Peer to Peer Magazine

Spring 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/810339


Page 55 of 79

57 WWW.ILTANET.ORG

FEATURES

Preparing for the General Data Protection Regulation

ADAM STONE

Adam Stone, Principal Consultant and Chief Privacy Officer at Secure Digital Solutions, has over 26 years of business leadership experience, with over 16 years spent overseeing data privacy and security functions for health care, insurance, financial services and marketing organizations. Adam provides advice and leadership to enable the implementation and maintenance of complex regulatory regimes for organizations large and small. Contact Adam Stone at astone@trustsds.com.

not mandate consistency among EU member states in the implementation and enforcement of its key principles and objectives. This created confusion and operational burdens for organizations – especially those doing business in multiple EU countries – obligated to comply with the data protection rules.

The EU Council signaled a new path forward with the passing of the GDPR, which expressly mandates consistency in regulatory approach for EU member states. By passing a "regulation" instead of a "directive," EU leaders created a law that binds all member states simultaneously. The goal of the GDPR is to streamline the approach to one of the EU's key priorities in support of the Europe 2020 Strategy for a digital single market, which recognizes the realities of this new digital age.

In addition to reducing regulatory burdens on organizations doing business in the EU, the GDPR seeks to strengthen the legal protections supporting the rights of EU citizens as expressed in Article 8 of the EU's Charter of Fundamental Rights. New mandates in the GDPR, such as the "right to be forgotten" online, reflect shifts in public awareness and concern about the pervasiveness and permanence of personal data on the internet.

Organizations legally obliged to implement the GDPR's standards face significant penalties for noncompliance. Where the Directive lacked effective deterrents, the GDPR enables EU regulators to punish violators with fines of up to four percent of annual global revenue. In the wake of a data breach, organizations must now factor in such fines as well as the operational costs and reputation damages caused by such an event.

Does the GDPR Affect Your Firm?

Formally enacted on May 24, 2016, the GDPR becomes effective in May 2018. Law firms should begin their preparations for meeting the new data protection requirements by the effective date, as delays may result in increased operational risks and compliance costs. Many technology leaders among large firms are already reviewing and updating data privacy and security controls in support of GDPR compliance. Anecdotal evidence suggests small and midsize firms are not as far along.

Even law firms not directly affected by GDPR standards could feel its effects, as the GDPR extends compliance obligations to data processors and third-party service providers (i.e., law firms). Legal technologists should factor in third-party risk when determining the applicability of the GDPR to their firm's operations.

In some firms, technology leaders may need to persuade a somewhat skeptical management of its GDPR compliance obligations and the importance of acting upon them. If so, legal technologists can point out that changes stemming from the updated EU data protection framework provide fresh impetus to review the effectiveness and expand the value of the firm's existing data privacy and security controls and processes.

Four Steps to Readiness

How should you get started on your GDPR readiness journey? There are myriad articles, white papers and associated resources for those not familiar with the GDPR, replete with detailed analyses of the regulation and available (often free) online. Beyond the legal requirements, however, technology leaders need a clear understanding of how the GDPR will affect the systems and processes under their watch.

As with any substantive compliance effort, firms need an implementation plan. Technology leaders should adopt the following four-step approach to ready their organizations for the GDPR's mandates:

1. Understand your business and clients. You need to know whom your firm serves, where and how you operate, and the way you handle data. Ask yourself these questions:

» Whom does your firm commonly represent?
» How does your firm find and cultivate new clients?
» How do you typically communicate with current clients?
» What tools and systems are used to collect, process, store and transmit personal data about clients, employees and others?
