Clifford Chance
Data security and data misuse are no longer abstract risks. The major 2018 Facebook-Cambridge Analytica scandal is an example of how regulatory trends have developed to put the spotlight firmly on data privacy. What is more, individuals now care more than ever about how companies use and harvest their data – this means ever-increasing levels of scrutiny and reputational risk.
With the introduction of new and more stringent data privacy laws, in particular the EU General Data Protection Regulation (GDPR), the reputational and regulatory costs of non-compliance have made it more important than ever for businesses to be fully informed and fully compliant.
The significant changes that the new data privacy regime introduces and the ever-increasing appetite of privacy regulators is sufficient enough to transform the global data privacy environment. We will help you to meet the requirements of the law, as well as the ethical considerations that stretch beyond it.
Be clear on data risk
5 questions to ask yourself
1
What is our global approach to data use?
GDPR significantly extends the scope of the EU data protection regime – and is applicable to non-EU entities who may have had no expectation that they would be subject to EU law. Does your personal data processing (anywhere in the world) relate to your activities in the EU? Should you apply data privacy standards based on GDPR worldwide? How to address the restrictions and obligations will depend on your current operational footprint and future strategy. Regulatory compliance is not a short-term or isolated workstream; it requires proactive and extensive planning.
2
How do we give effect to the rights of individuals?
GDPR substantially expands the rights that individuals have in respect of organisations that control and process personal data. Not only are consumers more data-savvy and aware of their data protection rights, but businesses need to be accountable and transparent or will risk severe financial penalties for non-compliance, as well as the reputational risks caused by lack of trust. How do your systems, processes and policies support individuals' rights (including the right to be forgotten and for data to be deleted and "ported" on request)? If you are unable to use data in a transparent way you must be prepared to pay the price.
3
Have we done our "data mapping"?
GDPR runs contrary to many business models that assume that data can flow freely and without restriction in its sharing and use. Adjusting to the new privacy regime involves a radical change in the approach of most businesses to the personal data they hold. Comprehensive "data mapping" is of vital importance for assessing your GDPR risk exposure.
Data mapping enables you to understand your in-scope data processing activities (including international transfer) and to conduct diligence on your key applications systems, supporting assets, customer relationships and third-party suppliers. When ensuring accountable data use, parts of GDPR are directly applicable to third-party outsourcing, supply chain diligence and identifying individual and personal data.
4
Is data privacy and protection "business as usual"?
GDPR requires you to build privacy into your processing activities. Beyond GDPR, minimising the personal data required to carry out your operational activities will contribute to building privacy-compliant architecture.
5
Is "data" a key part of our M&A due diligence?
Data is a valuable business asset but also a huge risk to your business. Does the target process high volumes of personal data – including "sensitive" personal data? Does the target have a large European workforce? Is the data of the target valuable? What rights does the target have in respect of that data? There are many important questions to ask.
