Seeking Compliance With New Data Protection Regulations?
Here's a to-do list for your company
By Peggy Keene
As more and more states pass data privacy and protection legislation in an effort to protect consumer data, companies should look inward to determine whether they can meet new state regulations and guidelines, as well as the EU’s General Data Protection Regulation, or GDPR. The following to-do list can help companies quickly get up to speed to work toward the requirements and compliance with new data protection regulations.
Conduct an Audit of the Company’s Current Data Protection Policies and Protocols
How should you protect your organization? To prepare for data privacy regulations, companies should conduct an audit of their current data protection systems, policies, protocols, and procedures. Businesses should identify the type of data they manage and determine whether any consumer data is being sent to or received from third parties. Specifically, organizations should understand whether such data is also being further processed or controlled by any third parties.
The type of data and how it is handled by the company and any third parties engaged by the company will determine what practices will be necessary for data protection compliance. Therefore, the audit will help determine what the company needs to do to either get into compliance or stay in compliance with new regulations.
Create New Processes and Procedures to Help Ensure Compliance with New Data Protection Regulations
After a company performs an internal audit, it is important to create formal written policies that serve as a point of reference and guide. It would behoove companies to have these written procedures and guides reviewed by legal counsel experienced in consumer privacy and data regulation laws. Similarly, any new contracts entered into between the company and third parties handling consumer data should be reviewed by legal counsel, especially as all parties struggle to comply with the new data protection laws.
Legal counsel can also assist companies in determining whether anything falls under certain available exemptions, such as service provider exceptions. They can also assist in creating protocols to deal with deletion or opt-out requests. Any online privacy notices and consumer consents that are to be posted on company websites would benefit from a review and revision, if necessary, by counsel experienced in dealing with consumer data regulations and compliance.
Get All Employees to Understand the Company’s Consumer Data
Regardless of whether the company is big or small, companies should focus on making sure all teams in the company, from human resources and legal to compliance and sales, understand the company’s policies on the protection of consumer data. Companies should also work to ensure that everyone handling private consumer data understands the important definitions of personal, sensitive, private, and consumer data, which may be defined differently under different jurisdictions and different data protection regulations.
Implement Ongoing Training and Learning Sessions
Lastly, training and education of staff is critical. Companies should hold regular training sessions to help ensure all staff are educated on the proper procedures the company has in force. Additionally, there should be a point person assigned to work with legal counsel to stay informed of relevant changes in laws or regulations that may affect the company. Staying informed will allow the company to make necessary changes to its data protection policies and work to stay in compliance as new regulations take effect.
Seeking Compliance With New Data Protection Regulations
As changes in data privacy laws take effect, there are a few simple steps companies can take to work toward getting into compliance and maintaining it:
• Conduct an audit;
• Formalize new policies;
• Educate employees; and
• Implement ongoing training. TBJ
This article, which was originally published on Klemchuk’s Protecting Innovation blog, has been edited and reprinted with permission.
PEGGY KEENE is counsel to Klemchuk LLP and focuses on internet law, particularly e-commerce, consumer digital privacy, e-sports, and video game law. She has also counseled clients in trademark portfolio management and served as in-house counsel in the telecommunications industry.