Skip to main content
IMA Executive News & Views Blog

Connecting Information Governance and GDPR Compliance Will Bolster Both Endeavors

by Bennet B. Borden, Jay Brudz, Jason R. Baron, and Amy Ramsey Marcos

Drinker Biddle & Reath LLP is an IMA B2B Partner…

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect. Many of the steps your organization should take to come into compliance with GDPR requirements are also fundamental to effecting a more mature information governance (IG) program. In this client alert, we highlight the critical actions that need to be taken now to comply with the May 25 deadline, and how each action fits into a robust IG program aimed at strategically managing data in your organization’s possession and control.

What is the GDPR?

On April 14, 2016, the European Parliament enacted the General Data Protection Regulation (GDPR), which replaces the 1995 EU Data Protection Directive. The GDPR will become effective on May 25, 2018, and imposes significant penalties for noncompliance. Violations can result in fines of up to 4 percent of an entity’s global revenues.

The GDPR applies to entities that collect or process personal data of EU residents, and imposes restrictions and obligations on companies’ interactions with individuals whose data they collect (“data subjects”). Data subjects include individual consumers as well as individuals in their business capacity. The GDPR will have significant bearing for all companies doing business in the EU, or offering products or services to individuals or companies in the EU.

The GDPR requires that all collection and processing of personal data must be pursuant to an applicable legal basis, such as necessary for the performance of a contract, or to comply with a legal obligation, or pursuant to the clear and affirmative consent of the data subject. Before any collection of personal data from data subjects, whether they are individual consumers or individuals in their business capacity, the data subject must receive a detailed notice about the collection and use of their data. There are stricter requirements that apply to the processing of sensitive categories of personal data, including, for example, race, ethnic origin, and genetic or health data. Personal data may only be used for specific purposes and may not be further processed in a manner that is incompatible with those purposes for which it is collected.

Processing includes any activities performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The GDPR distinguishes between controllers of data – those entities that determine the purposes and means of processing personal data – and processors of data – those entities that process personal data on behalf of a controller. Each role carries different responsibilities with respect to the data subjects whose personal data is processed.

Under the GDPR, data subjects have specific rights pertaining to data about them, including the right to receive a data privacy notice when data is collected; the right to request and obtain copies of such data; the right to obtain correction of inaccurate data; in certain cases, the right to object to the processing of data; the right to request erasure of data; and the right to request that data be sent to a third party.

The GDPR imposes accountability obligations on those who collect and process personal data, restricts the transfer of personal data, and requires that data breaches be reported within 72 hours. Companies must also maintain internal records of processing activities, including information concerning processing purposes, data sharing, and retention periods. The documentation of all processing activities is linked to the GDPR principle of accountability and will help entities demonstrate compliance with the GDPR.

How can GDPR preparations advance information governance?

Information governance and the GDPR are mutually reinforcing. At the heart of both is the need to understand what information an organization has, how it is used, how it needs to be managed, how it needs to be protected, and its importance to the organization’s operations. For those organizations looking for a catalyst to advance information governance, the GDPR is the perfect stimulus. For those organizations with mature information governance programs, preparing for the GDPR will be more streamlined.

The GDPR requires coordination amongst a myriad of stakeholders within the organization to make sure that information is being collected, used, protected and discarded appropriately. Stakeholders from privacy, security, records management and business lines should all be involved in GDPR compliance efforts. Incidentally, this kind of coordinated approach to information governance mirrors how we counsel people to manage their data regardless of regulation. Organizations should collectively develop strategies for managing company information to ensure that the solutions employed work for all facets of the organization.


To view the full article, click here.