[BreachExchange] GDPR Compliance: 10 Tips for Employers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 13 18:57:19 EDT 2018


https://www.jdsupra.com/legalnews/gdpr-compliance-10-tips-for-employers-22092/

An immense volume of personal data (or personally identifiable information)
is proliferating and flowing throughout the world. Personal data is an
incredibly valuable asset to companies, but data protection and privacy laws
across the world are increasingly regulating its collection and use. In
particular, the EU's General Data Protection Regulation (GDPR), which
automatically takes effect in member states on May 25, will bring
substantial new compliance requirements and potentially large fines.

It is not just organizations with an EU establishment that need to be
concerned with GDPR compliance; the GDPR has extra-territorial effect and
non-EU established organizations will also be subject to the GDPR to the
extent they process the personal data of individuals in the EU in relation
to (i) offering goods or services to those individuals in the EU, or (ii)
monitoring their behavior within the EU.

These organizations will need to evaluate their processes for handling
employee and client personal data. Below are 10 steps they should take to
ensure they are on the right track.

1. Conduct data mapping and gap analysis.

Identify categories and location of personal data, reason(s) for processing
it, how long it is retained, third parties with whom it is shared and
countries to which it is transferred.

2. Consider whether a Data Protection Officer is needed.

A Data Protection Officer (DPO) will be mandatory for some organizations,
including those carrying out monitoring or processing of ‘special category’
data (e.g. data relating to health or ethnicity) on a large scale, but all
organizations would be well advised to nominate someone with overall
responsibility for data protection.

3. Identify lawful bases for processing.

Processing will only be lawful to the extent one of the lawful bases
applies. Organizations should consider whether they can rely on consent,
processing being necessary for the performance of a contract, for
compliance with a legal obligation or the legitimate interests of the
controller (where not overridden by the interests or fundamental rights and
freedoms of the data subject). It should be borne in mind that consent
under the GDPR must be specific, informed and freely given and can be
withdrawn at any time. Employers will not be able to rely on consent to
process employee personal data.

4. Amend data protection language in contracts for EU employees.

Remove references to employee consent from contract templates for new hires
and replace with simple language referencing the privacy notice and
relevant data protection policies.

5. Review/draft privacy policies and privacy notice.

Review or draft a privacy notice for customers/clients and EU employees as
well as policies for data protection, breach notification and document
retention.

6. Review/draft addendum for third party contracts.

Identify third parties that process personal data, check that they are
aware of their obligations under the GDPR and, where necessary, update
contracts with those third-party processors to ensure that they are GDPR
compliant.

7. Ensure safeguards are in place for transfer of data out of the European
Economic Area (EEA).

Ensure the basis relied on for each international transfer is clear and
lawful. Review the existing safeguards that apply and consider whether any
additional safeguards are required, such as the Privacy Shield, Binding
Corporate Rules or Model Clauses.

8. Ensure IT systems are compatible with data subject rights.

Check processes for: keeping personal data up-to-date; deleting it when
appropriate; and responding to a request to delete or restrict the
processing of personal data or a data subject access request (within one
month of receipt).

9. Arrange training for all staff.

One of the ways in which organizations can demonstrate compliance with the
GDPR (‘accountability’) is by arranging training for staff that is
tailored to the organization.

10. Maintain records of processing activities.

Data controllers and data processors must maintain records which document:
the purposes of processing; categories of data subjects, personal data and
recipients of data; transfers of data outside the EEA; time limits for
erasure; and descriptions of security measures.