
6 Things to Do if You’re Still Not Ready for GDPR

After two years of legal and IT departments scrambling to get ready, GDPR is finally in force. Companies that aren't prepared, and a startling number aren't, run the risk of massive fines. Two notable examples are Facebook and Google, which could face penalties of more than US$9 billion for not complying with the new regulation. To learn how to avoid these fines (or at least reduce their severity), we spoke with ACC Chief Legal Officer Amar Sarwal about how legal counsel can harmonize their compliance programs with GDPR.

1. Stop everything

Now is not the time to fine-tune your company's employee handbook. Sarwal advises using every resource you have to ensure that your company complies with all of GDPR's requirements. These updates likely can't be made with a few tweaks, especially if data is at the core of your company's business model.

Even if data isn't your company's focus, your company should still update its policies; the fines aren't worth the risk. If shareholders are hesitant to make the investment, the best way to persuade them is to remind them of the penalties, mentioned above, that Facebook and Google are facing.

2. Selecting compliance policies

For non-EU companies establishing data governance, there are several different compliance policies in-house counsel can adopt. "It's best to take a uniform approach to compliance, even if some EU countries adopt more lax rules on data regulation," Sarwal explains. A data policy that covers only some of the requirements, rather than a comprehensive one, could still result in fines.


There is also the issue of individual EU countries requiring companies to retain data that your business might not otherwise need. For example, Germany is now scrutinizing tax records more thoroughly under the GoBD, which focuses on financial record-keeping rather than personal data. This regulation extends the reach of the German Ministry of Finance so that it can monitor cash-based transactions (e.g., restaurants, hair salons) and verify that they are reported accurately. However, few countries require this data, and every record you keep without a legal or business need is one more record a breach can expose. GDPR's own data minimization principle (Article 5(1)(c)) points the same way: if you don't need it, don't save it.

3. Consent of the governed

Consent is central to GDPR. It is one of the lawful bases for processing personal data under Article 6, and where your company relies on it, the consent must be freely given, specific, informed, and unambiguous (Article 4(11)). Ensuring that your company actually has its users' permission to gather their data is therefore one of the most critical measures to get right. "Everything is focused on consent," Sarwal explains. "It's not just having consent to use the information for a particular function in business. It's also having consent to track that information."

Every point at which your company handles the personal data of individuals in the EU must be accounted for and protected. The Equifax and Yahoo breaches and the WannaCry ransomware outbreak show how quickly the public can lose faith in a company. GDPR also requires, where feasible, that a personal data breach be reported to the supervisory authority within 72 hours of the company becoming aware of it (Article 33). Add the inevitable backlash of having had no permission to use the data that was compromised, and more fines could follow.

4. Power to the people

There are 99 GDPR articles in total, so it's not surprising that a few are eclipsed by the attention on consent. One easily forgotten yet pressing provision is Article 80, "Representation of data subjects," which lets an individual mandate a not-for-profit body to lodge complaints and exercise their privacy rights on their behalf.


This provision could create trouble for inattentive counsel, Sarwal notes. If a company has violated its obligations, then its EU users, clients, or customers can act collectively through such a body to lodge complaints, exercise their right of access to the data the company holds on them, and, where national law allows, seek compensation. A tarnished public image, on top of litigation and regulatory fines, is one more incentive to create and implement a thorough compliance policy.

5. Pitfalls from procrastination

Whether the delay was unintentional or deliberate, companies that put off implementing GDPR compliance policies can end up on the wrong side of regulators. Sarwal describes two types of slow-starters who could incur fines:

•    Those who tried to comply but missed some measures; or,
•    Those who knew about the compliance measures but didn’t follow them regardless.

Ideally, regulators should be more lenient with the former, as they acted in good faith; whether an infringement was intentional or negligent is one of the factors supervisory authorities must weigh when setting a fine (Article 83(2)). Good faith is no defense against misreading the law's scope, though. For example, a nonprofit that assumed GDPR doesn't apply to it because it isn't a customer-facing organization could find itself in trouble if it processes the personal data of employees or even consultants located in the EU.

The latter, however, will likely face more severe consequences. On top of potential fines from regulators, your own job could be at risk for not following protocol. "If board members are unhappy about these massive fines, then C-suite jobs could be on the chopping block," Sarwal warns.

6. Facing regulators

Should you receive the dreaded notice from regulators, hire outside counsel who specialize in EU data protection law. Their expertise will help you avoid a burdensome fine. When dealing with the regulators, be cooperative rather than adversarial.

"You're going to be in worse shape with a defensive approach, because they have all the cards," Sarwal cautions. Working with the regulators instead might reduce the fine's severity, since the degree of cooperation with the supervisory authority is itself a factor in setting penalties (Article 83(2)(f)), and it shows that you are building a process to bring your company into compliance.


Most importantly, be transparent, record everything, and admit to any regulatory oversights. Covering up any mistakes won’t help. “At the end of the day, they’re going to find whatever you have. It’s better to be forthright to do what the GDPR asks you to do and triage the most important parts,” Sarwal says.

As overwhelming as this process can be (especially with the pressure from procrastination mounting), it's an opportunity to help usher your company into the new standard of privacy that the public wants and demands. Other countries may not have such stringent laws yet, but in time, similar themes will likely appear in other nations' laws. What's more, embracing GDPR will help cement your company's reputation for caring about its customers. "When companies talk about wanting to do good, this is how they can make that change," Sarwal says.

About the Author

Karmen Fox is the web content editor of ACC Docket.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.