GDPR Basics for General Counsel

Okay, let's break down the GDPR basics from the perspective of a General Counsel. This will cover key areas a GC needs to understand and manage.

What is GDPR? (In a Nutshell for a GC)

The General Data Protection Regulation (GDPR) is a European Union (EU) law on data protection and privacy that applies to any organization, regardless of location, that processes the personal data of individuals (data subjects) within the EU. It aims to give individuals more control over their personal data and sets strict rules for organizations handling that data. It's not just about privacy; it's about accountability and demonstrable compliance.

Key Responsibilities and Considerations for a General Counsel Regarding GDPR:

A General Counsel plays a critical role in ensuring an organization's GDPR compliance. Here's a breakdown of responsibilities:

• Understanding the Scope and Applicability:


• Determining Applicability: The first task is to figure out if the GDPR applies to the organization. This isn't always straightforward. Even if the organization doesn't have a physical presence in the EU, it might be subject to the GDPR if it:


• Offers goods or services to individuals in the EU.


• Monitors the behavior of individuals in the EU (e.g., through website tracking).


• Processes data related to EU residents.


• Data Mapping: A comprehensive data mapping exercise is crucial. This involves identifying:


• What personal data the organization collects.


• Where the data comes from.


• Where the data is stored (including cloud storage).


• How the data is processed.


• Who has access to the data (internal and external).


• How long the data is retained.


• How the data is protected.


• Whether the data is transferred outside the EU (and if so, what safeguards are in place).


• Documentation: All of the above must be documented meticulously. This documentation is critical for demonstrating compliance to regulators.


• Establishing a GDPR Compliance Framework:


• Data Protection Policies and Procedures: Develop and implement clear and comprehensive data protection policies and procedures covering all aspects of data processing. These should be easily accessible to employees and regularly reviewed and updated.


• Data Protection Impact Assessments (DPIAs): Establish a process for conducting DPIAs for high-risk processing activities. DPIAs are required when processing is likely to result in a high risk to the rights and freedoms of individuals.


• Legal Basis for Processing: Identify and document the legal basis for each type of data processing activity. Common legal bases include:


• Consent: Requires freely given, specific, informed, and unambiguous consent from the data subject. Consent must be easy to withdraw.


• Contract: Processing is necessary for the performance of a contract with the data subject.


• Legal Obligation: Processing is necessary to comply with a legal obligation.


• Legitimate Interests: Processing is necessary for the legitimate interests of the organization or a third party, provided those interests are not overridden by the rights and freedoms of the data subject. Requires careful balancing.


• Data Security: Implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. This includes:


• Encryption.


• Access controls.


• Security awareness training.


• Incident response plans.


• Regular security audits.


• Data Breach Notification: Establish a clear process for detecting, reporting, and responding to data breaches. The GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Individuals also may need to be notified.


• Third-Party Agreements: Review and update all contracts with third-party data processors to ensure they comply with GDPR requirements. Data processing agreements (DPAs) are essential.


• International Data Transfers: If the organization transfers personal data outside the EU, ensure that appropriate safeguards are in place, such as:


• Adequacy decisions from the European Commission.


• Standard Contractual Clauses (SCCs).


• Binding Corporate Rules (BCRs).


• Data Subject Rights: Establish procedures for handling data subject requests, including:


• Right of Access: Individuals have the right to access their personal data.


• Right to Rectification: Individuals have the right to have inaccurate or incomplete data corrected.


• Right to Erasure (Right to be Forgotten): Individuals have the right to have their data erased under certain circumstances.


• Right to Restriction of Processing: Individuals have the right to restrict the processing of their data under certain circumstances.


• Right to Data Portability: Individuals have the right to receive their data in a structured, commonly used, and machine-readable format.


• Right to Object: Individuals have the right to object to the processing of their data under certain circumstances.


• Rights in relation to automated decision making and profiling.


• Ongoing Compliance and Monitoring:


• Training: Provide regular GDPR training to all employees who handle personal data.


• Audits: Conduct regular audits of data protection practices to identify and address any gaps in compliance.


• Monitoring: Continuously monitor data processing activities to ensure ongoing compliance.


• Updates: Stay up-to-date on GDPR guidance and case law and update policies and procedures as necessary.


• Data Protection Officer (DPO): Determine whether the organization is required to appoint a DPO. Even if not required, it may be a best practice to have someone in this role.


• Risk Management and Legal Advice:


• Identify and Assess Risks: Regularly identify and assess data protection risks and develop mitigation strategies.


• Provide Legal Advice: Provide legal advice to the organization on all aspects of GDPR compliance.


• Represent the Organization: Represent the organization in any interactions with data protection authorities.


• Manage Litigation: Manage any litigation arising from GDPR violations.


• Specific Actions GCs Must Take


• Review and Update Contracts: All vendor and third-party contracts must be reviewed and updated to include GDPR-compliant data processing agreements (DPAs). This includes cloud service providers, marketing agencies, and any other entity that processes personal data on your behalf.


• Manage Data Breach Response: Develop a comprehensive data breach response plan, including procedures for identifying, containing, and reporting breaches. Ensure that the plan is regularly tested and updated. The GC should lead the legal aspects of breach management.


• Provide Employee Training: Conduct regular GDPR training for all employees, especially those who handle personal data. Training should cover topics such as data subject rights, data security, and data breach reporting.


• Stay Updated on Regulations: GDPR regulations are constantly evolving. The GC must stay informed of any changes to the law and update the company's policies and procedures accordingly.


• Work with Data Protection Officer (DPO): If the company is required to appoint a DPO, the GC should work closely with them to ensure compliance with GDPR.


• Lead on International Data Transfers: Provide advice on the legality of data transfers to countries outside the EU, and implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).


• Advise on Marketing Activities: Review all marketing materials and activities to ensure they comply with GDPR requirements, including obtaining valid consent for email marketing and tracking user behavior.


• Oversee Privacy Notices: Ensure that the company's privacy notices are clear, concise, and easily accessible to data subjects.

• Cross-functional Collaboration: GDPR compliance requires collaboration across multiple departments, including legal, IT, marketing, HR, and sales. The GC must foster this collaboration.


• Documentation is Key: The GDPR emphasizes accountability. Thorough documentation of all data processing activities and compliance efforts is essential.


• Risk-Based Approach: Focus on the areas of highest risk.


• Ongoing Process: GDPR compliance is not a one-time event. It's an ongoing process that requires continuous monitoring and improvement.


• Penalties: GDPR violations can result in significant fines (up to 4% of annual global turnover or €20 million, whichever is greater) and reputational damage.


• Employee buy-in: GDPR is as much about culture change as it is legal compliance. Make sure all employees understand the importance of GDPR.

Let's say a company is launching a new online marketing campaign targeting EU residents. Here's how the GC would be involved:

• Review the Campaign: The GC would review the campaign to ensure that it complies with GDPR requirements, including:


• Obtaining valid consent for email marketing.


• Providing clear and concise information about how personal data will be used.


• Implementing appropriate security measures to protect personal data.


• Ensuring compliance with the ePrivacy Directive (which regulates cookies and other tracking technologies).


• Draft Legal Documentation: The GC would draft the necessary legal documentation, such as privacy notices and consent forms.


• Advise on Data Transfers: If the company is using a third-party marketing platform located outside the EU, the GC would advise on the legality of transferring personal data to that platform and implement appropriate safeguards.

The General Counsel is a critical player in GDPR compliance. They need to understand the law, develop and implement a compliance framework, provide legal advice, manage risk, and ensure that the organization is accountable for its data protection practices. They need to champion a culture of data privacy throughout the organization.