GDPR – What Does it Mean for the Corporate Counsel and Legal Department?

August 29, 2017 3:02 pm Paul Mullin

With the world becoming an every increasingly connected planet, the sheer scale of personal data now being shared throughout the globe has forced the EU to revisit its data protection legislation to ensure that peoples fundamental rights, in relation to data, are robustly protected.

Organisations are dealing with highly sensitive personal information all the time, and this is why it’s extremely important for those responsible for the legal oversight to really grasp the new regulation and how it will work in practice.

The Impact of GDPR for the Legal Department

With GDPR it is critical to recognise that compliance is a shared responsibility and that it is simply not enough to restrict accountability to one individual or department. Every organisation that handles personally identifiable information needs to establish processes that provide increased collaboration across business functions.

The GDPR is one of the most significant legal frameworks to be implemented in the last number of years. Well established rules on legal privilege and confidentiality means that legal departments hold significant amounts of business sensitive data.

This includes employees’ and clients’ personal data, as well as financial data and sensitive information about corporate clients. Best practice states that Corporate Counsel and Heads of Legal Departments should ensure that appropriate security measures are in place.

Requirements for Corporate Counsel

The new regulation brings with it organisational requirements, accountability measures, breach notification requirements and processing system assessments, and most crucially, specific limitations around the transfer of personal data to third party countries not deemed to provide robust enough data protection requirements.

From a legal stand point, there is tighter regulation on what constitutes ‘consent’ and with GDPR, consent must be explicit. This is a key component of GDPR which has enhanced individuals’ rights in regards to profiling, data portability, data processing, and subject access.

To ensure Corporate Counsel is compliant with GDPR, they should:

1. Review existing data protection policies to ensure they comply with the new regulations
2. Build a GDPR impact report to see how it will affect existing policies and processes
3. Demonstrate the management of personal data in a manner compliant with regulations
4. If required, appoint a Data Protection Officer (DPO). This is necessary if your business or legal department is offering goods and services to, or collecting the data of EU subjects
5. Review consent and fair processing notices to align with GDPR
6. Identify a lawful basis before you can process personal data
7. Ensure all employees that deal with the processing of personal data are aware of the new regulation and changes your legal office will need to implement as a result.

Some legal departments have been slow to accept that good data security starts with the lawyers and administration personnel that use and manage the company’s data on a daily basis. Don’t be fooled into thinking that this is an IT problem. Data protection is firmly a legal concept and the clue is contained in the word “protection.”

The Positives

Tracking personally identifiable information and keeping data subjects aware of any ongoing discovery requirements is also required for legal counsel to achieve GDPR compliance within an e-discovery context. 

Only by having well defined GDPR procedures and policies in place, for personal data processing, will Corporate Counsel be able to react to fast paced litigation, or pressure from international regulators.

This development of new organisational competencies revolve around the ability to be more agile, people orientated, innovative and customer centric. GDPR is a core regulation that underpins this digital transformation. It’s important that GDPR and privacy management should be built into key organisational transformation projects.

The bottom line is that Corporate Counsel and Legal teams will have to maintain a close brief on existing and new digital projects within the organisation. It looks like GDPR will make life a little more complicated for the next 18 months.