EU Business News Q3 2018
GDPR Resource Guide Available from Baker McKenzie, Protiviti and Robert Half

New FAQ guide answers critical questions about compliance with the new EU data regulation.

For companies on the journey to compliance with the European Union’s ground-breaking new General Data Protection Regulation (GDPR), global consulting firm Protiviti has teamed up with Robert Half and Baker McKenzie LLP to provide a GDPR resource of frequently asked questions. Titled “Understanding the General Data Protection Regulation,” the GDPR guide has been developed to help businesses navigate the challenging and wide-ranging mandate. The complimentary guide takes a deep dive into GDPR requirements and details specific components of the regulation to assist companies in understanding the processes needed to achieve, and maintain, compliance.

“The GDPR represents the most significant change in data regulation in 20 years. Fines for GDPR noncompliance can reach four percent of a company’s global revenues, so it’s critical that companies know how to operate under this new regulation,” said Kurt Underwood, a Protiviti managing director and global leader of the firm’s technology consulting practice. “Our guide serves as a practical resource for people from the boardroom to the IT department to understand and help their organisation comply with the GDPR’s complex requirements.”

The GDPR was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union (EU) to supersede the Data Protection Directive (95/46/EC) adopted on October 24, 1995. Applicable since May 25, 2018, the GDPR strengthens and unifies data protection for individuals in the EU by regulating the processing of personal data about citizens, residents and anyone inside the EU, whether that data is processed electronically or held in a structured paper filing system.
The regulation affects any organisation doing business within the EU or the European Economic Area, no matter where it is based. “Any business handling personal data of individuals in the European Union or the European Economic Area must now take greater care when acquiring, sharing and using this information. Many organisations are still unprepared to comply with the GDPR,” stated Joel Wuesthoff, a managing director for Robert Half Legal’s consulting solutions practice. “In addition to formalising their internal and external facing privacy policies and practices, it’s also imperative that they put suitable third-party contracts and processes in place reflecting the provisions of GDPR Article 28.”

The guide’s development was prompted by the numerous questions global clients of Baker McKenzie, Protiviti and Robert Half have been posing about this extensive, complex and nuanced regulation. Questions in the guide range from “What is ‘personal data’ as defined under GDPR?” to “What are considered appropriate safeguards?” The guide answers these and more than 70 other questions covering subjects including data privacy rights; cross-border data transfers; liabilities and penalties; and the responsibilities of a data protection officer.
At its core, the GDPR sets out broad-based data protection principles, which the guide outlines as:

• Lawfulness, fairness and transparency: data is processed lawfully, fairly and in a transparent manner in relation to the data subject
• Purpose limitation: data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Data minimisation: data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
• Accuracy: data that is inaccurate must be erased or rectified without delay
• Storage/retention limitation: data that permits identifiability may be kept for no longer than necessary for the purposes for which the personal data is being processed
• Integrity and confidentiality: data is processed in a manner that ensures appropriate security

The guide also outlines the cornerstones in the process of becoming GDPR compliant. They are:

• Awareness: chief security officers, IT managers, CEOs, business unit managers and others must be informed of the GDPR’s wide-ranging legal implications and should translate and apply them into plain, simple measures to comply with this regulation
• Disciplined execution: a GDPR compliance strategy is worth very little without disciplined execution. Knowing which data security and management solutions must be selected and implemented to ensure compliance and security is not as easy as it would seem. Numerous factors weigh in, and the human factor is the most complex

“Non-compliant organisations should have started adjusting their internal processes, if they haven’t already, so that any obstacles encountered can be resolved before penalties and reputational repercussions are incurred,” said Jeff Sanchez, a Protiviti managing director in the firm’s security and privacy group and leader of its GDPR solution offering. “Using our guide as a blueprint to comply with the GDPR can give companies a