In this podcast, Cordery Partner Jonathan Armstrong and Compliance Evangelist Tom Fox use the framework of GDPR to discuss a wide range of issues relating to these topics. They consider what the US compliance and InfoSec security expert needs to know about what is happening in the UK, Europe and beyond.
In this episode, they continue their three-part series of some of the key lessons learned from the first year of GDPR. Some of the issues and highlights are:
DPIA Everything.
It’s mandatory under GDPR. It is a process analysis, so you will need Subject Matter Expertise. How often do you revisit your DPIA? Regulators are beginning to look at the process behind your DPIA. When new processes come into play, you should do a new DPIA. Do you require a DPIA when you hire a third-party vendor or in an M&A situation? If not, you should do so moving forward.
Do SARs and DSRs.
How do you deal with these types of request? More importantly, do you have a centralized team to understand the reason behind the request? Who could make that analysis? Is it a work in progress for your organization? A robust response to SARs is critical, as they are here to stay as a core component of GDPR.
Respect the time.
Time limits are much more generous in the US. Some regulators suggest not to be obsessed with time. Will courts allow ‘reasonable delay’? Corporations are trying to extend the 72 hours with time-zone and other ridiculous arguments, for example a Thanksgiving Weekend exemption. Regulators can fine you for being late. Are US companies getting the message? It’s a mixed bag; some are not.
For more information please contact Jonathan Armstrong or André Bywater, who are London-based lawyers with Cordery whose focus is on compliance issues.
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
Office: +44 (0)207 075 1785