If you are like many of our clients subject to the EU General Data Protection Regulation (“GDPR”), you may have spent the last several months in a mad dash to get ready for the new law. Updated privacy policies have been written. Data transfer agreements have been executed. Required contractual clauses have been included in data processor agreements. Incident response plans have been updated and data retention practices considered. Now what?
Unfortunately, GDPR compliance did not end on May 25, 2018; it has only just begun. Below, we list five recommendations for navigating the post-GDPR world.
• Fulfil controller-processor obligations. Many companies in data controller-processor relationships have either taken on or imposed contractual obligations in anticipation of the GDPR. In some cases, those requirements may go beyond the GDPR or purport to apply the GDPR to companies that are not otherwise subject to it. Make sure you understand your contractual obligations and are prepared to fulfil them. If, in the cold light of post-GDPR day, you realise these obligations go beyond those legally required, consider reaching out to your counterparty to clarify their scope and applicability.
• Don’t forget about Member State legislation. The GDPR gives EU Member States an opportunity to vary certain provisions or to go beyond the GDPR. These national differences may be particularly important in the employment context and for businesses handling sensitive personal data.