One Company’s Path to GDPR and Privacy Compliance

Angela Gholson Tamhane, Chief Compliance Officer

March 25, 2019

Like the majority of you, Keane’s (or the “Company’s”) path to compliance with the European Union’s General Data Protection Regulations (“GDPR”) began well in advance of the May 25, 2018 effective date. Soon after GDPR’s passage in 2016, Keane began a company-wide review to determine how far the Company had to go to be GDPR compliant. It turns out, not too far, says Keane’s General Counsel Melissa Steinrock. Per Melissa, “Going through HIPAA compliance helped Keane when we started to prepare for GDPR.”[1]Additionally, long standing policies and procedures in information security management, privacy, data breaches and data destruction assisted Keane in becoming GDPR compliant.

Keane’s first step was to understand the law and its requirements. After internal analysis and review of our understanding of the law with outside counsel, Keane updated several policies: data security breach policy and procedures, consents, and the Company’s Privacy Notice.[2] As indicated on our Privacy Notice, in different contexts Keane might be a data controller and a data processer, so the Company has to comply with obligations applicable to both categories.

Concurrently, Keane’s IT team was determining the Company’s ability to purge information as requested, and whether other IT solutions should be considered to ease the administrative burden. Critical to this exercise was knowing where data is stored, who has access to the data, and which systems and applications process and share data. Keane’s data retention requirements and the use of Write Once Read Many (WORM) compliant backups complicates our ability to remove data from archive. Still, Keane’s approach to the individual rights granted under the GDPR is predicated on our commitment to consumers and our clients. In general, any retention of data is pursuant to either a legal obligation or contractual commitment of Keane or its client.

Keane has maintained its Privacy Shield certification from the Department of Commerce since 2011 initially via Safe Harbor, a link to which can be found on the Company’s Privacy Notice webpage. In addition, Keane utilizes an independent non-profit dispute resolution mechanism to refer unresolved privacy complaints – BBB EU Privacy Shield.

As we look forward into 2019 and 2020, Keane continues to monitor privacy-related legislative activity in multiple states and on the Federal level. One example would be the California Consumer Privacy Act (“CCPA”) which must be adopted by the Attorney General on or before July 1, 2020. The CCPA is still undergoing possible amendment, with the most recent hearing dated January 25th. Attendees urged the Attorney General to: consider supporting a universal opt-out icon, similar to the ad choices opt-out, noting possible consumer confusion; consider identifying certification standards; implement reasonable limitations to consumer requests about their data; and clarify key defined terms. The Attorney General noted that the Office is in the early stages of this process and does not anticipate starting a formal review process until Fall 2019.[3] Hopefully the Attorney General will take the attendees concerns into consideration during the rulemaking process.

As mentioned above, even the Federal government is getting involved. On January 16th a bill was introduced in the US Senate entitled the “American Data Dissemination Act” (ADD Act). Based on the principals of the Privacy Act of 1974, the ADD Act requires the FTC to provide Congress detailed recommendations for privacy requirements within 6 months; the goal being FTC proposed regulations 18 months after enactment and an enforcement date of 27 months after enactment. Since the ADD Act would apply to almost all businesses, with the Act’s extremely broad definition of “covered providers,” a vital small business exemption was included.[4] Between this, multiple states’ own proposed legislation, and GDPR’s first fine (Google – $57 million)[5], it’s going to be an interesting couple of years on the privacy front.

[1] Health Insurance Portability and Accountability Act of 1996,

I'm looking for information on...