Seven Steps to Ensuring Your and Your Law Firm Partners' GDPR Compliance
June 19, 2018 at 11:25 AM
The General Data Protection Regulation (GDPR) went into effect on May 25 and with it, the European Union (EU) Parliament has set an impressively high standard for data privacy with the new rule. GDPR introduces potentially costly penalties for noncompliance. These include fines of up to €20 million or 4 percent of an organization's annual revenue, whichever is greater.
Despite GDPR's potential implications, 40 percent of law firms recently surveyed by Wolters Kluwer's ELM Solutions said they do not have a specific GDPR compliance plan or process in place to protect customer and employee data. Only 39 percent of these firms said they felt prepared to address the regulation by the effective date of May 25.
Those are important stats for corporate legal departments to know. Outside law firms serve as a valued partner of the corporate legal department at almost every company, and these firms typically have access to some of a company's most sensitive data. This access includes personally identifiable information covered under the GDPR regulation. While an organization's general counsel may have more direct responsibility for GDPR compliance, he or she also needs to be aware of, and prepared to manage, the innate risks that accompany outside legal work.
From my experience talking with general counsel and in-house attorneys, a lack of people, technology solutions, and budget often presents the biggest obstacle to managing compliance with data privacy and security guidelines. Knowing how to address this issue can be overwhelming. These seven simple steps will help ensure that corporate legal departments, as well as the law firms and other third parties they do business with, can meet GDPR requirements:
- Assess Current Capabilities
Corporate legal departments are required to ensure the accuracy of the customers' and employees' personally identifiable information that they and their law firm partners control. This responsibility means taking stock of such information to ensure it is current, accurate, and protected. Corporate legal departments must also examine their own and their law firm partners' processes for maintaining data integrity and for responding to data subjects' requests to access or correct their own personally identifiable information or “to be forgotten.”
- Assign a Data Protection Officer (DPO)
Accountability is an important focus of GDPR. Some organizations (defined within the regulation's articles) are required to appoint a DPO, who is responsible for maintaining primary oversight of data processing activities. The DPO ensures that information requests from EU residents are handled promptly and within GDPR requirements.
- Review Data Monitoring Processes
While GDPR does not specify that particular technology solutions must be used, organizations must continuously monitor and control the integrity of data. Third-party entities are also responsible for securing, monitoring and controlling data. Corporate legal departments must ensure that law firms and other legal service providers adhere to the same stringent standards that the departments themselves practice, and share a commitment to using the appropriate tools and processes for data protection. This is not a “check the box” procedure; corporate legal departments must verify and agree with all the specific processes and tools vendors have in place to protect personally identifiable information.
- Implement High Data Encryption Standards
GDPR requires an organization to take appropriate technical and organizational measures to protect personally identifiable information. It is a best practice for corporate legal departments to encrypt this data whenever and wherever possible—certainly within databases and email communications, but also in any applications employees use. The good news is that our survey found 72 percent of organizations had or plan to invest in cybersecurity technology to address GDPR.
In addition, before transmitting any customer or employee personally identifiable information beyond the EU, corporate legal departments should enter EU-approved contractual clauses with their vendors. This is an important point for U.S.-based departments that might be doing business with law firms or other legal service providers in the EU.
- Practice Proper Data Management Hygiene
GDPR states that sensitive customer and employee information shall not be kept for longer than necessary for the purposes for which it was collected. Good data management hygiene must be practiced by corporate legal departments and law firms, discarding old information when it is no longer relevant. In addition, processes need to be in place to effectively respond when a data subject demands access to their information, or to have it corrected or erased.
- Update Vendor Contracts and Other Agreements
Corporate legal departments should carefully review any vendor contracts to ensure that they include privacy language specific to GDPR and that they address cross-border data transfer limitations if the customer or employee leaves the EU. It is also beneficial to review any End User License Agreements or Terms of Use documents and update them to address GDPR.
- Perform a Data Protection Impact Assessment
To address the requirement that law firms and other vendors are GDPR compliant, corporate legal departments should administer an electronic risk assessment questionnaire. This is a series of questions specific to an organization's data privacy policy and requirements, and should be periodically repeated. The questionnaire helps determine which firms comply and fosters an open dialog with any that still need to make changes.
The EU bills GDPR as “the most important change in data privacy regulation in 20 years.” Indeed, with the regulation, corporate legal departments and their law firm partners face an entirely new world of data management requirements. Preparing for and maintaining compliance with GDPR will undoubtedly prove challenging for many departments, particularly those within mid-market or smaller organizations that may not be currently equipped to handle GDPR's rigorous requirements. But these seven actions are the first steps for companies to help themselves and their outside counsel tackle the challenge in the most efficient and compliant way possible.
Barry Ader is vice president of product management and marketing at Wolters Kluwer's ELM Solutions.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.