With the EU General Data Protection Regulation coming into force this week, Steptoe & Johnson’s Cyberblog seeks to address the questions of whether the GDPR will apply to an organization and, if so, what immediate steps need to be taken to ensure compliance.
The post examines the details of what constitutes an organization being “established” in the EU, what “offering” goods and services consists of, and what qualifies as “monitoring” EU residents. It also explains the new and expanded rights that the regulation confers upon individuals in the EU, and the standards for data protection.
It outlines specific measures and the steps that should be taken with each of them to ensure compliance, which include:
- Appoint a data protection officer (DPO) or other data protection leader.
- Determine whether the business must appoint an EU representative.
- Audit and map the business’s data processing activities.
- Review and document the business’s legal basis for processing personal data.
- Review and update consent mechanisms and language.
- Review and update privacy notices.
- Review and update vendor and service contracts.
- Prepare for new data breach notification requirements.
- Perform data protection impact assessments.
