GDPR Operational Compliance: Don’t Stop at Updating Your Website Privacy Notice

Europe’s General Data Protection Regulation (“GDPR”) is much more than a reminder to update your organization’s website privacy notice. While an updated privacy notice is one of the more public-facing steps an organization can take to comply with the GDPR, the majority of fines lodged by regulators under the GDPR relate to organizations’ operations unrelated to their privacy policy. Below are just a few steps you should be taking to become compliant.

  1. Adopt Appropriate Security Measures: The GDPR requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to individuals by the organization’s processing of their personal data. This is a flexible standard, and while no specific measure is strictly prescribed by the GDPR, hundreds of organizations have already been fined for failing to implement appropriate security measures. For instance, sanctions have been imposed for failing to encrypt personal data, failing to train employees on data security, failing to conduct risk assessments, and even inadvertent disclosures due to human error.
  2. Ensure There Is a ‘Lawful Basis’ for Processing Personal Data: There are six, and only six, justifications (each called a “lawful basis”) for processing personal data under the GDPR. If a processing activity does not have an appropriate lawful basis, it violates the GDPR. Selecting the appropriate lawful basis requires diligence and a thorough understanding of the standards set by the GDPR. For example, “consent” (a lawful basis) under the GDPR must be freely given, specific, informed, and unambiguous.
  3. Ensure Any Transfer of Personal Data Out of Europe Is Subject to an Appropriate Safeguard Mechanism: The GDPR restricts personal data from being transferred out of Europe and/or transferred onward to a third country unless very specific conditions apply. If an organization is processing EU personal information in another country, it needs to ensure that such transfer is done consistent with the GDPR.
  4. Maintain an Up-To-Date Record of Processing: There are very few black letter requirements of the GDPR, but this is one of them. Any organization processing personal data subject to the GDPR is required to maintain an updated written record of its processing activities. The GDPR requires specific details to be included in such records, depending on whether you are a ‘controller’ or ‘processor’ for the personal information.
  5. Adopt Data Processing Agreements (DPA) with Third-Party Processors: Another black letter requirement of the GDPR is for processors to be governed by a contract with the data controller that specifies the scope of their authority to process personal data and contractually binds the processor to other requirements under the GDPR. Accordingly, it is important for organizations subject to the GDPR to ensure that they have appropriate written agreements in place with any third party that will process EU personal data on their behalf.
  6. Conduct and Document a Data Protection Impact Assessment (DPIA): If a processing activity is likely to result in a “high risk” to the rights and freedoms of individuals or otherwise involves systematic or large scale use of sensitive data, controllers are required, before engaging in the new processing activity, to conduct an assessment of those risks and of the safeguards, security measures, and mechanisms available to ensure the protection of personal data and to demonstrate compliance with the GDPR. It may be helpful for organizations considering a new processing activity to analyze the activity using a questionnaire or survey to uncover the risks and remedies that exist. This will help justify why a DPIA was or was not conducted. If your organization handles a lot of personal data, uses new technologies to process data, handles highly sensitive data, or may be handling personal data in a risky way under the GDPR, you should look into whether a DPIA is necessary.
  7. Breach Response Plan: The GDPR requires data controllers to notify the appropriate supervisory authority of personal data breaches without undue delay and generally within 72 hours of becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In addition, data controllers may be required to notify affected individuals of a personal data breach without undue delay if such breach is likely to result in a high risk to their rights and freedoms. Data processors are required to notify data controllers of personal data breaches without undue delay under the GDPR. There is specific information that must be included in these notices under Article 33. Because of the specificity of the breach notification requirements as well as the timing, organizations must have a clear breach notification plan that is widely communicated within the organization to ensure that possible breaches are quickly brought to the attention of the appropriate contact at the organization who can investigate and notify when appropriate.
  8. Have a Process To Respond to Requests To Exercise Rights: The GDPR provides individuals with the ability to exercise certain rights regarding their personal information and obligates organizations to respond to such requests in certain situations within a certain time period, in some cases as early as within one month. It is crucial, then, that organizations have well-defined procedures in place to respond to such requests in a timely manner, and that a person or team is accountable for overseeing such responses.
  9. Data Retention Policy: Data minimization is a cornerstone of the GDPR. Organizations should adopt data retention policies that reflect the GDPR principle that personal information only be kept when it is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Adopting a written data retention policy that is followed can help demonstrate compliance with this principle.

To date, out of the total of €256,909,340 in fines assessed by regulators as a result of 469 violations under the GDPR, €63,782,532 were assessed in connection with 112 violations where organizations failed to adopt sufficient technical and organizational measures to ensure information security, and €146,975,948 were assessed in connection with 189 violations where organizations were found to have an insufficient legal basis for data processing. Hence, the pattern we are seeing from European regulators strongly suggests that, while updating a privacy policy is an important first step, stopping there won’t insulate your company from scrutiny or possible fines. Indeed, the pattern of fines assessed for GDPR violations to date suggests that the better way to avoid violations and fines is for organizations to adopt robust security measures and to properly assess and limit their use of personal information to only those processing activities that have an appropriate lawful basis.