EUROPE: Top 5 takeaways on how to get ready for the European Privacy Regulation

How to get ready for the GDPR right now? This was the topic of the seminar arranged to celebrate the one year deadline from the effective date of the EU Privacy Regulation. 

As previously mentioned, the Italian DLA Piper privacy team arranged a privacy breakfast in order to give practical tips to companies on what shall be done to be prepared for the 25th of May 2018 that is now only in one year time.

Below are our top five takeaways and we hope you will find them interesting:

1. GDPR compliant privacy information notice and consents cannot wait

As provided by the recent guidelines of the Italian privacy authority, data protection regulators expect that on the 25th of May 2018 companies already have in place a privacy information notice compliant with the European General Data Protection Regulation and have obtained the required consents.

This step not only requires to put in place a “transitional” privacy information notice, but also to implement technical changes in order to, among others, manage

  1. the deletion of personal data on the expiry of the storage period,
  2. the data portability right and
  3. the new consents to be requested.

2. A data governance system is a “must-have”

The GDPR requires to have a full control of processed data. This can be achieved through the combination of organisational measures and technical tools. A data governance system able to map at any time data in information systems is necessary as otherwise for instance

  1. the record of processing activities cannot be up-to-date,
  2. the storage period of each category of data cannot be monitored and
  3. the exercise of the data portability right risks to be lead to the loss of valuable know-how and assets.

3. The data portability right requires an ad hoc procedure and technical functionalities

The data portability right is definitely the most interesting change introduced by the GDPR. Its management requires

  1. not only to decide how data shall be ported to a third parties, but also
  2. tools to identify which data shall be ported,
  3. organisational measures to obtain the approval by the data subject and
  4. when data is received from a third party solutions to assess which ported data can be retained.

4. Internal technical and organisational checks need to reach a higher level

In a number of companies personal data of customers is accessible to a large number of employees with no major technical restriction to the usage of such data and internal organisational checks on data processing activities are just formalities often ignored.

With the GDPR, the accountability principle requires a major change to privacy compliance which implies

  1. a more detailed review of the profiles of access to personal data;
  2. the implementation of technical solutions to identify potential misuses of personal data; and
  3. a reorganisation of the individuals appointed internally to monitor data protection compliance. The matter cannot be fully delegated to the DPO who also needs to be in a position of independence to be able to perform his activity in compliance with the strict requirements of the GDPR.

5. Checks need to be extended to external suppliers

It is interesting that also very large companies do not have a list of all their external suppliers and the checks performed on them are either only security related or if privacy checks are run these are merely formal.

On the contrary, internal procedures shall be put in place in order to

  1. create a list of all the external suppliers and ensure that they all entered into a GDPR compliant data processing agreement;
  2. run checks on external supplies by means of a checklist at the time of the execution of the contract and during its life;
  3. perform random audits on them and
  4. depending on the specific circumstances of the case, perform also privacy specific trainings to their benefit.

What is your view on the points above? We would be happy to discuss!