Data privacy lawyers and officers around the world are working to assess the implications of and implement (before May 25, 2018) the requirements contained within the recently passed General Data Protection Regulation (GDPR). As one might expect, the requirements, scattered throughout the nearly 300 pages of the GDPR and introductory notes, are many and not entirely straightforward.
Over the past few months, a significant portion of my time has been spent talking to my colleagues and NAVEX Global clients about the GDPR and Privacy Shield (privacy, it seems, has become a blisteringly hot topic even for non-privacy folks) and with good reason: It has been suggested that the GDPR will create over 25,000 new jobs.
In fact, I’ll be on a panel at the ACC Annual Conference in San Francisco in October to discuss the effect of the GDPR as well as practical recommendations organizations should consider implementing to meet compliance. I would love to connect with any of you who will be there.
In the meantime, I wanted to share some resources on GDPR that I have found useful:
- Phil Lee, Partner, Privacy, Security & Information at Fieldfisher, is an expert in GDPR who has published a number of blog posts on this topic, including his two most recent: “What you think you know about the GDPR…and why you may be wrong,” which clears up some common misconceptions, and “The ambiguity of unambiguous consent under the GDPR,” which tackles some GDPR grey areas.
- TRUSTe has developed a number of resources and tools to help organizations prepare for GDPR requirements. Start with the blog post “Your Path to GDPR Compliance, Step 1,” which includes a readiness assessment and links to other helpful tools.
- The International Association of Privacy Professionals (IAPP) has collected GDPR resources titled, “Top 10 Operational Impacts of the GDPR.” Topics include the potential impact on cyber security and data breach notification obligations and cross-border data transfers.
- In this blog post, “The countdown is on: 24 months to GDPR compliance,” Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, tries to look at the bright side of GDPR, asserting that good data privacy for users is, ultimately, also good for organizations.
- In this article in The Guardian, journalist Samuel Gibbs explores the potential implications, intersections and future evolutions of the GDPR, quoting William Long, a partner at Sidley Austin, who said, “Organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the regulations. Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”
What stage of preparation is your organization in? Do you have a clear go-forward path so you’ll be ready in May 2018? Share your experience and your questions in the comments section below.