Reed Smith Client Alerts

GDPR celebrated its first birthday on 25 May 2019. Since its introduction, privacy and data protection issues continue to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. 

Authors: Katalina Bateman, John O'Brien

With this in mind, we ask six key questions you should think about to successfully navigate GDPR year two:

1. Do you need to launch GDPR programme v2?

GDPR was first published in April 2016. For many companies, there was a somewhat leisurely build-up to its effective date of 25 May 2018. This led to numerous mad dashes to what some companies perceived as a 25 May ‘finish line’. Those of us in the privacy and data protection world are all too familiar with organisations that then suffered a little ‘GDPR fatigue’ after 25 May 2018.

Now is an opportune time to review your privacy and data protection regime. We now have more regulatory guidance and case law, and practices may well have bedded in within your organisation over the last year.

This is a great opportunity to take stock, assess the compliance landscape, and review your existing GDPR programme. What is working, what is not working, and how can things be improved?

A successful compliance programme is one that is ongoing and iterative. GDPR compliance is a constant process and not a static goal. This means taking lessons learned, incorporating best practice and ensuring you are properly resourced to continue your compliance efforts.

2. Do you need to complete your records of processing?

Some may have struggled with the data mapping exercise and accurately recording how they process personal data. Particularly for multinational companies, this can indeed be a mammoth task. Trying to track how personal data flows through a large organisation is difficult and time consuming. Businesses may have simply given up trying to complete their GDPR Article 30 records of processing.

However, this is a mistake. Records of processing are the bedrock on which good GDPR compliance is built. To embed a culture of privacy by design, you need to understand what personal data flows through your organisation. Accurate and comprehensive records of processing are the first thing that a regulator will ask for if it conducts an audit. They are invaluable during a personal data breach to understand what personal data is at risk.

If you have not completed (or started) your records of processing, address this today.
