February 9, 2023

Volume XIII, Number 40


100 Days Until GDPR … Are You Ready?

What Is GDPR?

The EU General Data Protection Regulation (GDPR)—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Organizations expected to comply include those located within the EU; those that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.

Notification Requirements under GDPR

Among the new expectations for companies under GDPR is accelerated notification timing to the supervisory authority and to affected data subjects—within 72 hours of first becoming aware of the breach. The chart below outlines these requirements:

[Chart: GDPR breach notification requirements (image not reproduced)]

Under GDPR, potential consequences for non-compliance with these notification requirements not only include hefty financial fines—up to €10 million or up to 2 percent of the total worldwide turnover of the preceding year—but also potentially significant impacts to brand reputation over the long term.

What Can Companies Do to Get Ready?

Gartner predicts only 50 percent of companies impacted by GDPR will be compliant by the end of 2018. So, what can organizations do to get ready?

Focus on Breach Prevention

  • Identify, assess and amend existing technical and organizational security measures (GDPR Article 32)
  • Review cyber insurance policies to ensure they sufficiently cover the costs of a data breach
  • For third-party vendors/processors:
    • Implement/amend existing due diligence procedures to cover data protection/security
    • Check existing contractual terms and incorporate new mandatory GDPR requirements, including specification of the mandatory breach-reporting obligation and specific security measures

Review and Enhance Your Plans

  • Review and update existing incident response and crisis communications plans to ensure they account for GDPR requirements
  • Develop protocols and processes to meet the 72-hour notification requirement

Educate and Equip Employees

  • Conduct Board training/education session
  • Inform, train and educate employees about the new regulations and impacts on data handling and breach notification

Test and Train the Team

  • Pressure test GDPR-related response protocols through a simulated exercise
  • Incorporate participation from core incident response team members, leaders and subject-matter experts from EU markets, and external partners (e.g., legal counsel, IT/forensics firm, crisis communications partner, notification mailing, call center and credit monitoring)
  • Identify gaps and update/enhance incident response plans to address
© 2023 Vedder Price

National Law Review, Volume VIII, Number 59

About this Author

Jonathan Maude, Labor and Employment Law Attorney, Vedder Price Law Firm

Jonathan Maude is a Partner at Vedder Price and a member of the Labor and Employment group in the firm’s London office.

Mr. Maude is an experienced and well-respected practitioner working in labor and employment law. He regularly advises across the full spectrum of employment law-related issues in the contentious and noncontentious spheres with a particular emphasis on advising corporate clients on complex strategic human resource-related matters.

Jonathan Maude's practice can be broadly broken down into the two areas...

+44 (0)20 3667 2860