GDPR is Top Priority in US Over half of US multinationals say GDPR is their top data- protection priority according to PWC. Of the 200 respondents, 54 % reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority.

1. Do You Have a Roadmap for EU GDPR Compliance?
By Ulf Mattssonat AtlanticBT, KhizarA.SheikhatMandelbaumSalsburg, andIanWest,Specialistin
GDPR.
GDPR is Top Priority in US
Overhalf of US multinationalssayGDPRistheirtop data- protectionpriority accordingtoPWC.Of the
200 respondents, 54% reportedthatGDPR readinessisthe highestpriorityontheirdata-privacyand
securityagenda.Another38%saidGDPR is one of several toppriorities,while only7% saiditisn’ta top
priority.
General Background
The EU General Data ProtectionRegulation(GDPR) wasadoptedonApril 8,2016 and will take effecton
May 25, 2018. The GDPR will replace the currentthe currentData ProtectionDirective 95/46/ECand will
be directlyapplicableinall MemberStateswithoutthe needforimplementingnational legislation.The
Article 29 WorkingParty (WP29) firstguidelinesondataprotectionofficers,one-stop- shop,andthe
newrightto data portabilitywere adoptedonApril 5,2017, andmore guidelinesare expected.
Part of the GDPR Rulesis Already a Reality
Some examples:Partof the proposed GDPR data protectionrulesare already implementedby
organzationsacross EU, includingGermanyandItalyforpersonal financial data.Germanoutsourcing
companiesare will be used.enforcingstrictrulesfordataprotection.DataprotectionrulesinSweden
are now basedon howthe data is used.
GDPR Expanded Territorial Reach
The GDPR Ruleswill have the followingimpactaccordingtoKhizarA. Sheikh,Chair,Privacy,
Cybersecurity,andDataLaw,MandelbaumSalsburg,UnitedStates,ksheikh@lawfirm.ms:
The GDPR regulatesdatacontrollersandprocessorsoutside the EUwhose processingactivitiesrelate to
the offeringof goodsor services(evenif forfree) to,ormonitoringthe behaviorof,datasubjectsinthe
EU. “Offeringgoodsorservices”ismore thanmere accessto a website oremail address,butcouldbe
triggeredbyuse of language or currencygenerallyusedinone ormore MemberStateswiththe
possibilityof orderinggoods/servicesthere and/ormentioningcustomersoruserswhoare in EU.
“Monitoringof behavior”will occur,e.g.,where individualsare trackedonthe internetbytechniques
whichapplya profile toenable decisionstobe made/predictpersonal preferences,etc. Thismeansthat
a companyoutside the EU whichis targetingconsumersinthe EU will be subjecttothe GDPR.
Role of Data Processors
Data processorshave directobligationsforthe firsttime.Theseinclude anobligationto: maintaina
writtenrecordof processingactivitiescarriedout onbehalf of eachcontroller; designate adata

2. protectionofficerwhererequired; appointarepresentative(whennotestablishedinthe EU) in certain
circumstances;and notifythe controlleronbecomingaware of apersonal databreach withoutundue
delay. Provisionsoncrossbordertransfersalsoapplytoprocessors,andBindingCorporate Rulesfor
processorsare formallyrecognized. New statusof dataprocessorswill impacthow dataprotection
mattersare addressedinsupplyandothercommercial agreements.
Notice / Consent
Data controllersmustcontinue toprovide transparentinformationtodatasubjectsatthe time personal
data isobtained. Existingformsof fairprocessingnoticesandconsentswill have tobe re-examinedas
GDPR requirementsare more detailed. Consentmustbe freelygiven,specific,informed,and
unambiguous,andmustbe as easyto withdraw asto give. Consentisnot freelygivenif the datasubject
has no genuine andfree choice orisunable towithdraw orrefuse consentwithoutdetriment. Consent
mustbe “explicit”forsensitive data. The datacontrollerisrequiredtobe able todemonstrate that
consentwasgiven.
Notice / Consent Issues
Contracts
Requestsforconsentshouldbe separate fromotherterms,andbe inclearand plainlanguage.Does
consentprovidesavalidlegal groundforprocessingwherethere isasignificantimbalance betweenthe
data subjectanddata controller? Whetherconsenthasbeenfreelygivendependson,e.g.,whetherthe
performance of a contract ismade conditional onthe consenttoprocessingdatathat isnot necessaryto
performthatcontract (mayaffecte-commerce services,amongothers).
Employment
MemberStatesmay provide more specificrulesforuse of consentinemploymentcontext.
Marketing
Where personal dataisprocessedfordirectmarketingthe datasubject will have arightto object. This
rightmust be explicitlybroughttotheirattention.
Children/ Parents
MemberStatescan lowerthe age from whomdata can be collectedfrom16 to 13 (lackof
harmonization).
Data Transformation
Whenis data nolongerthe data subjects’personal information?
Penalties
The GDPR establishesatieredapproach topenalties.Enablesthe DPAstoimpose finesforsome
breachesof the greaterof 4% of annual worldwide revenuesor20 millioneuros(e.g.,breachof
requirementsrelatingtointernational transfersorthe basicprinciplesforprocessing,suchasconditions
for consent). Otherspecifiedbreacheswouldbe subjecttoa fine of the greaterof 2% of annual

3. worldwide revenuesor10 millioneuros. A listof considerationswhenimposingfines(suchasthe
nature,gravityanddurationof the breach) isavailable.
Which Authority?
The mechanismiscomplicatedasitdistinguishesbetweencross-borderanddomesticprocessing. There
are complex cooperationandcoordinationproceduresforDPAs.Tohave theircasesdealtwithlocally,
the GDPR containsa detailedregime withaLeadAuthorityandConcernedSupervisoryAuthorities
workingtogether.The WP29** has providedguidance onhow toidentify aLeadSupervisoryAuthority.
It remainstobe seenhowitwill workinpractice andwhetheritcan workwithoutforumshopping.
GDPR = ENTERPRISEwide Trust
The GDPR Ruleswill have the followingimpactaccordingtoThe GDPR Institute*and IanWest,Specialist
inGDPR, Data Governance,DataPrivacy& Security,UnitedKingdom,ianwest348@gmail.com:
Impact
Do youcontrol or processpersonal dataaboutANY EU Citizens?If soyouhave to be GDPR compliantby
25th May 2018 or manage the implicationsof the finesandthe reputationaldamage of anyandevery
Data Breach – includingCustomersEmployeesSuppliers
Opportunity or Challenge?
Fines,Lossof Customers, Reputational Damage,andCOSTof Compliance are keyaspectsof GDPR. GDPR
involves EnterprisewideChange Management,PostRoom,andBoardRoom. It involves People,Process,
Technology,andInformation.
Key Questions
What Personal Datado youhold – Customer,Employee,Supplier,Contractor,Sub-Contractor,Citizen,
Patientetc. Where isthat Data Located?PC hard drive,Remote Storage orBackupDevice,OnPremise
Database or ContentServer,orinThe Cloud. How are youusingthat Data? Do youhave Explicitor
ImpliedPermissiontouse the datain the wayyou are usingit?
Immediate ActionPlan
SeekLegal Advice.ConductaPrivacyImpactAssessment.Complete aReadinessAssessmenttoaddress
the keyquestions.Secure Executive Sponsorshipanda meaningful budget.DevelopaConsent
ManagementStrategy. BuildaData SubjectAccessRequestprocessbeforeyougetswamped. Ensure
youhave all your Breach Detectiontechnologyinplace –Database,ContentRepositories,Network
Traffic,Dark Web8. Prepare forthe worst,and breathe a sigh of relief if itdoesn’thappen. The GDPR
Institute HelpingyouresolveYOURGDPR Challenge &Maximise the GDPROpportunity.
US businesses are re-evaluating their presenceinEurope

4. The PWC GDPR Survey foundthatUS corporationsthatare heavilyinvestedinEurope will probablystay
the course in the nearterm. Indeed,64% of executivesreportedthattheirtopstrategyforreducing
GDPR exposure iscentralizationof datacentersinEurope.Justoverhalf (54%) saidtheyplanto de-
identifyEuropeanpersonal datatoreduce exposure.The threatsof highfinesandimpactful injunctions,
however,clearlyhave manyothersreconsideringthe importance of the Europeanmarket.Infact,32%
of respondentsplantoreduce theirpresence inEurope,while26% intendtoexitthe EU market
altogether.
Companies are Spending millions to address GDPR
77% planto spend$1 millionormore on GDPR accordingto PWC.Securinga $1 millionbudgetfordata
privacyhas beenmore anexceptionthanarule for manyAmericancorporations.The GDPR’spotential
4% fine of global revenues,however,haschangedbudgetappetitesformitigatingthisGDPRrisk.While
24% of respondentsplantospendunder$1 millionforGDPRpreparations,68% saidtheywill invest
between$1millionand$10 million.Ninepercent(9%) expecttospendover$10 milliontoaddress
GDPR obligations.
More Learning
Webcastabout GDPR
Viewthis webinartolearnmore aboutthistopic at
https://www.brighttalk.com/webcast/14723/259741
More reading
*: AboutThe GDPR Institute,www.gdpr.institute . The GDPR Institute isaMembersOwnedNot-for-
ProfitOrganisation. The Institutes’Purpose Createacommunityof Data Privacy,DataSecurityand Data
Governance expertstoassistLarge,MediumandSmall Organisationsaddressthe challenge and
maximise the opportunitycreatedbythe General DataProtectionRegulationGDPRChallengeOrGDPR
Opportunity.
**: WP29: https://iapp.org/news/a/wp29-releases-extensive-employee-privacy-guidance/
AboutAtlanticBT: We deliverabalancedapproachto security,
https://www.atlanticbt.com/services/cybersecurity/