With the EU General Data Protection Regulation (the "GDPR") now over a year old, companies may feel that their data privacy challenges have settled down and that their GDPR work is complete.  While that may be true for some companies, the reality for most is that their GDPR compliance efforts were incomplete at best and potentially nonexistent at worst. 

In fact, at the end of 2018, less than 50% of companies reported they were "fully compliant" with the GDPR's requirements.  Two explanations stand out for this shortcoming.  First, GDPR compliance is an on-going process that requires constant oversight and work. Second, the effort is expensive and it takes time to achieve "full compliance" with the GDPR.  As a result, companies initially – for good reason – took steps seen as most critical to GDPR compliance, such as updating public-facing privacy policies, implementing appropriate consent mechanisms, and adding data protection addenda to new customer and vendor contracts. 

While companies certainly had to start with the low-hanging fruit with their compliance efforts, it's important that companies evaluate their efforts and continue to take steps on their road towards GDPR compliance. With additional GDPR enforcement actions looming and the California Consumer Privacy Act of 2018 (the "CCPA") going into effect in a mere six months, now is a good time for companies to assess their compliance posture. Companies can take advantage of similarities in both laws to close any gaps in their GDPR compliance status, while aligning this work with CCPA compliance efforts. In fact, the CCPA provides an opportunity for businesses to address both regimes simultaneously and achieve additional scale and cost savings.

Important – But Oft Delayed – GDPR Compliance Steps 

Turning to the oft delayed GDPR steps, we've summarized the GDPR areas many companies still need to address, along with insight into how companies can leverage their efforts to help with CCPA compliance.

  • Draft a Comprehensive Article 30 Register

It's not surprising that even some of the most sophisticated companies do not have in place a comprehensive Article 30 register (or "data inventory"). Data inventories are complicated, as they require (i) significant efforts to understand how the company collects and processes personal data, and how those efforts map against GDPR requirements, (ii) input from a multitude of different company stakeholders who also have to perform their day-to-day job functions, and (iii) periodic reassessment to ensure their accuracy.

It's not surprising that even some of the most sophisticated companies do not have in place a comprehensive Article 30 register (or "data inventory"). Data inventories are complicated, as they require (i) significant efforts to understand how the company collects and processes personal data, and how those efforts map against GDPR requirements, (ii) input from a multitude of different company stakeholders who also have to perform their day-to-day job functions, and (iii) periodic reassessment to ensure their accuracy.

It's not surprising that even some of the most sophisticated companies do not have in place a comprehensive Article 30 register (or "data inventory"). Data inventories are complicated, as they require (i) significant efforts to understand how the company collects and processes personal data, and how those efforts map against GDPR requirements, (ii) input from a multitude of different company stakeholders who also have to perform their day-to-day job functions, and (iii) periodic reassessment to ensure their accuracy.

However, an accurate and complete data inventory is one of the crucial aspects of GDPR (and CCPA) compliance. In the event of a personal data breach, a supervisory authority will likely first request the data inventory. Just as important, a company cannot realistically understand its compliance obligations for either the GDPR or the CCPA – including drafting an accurate privacy policy – without a comprehensive understanding of the data it collects, uses and discloses. So, companies seeking to comply with this obligation can simultaneously address CCPA and avoid having to undertake the same exercise twice.

  • Implement Data Protection Addenda that Address Both the GDPR and CCPA for Existing Contracts

Most companies have implemented procedures to ensure that all new customer or vendor contracts include an appropriate data protection addendum.  Yet, many companies have not undertaken the more painstaking process of adding these addenda to existing contracts. 

Both the GDPR and the CCPA require specific contractual provisions relating to the protection of personal data for processors (in the case of GDPR) and service providers ( in the case of CCPA).  This is, of course, important for all new contracts, but it is possibly more important for existing contracts.  For instance, if an existing vendor is processing a large amount of personal data with no data protection addendum in place, this processing is much higher risk than processing of new vendors who only process a limited set of personal data.

Of course, practical difficulties exist with implementing data protection addenda for existing business relationships: Is the business relationship stale? What are the incentives for negotiating favorable terms? Why should a customer or vendor expend resources if it does not anticipate further work? To address these difficulties, companies should prioritize their efforts to re-negotiate and be on the lookout for natural opportunities to add these data protection addenda, such as during the negotiation of a new work order or before automatic contract renewals.

  • Streamline Responses to Data Subject Rights Requests

The establishment of data subject rights – including the rights to access and delete personal data – is the fundamental characteristic of modern privacy laws, such as the GDPR, the CCPA and Brazil's data protection law.  Of course, when GDPR went into effect just over a year ago, many companies reasonably decided to address data subject requests on an ad hoc basis, particularly if they expected to not receive a large number of requests.

However, given the promulgation of new laws like the CCPA, data subject rights have and will become even more widespread. As such companies should seriously consider implementing automated or more streamlined processes for addressing these requests. While this is ultimately a business decision, for many companies the long-term benefits will far outweigh the short-term pain. Significantly, we are beginning to see more automated solutions in the privacy tech space that could help companies speed-up their automation efforts.

  • Conduct Legitimate Interest Assessments

Many companies rely on legitimate interest as a legal basis to process personal data, but most of these companies have not performed (and, just as importantly, documented) the legwork that the GDPR requires in order to support this basis.  Conducting a legitimate interest assessment can often feel like an exercise in redundancy, but it's important that companies formally document their position and evaluation with respect to legitimate interest.

At the very least, companies can turn to the UK Information Commissioner Office's legitimate interest assessment sample document for a basic assessment, but, due the complexity of this assessment on the broad basis of legitimate interest, companies should take care to engage appropriate subject matter experts in order to avoid running afoul of the GDPR. Note that this GDPR requirement does not map directly to the CCPA because unlike the GDPR, businesses are not obligated to establish a legal basis for processing personal information under the CCPA.

What's Next?

Cooley can help companies' GDPR and CCPA compliance efforts, from high level gap assessments to in-depth data mapping.  For instance, Cooley can:

  • Identify gaps in GDPR and CCPA compliance efforts;
  • Provide a data protection addendum that addresses GDPR, CCPA and general information security and privacy requirements;
  • Provide sample data inventories that address GDPR and CCPA, as well as counsel on the completion of the inventories; and
  • Counsel on the often difficult legitimate interest assessment, including with insights from past experiences with EU regulators.

It's clear at this point that regulatory and public appetites for privacy laws in the United States and throughout the world are growing, and the GDPR is setting the standard.  As such, companies will benefit by continuing to take steps towards GDPR compliance – especially if companies have been lax about continuing their compliance efforts since the GDPR went into effect.  Additionally, all of the steps set out above will help companies get ahead on their compliance efforts for other privacy laws, including the looming CCPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.