal changes in the European Union in the wake of the Schrems decision in October 2015 and the prospective EU-U.S. Privacy Shield program (yet to be approved and details for compliance yet to be released).
Item | Compliance Status
1. Assess the risk and identify areas that could cause compliance problems under the GDPR.
- Fines for non-compliance can be up to 20 million Euros or 4% of the company’s annual global turnover.
- Additionally, collective actions can be filed by consumer associations.
2. Make sure to document:
- The personal data the company holds/collects;
- Where the information came from;
- Where the information is stored;
- How the information is processed;
- How the information is protected; and
- With whom it is shared (annual audits are now a necessity for recordkeeping).
3. Maintain detailed records of the processing performed on personal data. This must include:
- Determining the types of data processing being carried out;
- Identifying the basis for carrying it out; and
- Documenting the basis.
- The company will have to explain its legal basis for processing data in its privacy notice and when it responds to a subject access request.
4. Evaluate the company’s policies and procedures to ensure they take into account all the rights individuals have under the GDPR, including the:
- Right to access information;
- Right to correct inaccuracies;
- Right to have information erased (the right to be forgotten) without undue delay; and
- Right to withdraw consent at any time, which must be an easy-to-access process.
5. Companies must also:
- Prevent direct marketing;
- Prevent automated decision-making and profiling; and
- Provide data electronically and in a commonly used format (data portability).
6. Draft or revise security policies, which should include implementing appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. Security actions may include:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
- The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- NOTE: Controllers or processors that adhere to either an approved code of conduct or an approved certification mechanism can use these tools to demonstrate compliance with the GDPR’s security standards.
7. Ensure procedures are in place to continually monitor compliance with these policies, including the security policies, prior to, during and after processing of personal data.
- Additionally, perform a gap assessment and consider participation in certification programs.
8. Before collecting personal data, the company must disclose:
- The identity of the controller;
- The purposes for processing;
- Any recipients of personal data; and
- How long the data will be stored.
- Disclosures must be intelligible and easily accessible, using clear and plain language.
9. Additionally, the company must inform data subjects of their:
- Right to withdraw consent at any time;
- Right to request access, rectification or restriction of processing; and
- Right to lodge a complaint with a supervisory authority.
10. Review how the company is seeking, obtaining and recording consent. The company must comply with the following requirements.
- Consent must be “freely given, specific, informed and unambiguous (opt in),” or, under the higher standard, explicit. This should include assessing whether the company’s audit trail for such consent is effective and whether any changes need to be made. Consent must be referenced in the company Privacy Policy.
  o Consent is not freely given if there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.
  o Additionally, the controller cannot make a service conditional upon consent, unless the processing is necessary for the service.
- To show consent, the data subject must signal agreement by “a statement or clear affirmative action.”
- Consent must be specific to each data processing operation.
- Data subjects must be informed about their right to withdraw consent at any time, before they give their consent.
- The controller must provide “accurate and full information on all relevant issues,” including the nature of the data that will be processed, the purposes of processing, the identity of the controller and the identity of any other recipients of the data.
- Your company’s customers should explicitly reference use of your company’s platform and technologies in their policies. This is a reliable means to put the public on notice and ensure consent at this juncture.
11. Review current privacy notices and make necessary changes to include the additional communication requirements to individuals on:
- The legal basis for processing data;
- The data retention periods; and
- The individual’s right to complain if the individual believes the data is being mishandled.
12. Update the company’s procedures and/or amend retention policies if necessary to comply with GDPR requirements, including:
- Privacy policies that are easily accessible, written in clear and plain language, and include full disclosure of your data collection and processing;
- Disclosure of data retention policies;
- Responding to access requests within a month; and
- Allowing individuals to correct inaccurate information about them.
13. The company should conduct a thorough data privacy impact assessment where data processing operations may lead to high risks to data subjects’ personal data.
- The company should refer to and implement the provisions of the Information Commissioner’s Office’s guidance on Privacy Impact Assessments.
14. Ensure the company has proper procedures in place to detect, report and investigate a data breach in which individuals are likely to suffer some form of
damage. To comply with this requirement, the company should do the following:
- Assess the types of data the company holds;
- Document which type of data would trigger notice if there was a breach; and
- Develop appropriate policies and procedures.
15. The company must comply with the following notification requirements when a breach occurs:
- If a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.
- If a breach occurs, the company (controller) is required to notify privacy regulators of the data breach within seventy-two (72) hours after the breach is discovered.
  o If notification is not made within seventy-two (72) hours, the controller must provide a “reasoned justification” for the delay.
  o There is an exception to the supervisory authority notification requirement that states notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
- When notifying the supervisory authority, the notification must:
  • Describe the nature of the personal data breach, including the number and categories of data subjects and data records affected;
  • Provide the data protection officer’s contact information;
  • Describe the likely consequences of the personal data breach; and
  • Describe how the controller proposes to address the breach, including any mitigation efforts.
16. Data subjects will also need to be notified “without undue delay” where a breach poses a high risk to the data subject’s rights and freedoms. However, there is an exception to the requirement to notify data subjects in the following circumstances:
  o The controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as
encryption;”
  o The controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or
  o When notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.
17. Limit data collection to the minimum necessary (data minimization) and adopt a “privacy by design” approach to projects, which promotes privacy and data protection compliance from the beginning.
- Ensure the company collects the minimum amount of personal data necessary for the proper performance of the products and services.
18. Controllers and Processors of personal information must designate a Data Protection Officer (DPO) when:
- The processing is carried out by a public authority or body; or
- The controller’s or processor’s core activities require regular and systematic monitoring of data subjects on a large scale or consist of “processing on a large scale of special categories of data.”
19. The DPO must be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.”
The DPO must have the authority and independence to inform the company of its obligations under GDPR, and must have the ability to fulfill the tasks designated, such as regulatory compliance, training staff on proper data handling and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.
The DPO also needs to monitor compliance and conduct internal audits.
The DPO will be the company’s point of contact for data subjects’ inquiries, withdrawals of consent, right to be forgotten requests and other related rights.
NOTE: Our law firm will be providing these services to companies.
20. Consider putting systems in place to verify individuals’ ages and to gather
parental or guardian consent for any data processing activity involving children under thirteen (13) years of age. If such information is involved, the privacy notice will need to be drafted in a manner understandable by children.
21. Review Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs) for trans-Atlantic data flows for compliance with the new requirements of the GDPR.
Draft addendums to SCCs and other contracts as necessary to address the onward transfer restrictions, which include ensuring that downstream entities comply with limitations on purpose and meet all the requirements, including remediating any unauthorized processing by the downstream entity.
Contact Gagnier Margossian today to discuss how we can help with your international privacy compliance.
Christina Gagnier
Managing Partner, Internet, Intellectual Property & Technology
gagnier@gamallp.com
909.493.6447