This document provides an overview of the steps businesses need to take to comply with the General Data Protection Regulation (GDPR), which applies from 25 May 2018. It outlines key aspects of the new law, including what counts as personal data, who the GDPR applies to, the penalties for non-compliance, and the rights of individuals. It then sets out five steps a business should take: raising awareness and developing a privacy strategy, conducting a data audit and data mapping, reviewing privacy notices and documentation, putting procedures and planning in place (including appointing someone responsible for data protection, handling data subject requests and personal data breaches, and training employees), and, finally, not panicking. Taking these steps will help businesses avoid penalties and be ready for the new regulation.
CLIENT BRIEFING, MAY 2018
GDPR – IS YOUR BUSINESS READY?
By Emma Vango-Brown
Carsted Rosenberg Advokatfirma
The General Data Protection Regulation (GDPR) applies from 25 May this year. Are you ready to deal with the changes for your business?

It is important to ensure your business is prepared for the changes and that the right people fully understand the implications. This may seem daunting, but a methodical and practical approach will help you ensure that your company is ready in time. Understanding what your business needs to do, and then putting in place the appropriate procedures, supported by up-to-date policies and agreements, will ensure your business is ready for 25 May.

This short client briefing is intended to give an overview of the matters to consider and the steps a business must take to ensure compliance with the GDPR and avoid financial penalties.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (the 'data subject'). It is not limited to information the individual shares with your business directly: information you generate or obtain about a person, and information that identifies a person only when combined with other data you hold, also counts.

Examples of personal data
Personal data can include an individual's name, email address, bank details, telephone number, photographs, credit card information, posts on social networking websites, medical information, or a computer's IP address.

Who does the GDPR apply to?
The GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that process personal data of individuals in the EU (including customers or employees) in connection with offering them goods or services or monitoring their behaviour. Being located outside the EU does not, by itself, take a company outside its scope.

What are the penalties for non-compliance?
Depending on the type and seriousness of the infringement, companies can be fined up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher (a lower tier of up to EUR 10 million or 2% applies to some infringements).
STEPS TO TAKE BEFORE 25 MAY 2018

1. RAISE AWARENESS AND DEVELOP A PRIVACY STRATEGY
Make sure everyone in the organisation who handles personal data is aware that the law is changing, particularly the decision makers and key members of the business.
Consider what levels of risk your organisation is prepared to accept and which aspects of the GDPR are most critical to your business and your customers.

2. DATA AUDIT AND DATA MAPPING
Your business should conduct a thorough internal review of all personal data it holds and consider the following questions:
What?
- What information is being collected?
- What risks are posed by it?
- What is the lawful basis for holding the data?
How?
- How is it collected?
- How is it being processed?
- How will it be used?
Who?
- Who is collecting it?
- Who are the data subjects?
- Who will it be shared with?
Where?
- Where has the data come from?
- Where is the data being shared?
- Is data being shared cross-border (to another EU country or outside the EU)? If so, is there adequate protection of that data?

3. PRIVACY NOTICES AND DOCUMENTATION
Review your current privacy notices, both online and internal, to ensure the GDPR requirements are met. The information you give data subjects must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Consider whether the following documentation is necessary:
- Data Protection Impact Assessments and auditing.
- Data privacy policies, for data relating to customers and for data relating to employees.
- Website privacy and cookie policies.
- Privacy notices.
- Data processing agreements.
- Data subject access requests: a toolkit for dealing with subject access requests.
Third-party diligence and contracts:
You need to understand how your supply chain handles any data you transfer to it. Contracts with processors will be required to contain explicit data protection clauses, which should include a retention period and the right to audit.

4. PROCEDURES AND PLANNING
Appoint a data protection officer, or someone else to take responsibility for data protection compliance. That person will then need to consider the following steps and procedures:

Individual rights:
Put procedures in place to protect the rights granted under the GDPR, including the:
- right to be informed;
- right of access;
- right to rectification;
- right to erasure (the 'right to be forgotten');
- right to restrict processing and to withdraw consent;
- right to data portability; and
- right to object, and to complain to a supervisory authority.

Subject access requests:
Put procedures in place to manage requests from data subjects, and plan how to handle them. You must respond without undue delay and in any event within one month of receiving a request (extendable by up to two further months for complex or numerous requests, provided you tell the data subject within the first month). Requests will normally be free under the GDPR, so you may receive many more of them.

Data security, breaches and incident management:
- Ensure procedures are in place to detect, report and investigate personal data breaches.
- Consider how secure the data is and whether encryption or pseudonymisation will be required to protect the personal data held.
- Ensure network and information security: prevent unauthorised access to electronic communication networks and stop damage to computer and electronic communication systems.
- Be aware of the reporting requirements: a breach that is likely to result in a risk to individuals must be reported to the regulator without undue delay and, where feasible, within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay.

Sensitive personal data:
Is any sensitive data being held, including children's data or the special categories of data such as biometric, genetic or medical data? If so, are the correct standards being met to collect, process and store it?

Training:
Ensure that your employees understand how the GDPR applies to them and that they are aware of its impact.
High-risk areas, for example HR or marketing teams, will need focused training on their obligations under the GDPR.

Managing consent:
Review how consent is currently obtained and refresh it if the GDPR standards are not met. Consider whether you use tick-boxes and opt-ins, and whether the way you obtain consent needs to change.
In relation to children, how do you verify customer ages? How do you obtain consent from a child's parents or guardians?

5. DON'T PANIC!
There is still time to ensure your business is compliant with the GDPR, and Carsted Rosenberg is on call to help.

NEXT STEPS
1. Raise awareness and develop a privacy strategy.
2. Data audit and data mapping.
3. Privacy notices and documentation.
4. Procedures and planning.
5. Don't panic!
CONTACT
IMPRESSUM
CARSTED ROSENBERG ADVOKATFIRMA GMBH
HR-NR. CH-140.4.003.142-6
UID NR. CHE-114.437.705
BAHNHOFPLATZ 4, POSTFACH 825, CH-6060 SARNEN 2, SWITZERLAND
PHONE: +41 (0) 79 901 3713
EMAIL: INFO@CARSTEDROSENBERG.COM
CONTACT: ADVOKAT AND SOLICITOR MICHAEL CARSTED ROSENBERG
For more information please contact:
Emma Vango-Brown at
eb@carstedrosenberg.com
T: +45 91 11 19 44
Carsted Rosenberg Advokatfirma
Bredgade 3
DK-1260 Copenhagen K
Denmark
Mainzer Landstrasse 18
D-60325 Frankfurt am Main
Germany
T: +49 (0)69 3650 654 58
Carsted Rosenberg is an international law firm based in Frankfurt and Copenhagen that specialises in cross-border banking & finance, capital
markets, mergers & acquisitions and corporate and commercial matters. Our clients rely on us for pragmatic advice and transactional excellence.
Uniquely we can advise our clients on both Danish and English law.
At Carsted Rosenberg we pride ourselves on combining the highest global standards with local expertise. Accordingly, we work closely with the
leading international law firms and financial institutions to provide a multi-jurisdictional transaction team as their dedicated local counsel for
Denmark. We are used to working in multi-practice, multi-jurisdictional teams combining our local counsel skills with our partner firm’s
international network to deliver the best possible results for our clients.
This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals. It is not designed to
provide legal or other advice. It shall not be used as a substitute for legal advice, but is only intended for general information on matters of
interest. While we endeavour to represent the information as accurately and correctly as possible, we cannot accept any responsibility for any
errors or omissions.
For more information please do visit our website: www.carstedrosenberg.com