Ten practical steps companies should take to implement GDPR

6) Review data subject information and consent notices

Existing privacy notices need to be updated. New notices must explain the legal basis for data processing, disclose retention periods, and state that individuals may complain to the DPA if they believe there is a problem with the way the company handles their data. This information must be provided in concise, clear and easy to understand language.

7) Implement internal processes to handle data subject requests

Under the GDPR, data subjects will have enhanced rights and may request to:

• Access their data;
• Have inaccuracies corrected;
• Have information erased (right to be forgotten);
• Benefit from data portability: this new right requires companies to provide the data of individuals who request it electronically and in a commonly used format.

Companies should check if internal procedures cover all these rights, including how to handle such requests.

8) Renegotiate / review contracts

To implement GDPR, companies should ensure data processing agreements refer to the processor’s new liability obligations and contain an obligation for the processor to notify the data controller in the event of a data breach.

9) Make sure you’ve got data breach response plans in place

Companies need to notify the relevant DPA of data breaches within 72 hours, and to notify affected individuals if the breach impacts their rights and freedoms. Companies must make sure there are breach response plans in place to detect, report and investigate data breaches.

10) Address the issue of international data transfers

Companies which transfer data outside the EU will continue to need protective safeguards in place. For countries which do not provide an adequate level of protection under the GDPR, companies must use methods such as Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules, consent or codes of conduct. Existing safeguards may need to be updated or implemented.

If a company operates internationally, it must also determine which DPA has primary jurisdiction.

Sarah Delon-Bouquet is counsel in the Paris office of international law firm Bryan Cave; David Zetoony is a partner and David Chen is an associate in the Boulder office of the firm.