GDPR: Time to get ready
- Posted 14.02.2018
The countdown has started: in less than five months, the General Data Protection Regulation (“GDPR”) will become directly applicable within the European Union (“EU”). From 25 May 2018, all entities located in the EU which process personal data in the context of their activities will have to comply with the requirements of the GDPR, regardless of whether the processing takes place in the EU or not. Under certain circumstances, entities located outside the EU which process personal data of data subjects located in the EU will also have to apply the GDPR.
The GDPR will entail substantial changes in the approach to personal data processing: the accountability of entities will become of paramount importance, the supervisory authorities will be granted stronger powers, and the administrative fines will be clearly dissuasive.
By way of thorough data mapping, entities will in particular have to identify and document (i) the types of personal data processed, (ii) the capacity under which they process personal data (as controller, joint controller or processor), (iii) the data subjects targeted, (iv) the purposes and legal grounds for each processing, including for data transfers outside of the EU, and (v) the persons who have access to the personal data or to whom they are transferred. New obligations will concern, in particular, the implementation of appropriate procedures (for the purpose of providing the data subjects with the required information and for allowing them to exercise their rights under the GDPR, notifying data breaches to the relevant supervisory authority or to the data subjects, etc.), the designation of a data protection officer (where applicable) or the drafting and updating of detailed documentation (records of processing activities, data protection impact assessments, etc.).
The entities shall also review and amend all agreements in place or to be concluded (general terms, service agreements, employment agreements, etc.) in light of the new GDPR requirements.