McGuireWoods London associate Alice O’Donovan (Business & Securities Litigation) was quoted extensively in a recent Compliance Week article on EU General Data Protection Regulation preparedness. As organizations wrestle with the new responsibilities and weigh the associated risks of GDPR — which takes effect May 25 — O’Donovan encourages documentation of “all the personal data you hold, where it came from, why you process it, and who you share it with. This is probably the most important step toward GDPR compliance.”
According to O’Donovan, GDPR compliance gap analysis has two stages. “First, assess where the greatest areas of risk lie for your organisation. For example, do you transfer personal data outside of the European Economic Area (EEA)? Do you process ‘special categories’ of personal data, or personal data relating to children? Do you engage in surveillance activities? Second, assess where you do — and don’t — comply with the GDPR, and cross-reference it with your list of risks. If you aren’t compliant in any area that poses a particularly high risk, work toward mitigating that risk as a matter of priority.”
She added, “Training on data protection and security, the requirements of the regulation, and the rights of data subjects should be offered to all employees. Humans are your greatest asset — but they’re also your greatest potential weakness.”
The new regulation has been introduced to harmonize data privacy laws in the European Union. The GDPR has extraterritorial effect, which means that it can apply to organizations in the U.S., and it imposes tough sanctions for non-compliance.
The article, titled “What to Do to Make Sure You’re Ready for GDPR,” is available online to subscribers.