Last week, I attended a Lighthouse panel entitled "Positioning Yourself as a Trusted Advisor around GDPR" at the London NYC hotel during Legaltech NY 2018. This session had, in my opinion, the most relevant and practical information for corporations, law firms, and legal practitioners. The three panelists (Andrew Haslam of Squire Patton Boggs, Robert Owens of Eversheds Sutherland, and Wayne Matus of UBS AG) provided detailed information around the GDPR and presented a checklist for anyone dealing with foreign data. I have done my best to abbreviate their thoughts and add my own two cents below.
The GDPR Checklist
- Do a data map, now! Know which of your systems and vendors hold personal data of EU residents, where that data physically resides, and how it flows between them. This will save you a fortune down the road. Be proactive instead of reactive.
- Identify third parties with access to or control of your personal data. Under the GDPR, anyone processing that data on your behalf is a processor and must be bound by a written contract that sets out what they may do with it; a vendor you cannot name on your data map is a vendor you cannot contract with properly.
- Take an inventory of the EU jurisdictions in which you have, or could have, a main establishment. That choice determines which supervisory authority becomes your lead regulator, so make it deliberately.
- Consider whether you are obligated to appoint a Data Protection Officer (DPO). Under the GDPR this is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. If you are, appoint one quickly (as an internal or external resource).
- You must have a lawful basis to process personal data; consent is only one of the six bases the GDPR recognises. For ediscovery, that requires re-evaluating the lawful basis for each step: preservation, collection, search, review, and production. In addition, you must have an appropriate mechanism for transferring data out of the EU (an adequacy decision, standard contractual clauses, binding corporate rules, or one of the narrow derogations). Lawful basis and transfer mechanism are separate requirements; satisfying one does not satisfy the other.
- If you are a data controller, inform data subjects, at the time their data is collected and in plain language, of how it will be processed and of their rights with respect to it (access, rectification, erasure, restriction, portability, and objection).
- Subject Access Requests are often described as the GDPR analogue of a US Freedom of Information Act request, with the difference that they are directed at the organisation holding an individual's personal data rather than at a government agency. They are often used as "back-door" discovery/disclosure. You must respond without undue delay and in any event within one month (extendable by up to two further months for complex or numerous requests), so know how you will locate, review, and redact the data, and be prepared.
- Know that any new technology or process likely to result in a high risk to individuals (large-scale profiling, systematic monitoring, new uses of sensitive data) requires a Data Protection Impact Assessment (DPIA) before processing starts. In practice, every onboarding should include at least a screening step that decides whether a full DPIA is needed.
- You have 72 hours from becoming aware of a personal data breach to notify the supervisory authority, unless the breach is unlikely to result in a risk to individuals; where the risk is high, affected data subjects must also be told without undue delay. What does your breach notification look like, who decides to send it, and who signs off? Have the template and the decision process prepared before you need them.
- Start training your employees on how to handle EU personal data and develop a long-term program; a one-off session before May 2018 will not be enough.
- In the EU, pick your lead supervisory authority. The lead authority is the one for the member state where your main establishment sits, so the decision is really where to locate that establishment. Regulators differ in resources, enforcement posture, and published guidance, so spend some time and shop around.
- Get cyber insurance, now.
- If you collect data, be incredibly open and transparent with the data subject. State what you will and will not do with the data (e.g. "if you buy a light bulb today, we will email you in a year to see if you need a replacement, and we will share your information with a third party that sells chandeliers"). The message here has NO ambiguity.
Ensure you have a plan and policy in place so that when regulators act you are not caught by surprise. For more information on this checklist, or to further discuss the challenges of GDPR, please reach out to me at firstname.lastname@example.org.