October 17, 2019

Getting Ready for GDPR Compliance in the New Year

As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.

We have written previously in this space about the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track for GDPR compliance:

  • Data Protection Officer: If your company is processing a significant volume of data or processing “sensitive data,” you may be required to appoint a data protection officer (DPO) to monitor GDPR compliance. The regulations do not require the DPO to be a unique, stand-alone position, but if your company is required to have a DPO and does not already have someone in-house with the ability and willingness to take on that role, it may be necessary to make a new hire.

  • Consent issues: The GDPR expressly states that prechecked opt-in boxes are not adequate to establish consent. Thus, companies relying on prechecked boxes need to adjust their efforts to obtain consumer consent. Additionally, affected businesses need to have protocols in place that give customers the ability to transfer their data to another company upon request and the right to have it erased. These are foreign concepts to many U.S. companies and may require significant modifications to your systems and procedures. Accordingly, this is an issue that should be addressed now, before a business receives a consumer request.

  • Appropriate technical and organizational measures: There is no express set of requirements to meet the standard of “appropriate technical and organizational measures” under the GDPR, but regulators will look at things like encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures in place for ensuring the security of the processing. Now is the time for companies to assess the adequacy of their data protection mechanisms.

  • Breach notification procedures: It is important to have a system in place to provide data breach notifications promptly and efficiently. The GDPR requires disclosure to regulators within 72 hours and notice to affected customers without unreasonable delay. Businesses covered by the GDPR can ill afford to be developing data breach response protocols and strategy after an incident has already occurred.

  • Ongoing assessment: The GDPR requires having a system in place to conduct privacy impact assessments and compliance reviews on a regular basis. Thus, affected companies that have not implemented such mechanisms should have a plan for doing so before May 25, 2018.

© 2019 Vedder Price


About this Author

Blaine C. Kimrey, media defense Litigation, Vedder Price Law Firm Chicago Office

Blaine C. Kimrey is a Shareholder in the Litigation practice area in the firm’s Chicago office.

A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property,...

312-609 7865

Bryan Clark Media & Privacy Law litigation Vedder Price Law Firm Chicago

Bryan Clark is an Associate at Vedder Price and a member of the Litigation group in the firm’s Chicago office. He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.

Mr. Clark’s other representative work includes drafting successful dispositive motions in right of publicity and invasion of privacy cases, arguing successful motions to quash on behalf of media entities facing subpoenas, defeating motions for preliminary injunction in intellectual property litigation, and advising advertising and marketing clients on compliance issues. He presents on issues related to digital privacy and data breach before a national audience, such as the ABA Annual Meeting in 2013.

Mr. Clark is a member of the Trial Bar for the Northern District of Illinois and has first-chair trial experience in federal court. As a litigator, Mr. Clark has been involved in a broad range of matters in addition to media and privacy, including topics as diverse as loan enforcement and foreclosure, consumer fraud, environmental, construction, and insurance law. He also has handled a variety of pro bono engagements, including work for nonprofit media entities, representation of an Illinois prisoner with multiple sclerosis, and Section 1983 civil rights litigation.

312-609 7810