So we have all fully digested 209 pages of the EU General Data Protection Regulation (GDPR) text, and added it to our 2016 new year's resolution, now what?
While the EU Parliament and Council are expected to have their final vote on the GDPR in the first quarter of 2016, how should companies start preparing for GDPR compliance? Previously, we have identified the major GDPR game changers, and provided the essential elements organisations must consider when drafting their GDPR game plan.
With a two-year implementation deadline in mind, our GDPR Game Plan series will provide practical step-by-step guidance to:
- help organisations understand the GDPR requirements, in a global, EU-wide and local context;
- assist privacy and compliance teams prepare for the GDPR;
- provide practical implementation steps for your GDPR game plan.
Step One - Re-Evaluate
For multinational companies, GDPR will inevitably have a significant impact on their global operating strategy. Now we have management's attention, how should we present them with a constructive solution?
For a start, organisations should try to answer these questions:
- Where is all our data?
- Should we appoint a DPO?
- If we appoint a DPO, where should they be located?
- Should we implement binding corporate rules (BCR)?
- Do we have a data breach incident management plan?
- Who are all our data processors, outsourcers?
- Where do we keep data subjects' consent?
Data Protection Assessment
How do you answer the questions above meaningfully?
While GDPR is much more prescriptive than the EU Data Protection Directive 95/46/EC, it still incorporates the fundamental data protection principles presented in the Directive.
Therefore, as preparation to drafting your new GDPR game plan, we recommend organisations to:
- examine their existing compliance framework carefully;
- generate a status-quo report of your current compliance framework;
- identify the compulsory compliance requirements currently missing in your existing framework;
- produce a "Strategy & Action" plan.
Strategy & Action
The Strategy & Action Plan should form the first chapter of your GDPR Game Plan.
It will help you:
- identify all the policies and agreements you will need to produce immediately;
- determine the short-/long-term goals of your GDPR Game Plan; and
- solidify concrete action points for the next steps of your GDPR Game Plan.
EU GDPR Game Plan Series
In this series, we will be providing guidance for data protection officers and officers-to-be to help them implement a bespoke GDPR Game Plan that is compliant with the GDPR, and meets industry standards and requirements.
We will cover topics including: data breach incident management, consent, data mapping, cross-border data transfer, data processor obligations, consent, rights of data subjects, one-stop-shop, enforcement and sanctions, privacy impact assessments, privacy by design, profiling restrictions and accountability.
We will also produce mini-country guides to help you prepare a strategy meeting the requirements in your country. Stay tuned!
EU General Data Protection Regulation (GDPR) Game Plan Series - Part 1 webinar
We have identified 13 areas of particular interest that companies could use to prepare for the new regulations and prioritise their actions. Baker & McKenzie's GDPR Game Plan programme includes a series of three webinars in which our experts explore those game changers in the GDPR.
The first webinar in this series will focus on the first five key game changers: DPOs, data breach incident management, cross-border data transfer, consent, and data mapping (which involves understanding the sources of your data, who handles it, where it goes, and how it is used and protected). The other game changers will be addressed in the upcoming two webinars.
Wednesday, January 27, 2016
10am Bangkok/ 11am Hong Kong/ 12pm Tokyo/ 2pm Sydney
Americas and Europe
9am San Francisco/ 11am Chicago/ 12pm Toronto and New York/ 5pm London/ 6pm Western Europe
To register, please click here.
Access instructions will be circulated to all registered participants in advance of the webinar.
For more immediate information or questions, please contact .
“Baker & McKenzie's iG360 tool is designed to assist clients to comply with legislative provisions such as the GDPR. The iG360 tool was placed second out of a shortlist of nine in the "Compliance and Technology" category at the Financial Times North American Innovative Lawyers 2015 awards, with iG360 being deemed a "standout". The Financial Times indicated: "At Baker & McKenzie, for example, a cloud-based legal compliance service called iG360 guides the firm's multinational clients through information governance laws in more than 120 countries, with 24-hour access to tailored legal advice."
To learn more about how iG360 can help you comply with the GDPR requirements, please contact .
Contributors - Frances Chen, Anna von Dietze, Sarah Gee