new requirements into your action plan
for European operations.
1 Please see https://ec.europa.
2 Please see www.politico.eu/wp-content/
3 Please note that the General Data
Protection Regulation is a set of
overarching laws for data protection,
whereas the ePrivacy Regulation only
addresses electronic communication
and would thus align within the
parameters of the GDPR.
4 Please see https://ec.europa.eu/
digital-single-market/en/proposal-eprivacy-regulation for initial guidance.
More guidance will be forthcoming
from the data protection authorities.
Law firms have already started issuing
5 Please see http://ec.europa.eu/newsroom/
6 Communication from the Commission to
the European Parliament, the Council,
the European Economic and Social
Committee, and the Committee of the
Regions, A Digital Single Market Strategy
for Europe, COM(2015) 192 final.
7 Recital 11 of Regulation.
8 European Commission. Digital single
market. Digital economy and society.
Stronger privacy rules for electronic
communications. Fact sheet.
Found online at https://ec.europa.
stronger-privacy-rules-electronic-communications . January 10, 2017.
9 See Recital 21 of Regulation.
What can a company do to prepare for EU data
The ePrivacy Regulation is simply the latest in a series of steps that the
European Union has taken to increase data protection for its citizens.
Given the extraterritoriality of the GDPR and the other regulations
either proposed or in scope, there are tens of thousands of companies
impacted. What should these companies be doing to prepare?
First, pay attention. Does the GDPR or any other data protection
regulation apply to your company? Many companies (in and out
of Europe) are blithely unaware of the coming regulations.
Then, once you have determined (most likely) that you are subject to the
regulations (and this does not mean just the GDPR), take deliberate steps to
bring your privacy program and business processes into compliance. Unless
you have a mature and well-defined privacy program, it will likely take you
months, if not years, to come into compliance. Here are some common
actions that will help you comply with EU data protection regulations:
■ Perform a data inventory and mapping — know what data
you have and where it is (this includes cookies);
■ Get rid of personal data that you do not need;
■ Appoint a privacy officer — one that knows privacy laws;
■ Give that privacy officer the authority and independence to take action;
■ Assess/change business processes around personal data collection,
use, and sharing (this means data on employees, general consumers,
vendors, customers, and likely your customers’ customers);
■ Review and amend your privacy policies;
■ Protect personal data in motion and at rest; and,
■ Implement and strengthen your vendor oversight program.
These will get you started on compliance with the ePrivacy Regulation, the
GDPR, and other European data protection initiatives. Many companies need
expert help with these processes, so ensure that your executives understand the
importance of dedicating both funds and resources to these efforts. Most likely,
it will cost less to properly fund a program than it will to pay the potential fines.