GDPR Is Here: Now What?

11 June 2018
View Debevoise Debrief

If you are like many of our clients subject to the EU General Data Protection Regulation (“GDPR”), you may have spent the last several months in a mad dash to get ready for the new law. Updated privacy policies have been written. Data transfer agreements have been executed. Required contractual clauses have been included in data processor agreements. Incident response plans have been updated and data retention practices considered. Now what?

Unfortunately, GDPR compliance did not end on May 25, 2018, it has only just begun. Below, we list five recommendations for navigating the post-GDPR world.

Do what you say. You are under an obligation to act fairly. This means privacy policy and related disclosures must reflect reality. Carefully review what you have said about the personal data you process, why you do so, how you secure the data, and with whom you share it. To the extent your privacy policy significantly departs from your practices, it should be revised, or divergent practices should stop. Likewise, if you have told people that they would be removed from your marketing lists unless they expressly opt in, ensure you actually do so.

Fulfil controller-processor obligations. Many companies in data controller-processor relationships have either taken on or imposed contractual obligations in anticipation of the GDPR. In some cases, those requirements may go beyond the GDPR or purport to apply the GDPR to companies that are not otherwise subject to it. Make sure you understand your contractual obligations and are prepared to fulfil them. If, in the cold light of post-GDPR day, you realise these obligations go beyond those legally required, consider reaching out to your counterparty to clarify their scope and applicability.

Watch out for the ePrivacy Regulation. The GDPR is not the only data protection regulation to worry about. The ePrivacy Regulation, which is expected to come into force in 2019, will apply to electronic communications and impact direct marketing and use of cookies, among other issues. The text of the Regulation is far from final; a recent draft has introduced important changes that would impact customised advertising, for example. Watch this space.

Don’t forget about Member State legislation. The GDPR gives EU Member States an opportunity to vary certain provisions or to go beyond the GDPR. These national differences may be particularly important in the employment context and for businesses handling sensitive personal data.