Tomorrow, May 25, the European Union’s (“E.U.’s”) sweeping and much-awaited data security and privacy regulation known as the General Data Protection Regulation, or “GDPR,” will come into force.  We have previously written a full analysis of the new requirements under the GDPR for companies subject to its jurisdiction.

Since the GDPR was formally approved in 2016, organizations around the world have devoted significant time and resources to preparing for the new law’s implementation.  But while tomorrow is a deadline, it is also a start date—for compliance efforts that will require ongoing attention and adjustments in the months and years ahead.  With this in mind, we have compiled the following tips and resources to aid companies in their ongoing efforts that will come after May 25:

  • Utilize emerging guidance on key provisions. As with any significant new legislation, the text of the GDPR leaves open many interpretive questions.  Helpfully, the E.U.’s Article 29 Working Party, an independent advisory board of representatives from E.U. and member state data protection authorities and the European Commission, continues to provide guidance on a number of the GDPR’s key terms and requirements.  Recent releases include, among others, guidelines for how a company doing business in several E.U. countries can identify the country (or countries) with primary GDPR enforcement authority over its cross-border data processing, examples of disclosures that are (and are not) sufficiently clear to meet the requirement to be transparent about the collection and processing of individuals’ personal data, and instructions about the minimum information that must be provided in order to obtain valid consent to process an individual’s personal data.  And importantly, in February, the Working Party released draft guidance on key GDPR provisions governing the transfer of personal data to third countries, such as when such transfers are permitted as “necessary for the establishment, exercise or defense of legal claims.”  (This guidance is still in draft form as of the date of this post.)  GDPR-regulated entities should pay attention to this guidance as it continues to develop.  We will analyze and summarize key guidance, as we have done previously, as it emerges.
  • Watch out for inconsistencies between E.U. member states. While the GDPR generally increases harmonization of data protection rules across the E.U., so-called “opening clauses” in the regulation enable E.U. member states to adopt state-specific requirements for key provisions, such as those providing for a local supervisory authority and protection of employee personal data.  Companies subject to various E.U. jurisdictions should pay close attention to the ongoing implementation of the GDPR across the E.U., including by tracking national legislation that makes use of these “opening clauses” in the member states most relevant to their businesses.
  • Monitor third-party vendors. Under the GDPR, a data controller[1] may only utilize data processors[2] that can sufficiently guarantee compliance with the GDPR’s requirements.  While third-party processors also face direct liability under the GDPR, controllers are ultimately liable for damage caused by processing that violates the GDPR, unless they can prove they are “not in any way responsible for the events giving rise to the damage.”  This means that controllers should not only perform thorough due diligence before contracting with a processor but also regularly monitor processors’ activities throughout their engagement.  Data vendor oversight is important outside of Europe as well; U.S. privacy regulators have recently scrutinized the failure to monitor the use of personal information by third-party service providers.
  • Understand the GDPR’s breach notification clauses—and similar U.S. notification requirements. The GDPR generally requires controllers to notify the relevant authorities of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” as well as to notify data subjects of a personal data breach “without undue delay” where the breach is “likely to result in a high risk to the rights and freedoms” of the data subject.  Relatedly, processors must notify affected controllers “without undue delay” after becoming aware of a personal data breach.  (Further analysis of the GDPR’s breach notification requirements, and the potential consequences of failing to satisfy them, is available here.)  Given the frequency with which companies are experiencing data breaches today, precedent on how the GDPR’s data breach provisions will be enforced is likely to be established sooner rather than later.  Companies subject to the GDPR would do well to pay close attention to these early data breach enforcement actions and consider any changes in their own breach notification procedures that may be warranted.  Moreover, when implementing GDPR-compliant data breach notification programs, U.S. organizations (or organizations holding personal information of U.S. consumers) should also take care to understand how and when to notify U.S. regulators of a breach.  All 50 states now have breach notification laws on the books.  Even if their own notification requirements were technically satisfied, U.S. regulators may be loath to learn that they were notified of a data breach days or weeks after their European counterparts.  Public companies listed in the U.S. should also consider whether notifications provided under the GDPR trigger any U.S. federal securities disclosure obligations, such as under Regulation Fair Disclosure (“Reg FD”), which prohibits public companies from selectively disclosing material nonpublic information to certain categories of individuals, including market professionals and investors, under circumstances where it is reasonably foreseeable that the investors will trade on the basis of the information.
  • Recognize your regulatory and litigation risks. Exposure under the GDPR is significant.  Violators can face fines of up to €20 million or four percent of global annual turnover, and the law also provides for both an individual private right of action and certain collective actions.  Covered entities should make sure they understand this exposure, incorporate it into assessments of their organizations’ global litigation risks as appropriate, and identify whether and how such risks should be mitigated.  For example, the U.S. Securities and Exchange Commission has recently sharpened its focus on cybersecurity-related disclosure obligations.  In February, it issued interpretive guidance for public companies about disclosure of cybersecurity risks and incidents, and just last month it followed this up with its first-ever enforcement action for the alleged failure to timely disclose a data breach.
  • Finally, consider whether existing insurance policies provide appropriate coverage. As early GDPR enforcement actions bring clarity to regulators’ enforcement priorities and approaches, organizations should consider examining whether their existing insurance policies are sufficient in light of GDPR-related risks.  Among the coverage questions to consider is whether, and to what extent, existing policies will cover claims related to GDPR enforcement and private actions.

[1] A data “controller” is a body that, alone or jointly with others, determines the purposes and means of processing of personal data.  See GDPR Art. 4, ¶ 7.

[2] A data “processor” is a body which processes personal data on behalf of a controller.  See GDPR Art. 4, ¶ 8.