General Data Protection Regulation (GDPR) has been on the minds of business owners and featured in almost all the business and technology publications on the web. If GDPR affects you, your company needs to be in compliance by May 25th, 2018.
One method companies are using to become compliant quickly is scanning documents en masse, so that their documents are secure and so they can respond to subject access requests made under GDPR. But GDPR can be highly complex legislation that businesses find difficult to comply with. By not complying with the legislation, businesses risk losing major contracts when they are unable to provide appropriate due diligence documentation, or receiving significant fines from the ICO in the event of an avoidable data breach. Fortunately for many companies, there are GDPR implementation consultants who can protect your business from the dangers of non-compliance and identify the greatest risks of this legislation for your company.
Paradigm Technology, Polsinelli and Informatica are collaborating to address these issues and help your organization prepare. We sat down with Mr. Jarno Vanto for an interview regarding GDPR.
Guest Introduction:
Mr. Jarno J. Vanto is a shareholder at Polsinelli PC. For the past 15 years he has counseled clients in many industries on compliance with data privacy laws and has built company-wide privacy programs for clients, working together with the client engineering teams. In addition to his law practice, he has authored treatises on the EU Data Protection Directive, the predecessor of the GDPR.
Mr. Vanto, what does the regulator expect organizations to achieve by May 2018?
- “That organizations have identified and mapped the personal data they process, built the processes required by the GDPR, such as those relating to data protection impact assessments and data subject rights, and included all GDPR-required elements into their legal documentation such as privacy policies and vendor agreements”.
If an organization has yet to start or is just starting its GDPR program, what should it focus on first?
- “Identify what personal data you have, where it is stored and accessed, which third parties have access to it, then make sure, in particular if you are a US organization, that you can legally move the data to the US for example by means of the Privacy Shield, and then focus on your privacy policies and vendor agreements. If you are a vendor, focus on creating an acceptable data processing document for your customers, and ensure that your organization can meet the requirements imposed on data processors under the GDPR”.
Who is the best person to appoint as DPO?
- “Ideally someone that has a combination of legal and technical understanding, and who has experience with the predecessor of the GDPR, the EU Data Protection Directive”.
What if an organization has not or does not capture the age of a subject?
- “The age limit for the collection of personal data in connection with “information society services” such as apps and websites is by default set at 16 in the GDPR. EU Member States may go as low as 13. If age is not captured by an online service, and the service is not clearly targeting children, it is good to keep an eye on signals that the user base may be on the younger side and clearly state in the service terms and the privacy policy that the service is not intended for users below the age of 16”.
If Right To Be Forgotten or “RTBF” is physically impossible, or economically infeasible, how should an organization handle this situation?
- “RTBF is an unqualified right so economic infeasibility as an argument against it is likely going to fall on deaf ears. That said, RTBF does not apply in all cases. It applies when the data is no longer needed for the purposes for which it was collected, when data was collected based on consent and the person withdraws their consent, or personal data is processed based on “legitimate interest” of your organization or the data is processed for direct marketing purposes and the person in question opposes such processing, or the personal data relates to a child under the age of 16, or the data was unlawfully collected to begin with. This leaves many situations out there in which RTBF does not apply”.
If a US company just uses an EU processor, does it still need to comply?
- “This is a fact-specific inquiry but generally if the processor is used to support the US business (and not for example a US company’s European affiliate’s business), the processor needs to comply with the GDPR but not the US company, unless it is otherwise captured by the GDPR”.
If no data is transferred outside of the EU, what are the portability requirements or BCRs?
- “If no data leaves the EU (for example through an HR database or an intranet site), which is the case very rarely for international companies or online consumer businesses, then no further measures are required. Careful mapping of data is required to determine whether “transfers” occur”.
How will the regulator identify and prioritize organizations to audit?
- “Enforcement priorities have not been made public but if history is any guide here, consumer businesses and regulated industries such as finance and healthcare with large personal data sets like those required for sensitivity analysis will probably experience enforcement activity”. Though I believe the areas of finance and healthcare have already taken GDPR into account.
If a data breach occurs, or a data request cannot be handled sufficiently, will that be grounds for a fine?
- “Yes”.
Paradigm Technology is co-hosting a joint webinar answering your GDPR questions and concerns with Mr. Jarno Vanto from Polsinelli and Informatica.
To join the GDPR Webinar on March 29th at 10am CST/11am EST, register here.
About the Authors:
- Mohit Sahgal is the VP of Analytics of Paradigm Technology. He is an accomplished senior executive with decades of management consulting expertise. Mohit has held various leadership positions including Senior Executive at Accenture, Partner at IBM, Partner at Capco, and Executive Director at Ernst & Young LLP. Mr. Sahgal is also a published writer, having provided articles on information management to industry journals like American Banker, Information Management, and BI Review.
Mr. Sahgal’s LinkedIn profile can be found here.
- Frank Golda is the Manager of Marketing and Communication for Paradigm Technology. For over six years he has partnered with CEOs, executives and entrepreneurs to expand their influence and professional brands.
Mr. Golda’s LinkedIn profile can be found here.
Paradigm Technology is a strategic consulting company serving the banking, airline, manufacturing, high-tech and retail marketplaces. We utilize innovative business and technology solutions to help clients enable their digital transformation programs, and improve their Analytics, Cloud, Master Data Management, and Project Leadership solution delivery. Paradigm is ready to support you in your GDPR compliance journey. For more information about Paradigm Technology and GDPR, email [email protected] or visit us at www.pt-corp.com.
Polsinelli is an Am Law 100 firm with more than 800 attorneys in 20 offices. Ranked #24 for Client Service Excellence and #10 for best client relationships among 650 U.S. law firms, Polsinelli was also named among the top 20 best-known firms in the nation. The firm’s attorneys provide value through practical legal counsel infused with business insight, and focus on health care, financial services, real estate, intellectual property, mid-market corporate, labor and employment, and business litigation. For more information about Polsinelli and GDPR, visit us at www.polsinelli.com.