What In-House Counsel Are Doing to Prepare for the GDPR
The EU's General Data Protection Regulation is set to go into effect in May 2018. How are legal departments preparing?
October 17, 2017 at 12:27 PM
5 minute read
With the European Union's General Data Protection Regulation set to go into effect in less than a year, companies and in-house counsel have been considering the implications–and the massive potential fines—for some time now.
But with the May 2018 date looming, what are legal departments doing to prepare? At the Association of Corporate Counsel's annual meeting, in-house counsel offered some of their strategies used to get ready for GDPR requirements.
|Privacy Impact Assessments
Privacy impact assessments (PIAs) are required under the GDPR in certain situations, and this process essentially describes where data is, what it's used for and in what context. PIAs are required when a processing operation could pose a high risk to individuals, and should identify processing operations, analyze risks, review whether processing is in compliance and outline measures that are thought to address any risks.
One resource for in-house counsel when dealing with uncertainties is regulators, who can provide guidance on PIAs and the GDPR, in general, according to panelist Lisa Zolidis, privacy counsel for the Americas region at Dell Inc. “As you're coming up with different ways to tackle different parts of the GDPR, one way to test these potential best practices is to get a meeting with the data protection authority and to walk them through [those],” she said.
“And it might be a situation, [and] there have been situations recently, where the data protection authorities are just now learning the practical effects of some of the overarching directions in the GDPR,” she added. “And in talking that through … they are able to then maybe have a learning opportunity, or maybe give some additional guidance.”
One challenge for in-house counsel when it comes to PIAs is in addressing risks while not slowing down the business, said panelist Whitney McCollum, VP and assistant general counsel of data privacy and technology at global engineering design firm AECOM. It might not be well received, she said, when counsel step in to analyze risks by way of a PIA as the business is looking to launch a new product.
“The advice I've seen so far … is first, as much as you can, get on people's radar early. Get on the procurement team's radar, any of your development teams, and say, 'Look, GDPR is coming' and then scare the pants off them with the fines,” McCollum said, noting that violating GDPR obligations can result in a fine of up to 4 percent of a company's annual global turnover, or €20 million, whichever is greater.
As far as the PIA itself, McCollum said, to the extent possible, “make it simple.” Find out what data is being collected, create a simple checklist of all the possible data collected, what's the data used for, and so on, she elaborated.
For some in-house lawyers, the tools to simplify this process may already exist within the company, said panelist Laura Hamady, head of global legal privacy at PayPal Inc. “When you kind of roll up your sleeves on this project, I think you're going to find that there are many intake processes that already exist organically throughout the business.”
To simplify the process, Hamady said, “try to standardize” and “try to embed the same set of questions” across the board, when possible.
|Data Protection Officers
And in many cases, such as when processing is carried out by a public authority or when a company conducts “regular and systematic monitoring of data subjects on a large scale,” a data protection officer must be appointed. For some companies, it may be easy to say a data protection officer is required, but for a number of companies, it is fairly ambiguous.
What should a company facing uncertainty do?
Zolidis echoed her previous comment that regulators can be an excellent sounding board for in-house counsel. “This is one of those areas that if you do think that you're in a gray area and you're not sure … you may consider talking to your lead regulatory authority, your lead data protection authority, and vet it out,” she said.
“I say DPO if you can,” McCollum said. “Unless you are absolutely certain that you don't fall into these categories, then I'd assign someone to be your DPO.”
Adding to the complexity of this position is the concern that the DPO may be difficult to terminate because of certain privileges afforded to this role as well as the question of whether to keep the role in-house or to hire someone from outside the company to fill the spot.
“We don't have an external DPO … but if we did appoint one, it would be our privacy counsel, who we've been working with for a number of years,” McCollum said. “They wouldn't just be the person you shoot an email off to to get an answer. They'd be an integral part of the team.”
McCollum added: “Something to keep in mind if you're using an external firm is that there is a cost aspect of that in paying outside counsel fees, but you also get the expertise with that, and you also get their knowledge of what other companies are doing.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllNew Corporate-Transparency Laws to Require 'Mountain of Filings'
How Google Is Leveraging Data Science to Improve Legal Ops
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250