McCormick & O'Brien, LLP

Cyber Alert 3/2018 - GDPR

Not Prepared For GDPR? 5 Key Things You Still Have Time To Do.

March 2018


The European Union’s General Data Protection Regulation (GDPR), which seeks to unify fragmented existing data protection rules, will become fully enforceable throughout the EU (including the United Kingdom) on May 25, 2018. It imposes significant new obligations on organizations that control or process relevant personal data, and failure to comply may have major financial consequences. With so much at stake, data controllers and processors will want to take immediate action to prepare for enforcement of the GDPR.

Will you be prepared for General Data Protection Regulation (GDPR) compliance when it goes into effect on May 25, 2018? The latest statistics reveal that 86% of companies (of all sizes, in multiple industries) are not, and over 60% have not even started planning or taken any preparatory steps towards compliance. With less than two months to go, here are the top five things you can still do.

  1. Check whether your website privacy policies are GDPR compliant.
  2. Check if you need to appoint a Data Protection Officer (DPO).
  3. Check if you have a record of processing activities, and if not, start working on it.
  4. Check if you have data processing agreements in place and if they require a GDPR compliant upgrade.
  5. If you process based on consent, check whether such consent needs to be updated.

As GDPR is now only weeks away, companies that have thus far made no arrangements will be better positioned for GDPR compliance by concentrating on the above changes, which are directly visible to customers and supervisory authorities. You can implement these changes by following these tips.

Are Your Privacy Policies Up to Date?

Companies should assess their privacy policies. Quite frequently, privacy policies are incomplete and incomprehensible, or are mingled with General Terms and Conditions. Under the GDPR, privacy policies must clearly and concisely describe the categories of data processed and inform data subjects of their rights to information, access, rectification, erasure, restriction of processing and data portability, as well as the data subject’s right to object to the processing.

Do You Keep a Record of Processing Activities?

As of May 2018, all companies subject to the GDPR will be required to maintain a record of processing activities. Drafting a record of processing activities is certainly a long-term task, as it will have to be maintained and updated for as long as personal data is being processed. For now, it is time to start working on the record by gathering the required information and filling it in. This should be done even if all the information has not yet been gathered.

Do You Need a Data Protection Officer?

Companies should assess whether they are required to designate a DPO. Bear in mind that nowadays, almost all employees work with computers and may process personal data. Companies doing business in Germany will have to appoint a DPO if they are employing more than 10 persons.

Do You Need Data Processing Agreements?

Companies should check whether their data processing agreements are GDPR compliant. If there are no data processing agreements in place, then it is time to enter into such agreements prior to 25 May 2018.

Do You Obtain Consent?

According to German supervisory authorities, consent based on old law may, in principle, be considered valid if it is in line with the new (above-mentioned) GDPR requirements. Companies should be very careful here, however: the safest thing to do is to obtain a new consent designed according to the GDPR.