GDPR: The Final Countdown
The mere thought of the European Union’s incoming flagship data protection law is enough to make compliance and HR professionals break out in a cold sweat.
The General Data Protection Regulation becomes effective on 25 May, and while the intention is to protect EU citizens from privacy and data breaches, it also has an impact on US and Asian companies who hold or process any data of an individual in the EU when providing goods or services to them or monitoring them.
Eye-watering fines of up to €20 million or four percent of global annual turnover await firms that breach the new laws around consent, disclosure, capture, storage and other handling processes for personal data, catapulting data controls to the forefront of critical planning.
Radar talks to William Long, privacy & cybersecurity partner at international law firm, Sidley Austin, to get the lowdown on the GDPR juggernaut.
What is GDPR all about in a nutshell?
GDPR is the new European Union data privacy law that has been designed for the 21st century. Data protection isn’t new; we have had it since the 1980 laws were in place, but regulators have seen in the last 10 years that the world has changed dramatically in terms of the data that gets collected and used. It can be transferred around the world with the touch of a button, and we can do a lot more with it thanks to the likes of cloud computing, social media and the Internet of Things. GDPR is a response to that change.
It’s also a regulation, not a directive. It requires European Union states to adopt the provisions in the GDPR and therefore have a harmonized position, although there are some areas where states can apply national positions. The GDPR will also continue to apply to the UK after Brexit.
What is the end game and what is the outcome that the directive hopes for? Will it achieve it?
The main outcome is to ensure a flexible regulatory regime that sustains the digital world we now increasingly inhabit. You can look around and see the huge interest in GDPR: whether you are a multinational company or a local charity or sports club, everyone is talking about it. To that end it has met its goal; everyone is very focussed on these kinds of issues that previously they may have ignored.
It has changed attitudes, but it will be interesting to see if over time this continues, or whether this is a short sharp shock rather than a long-term change.
If you were just starting to think about GDPR and are wanting to avoid outright panic before the 25 May deadline, how would you prioritise your approach?
First thing I would do is find a good law firm! This isn’t something that can be done in six weeks by flicking through a few articles on the GDPR. There is no time left. How do you get it done by 25 May? The question you should be asking yourself is why have you left it so late?
If this is the case, you’ll need to urgently work out what personal data you have, and understand how the numerous requirements of the GDPR apply to that personal data; that is critical.
A key area to look at is information security. A breach here is one of the biggest risks, as this is where GDPR will test you the most. You will also need to look at what you do with your own employee data, and this is something HR may need training on. On the customer and investor side, you will have to look at what you say to customers/investors, such as in notices, policies and T&Cs. You will need to explain how you are using their personal data and work out if you are transferring the data outside of the EU.
Amending contracts with vendors to include provisions required by the GDPR and dealing with international data transfers are two of the biggest headaches.
What sort of relationship will the Information Commissioner’s Office (ICO) and the Financial Conduct Authority strike up or will they operate very independently for GDPR compliance?
This relationship has been in place for a long time already, so there should not be much change in my view, with continued cooperation, of course. In terms of the relevant authority for the GDPR that is the ICO in the UK, and they will enforce and provide guidance on the new UK Data Protection Act that will implement GDPR into UK domestic law. From the FCA’s perspective, the focus is more around ensuring appropriate use of customer data, rather than personal data, thus ensuring customer data is being used in ways that are fair to the customer and consistent with the FCA’s conduct of business rules.
However, there can be overlaps; so if a security breach impacts customer data and personal data, potentially you could end up having to report a breach to both regulators.
If you had to crystal ball gaze and predict the enforcement landscape over the next 18 months post-May, what do you see?
We’ll have to wait and see as there may be different approaches across the EU. The ICO has said they will enforce GDPR but will try to do so in a pragmatic way, focussing first on areas where there is high-impact to individuals, or where breaches of the GDPR are deliberate or repeated.
How do firms need to adapt to the new environment in terms of their attitude to data from a governance, capture and retention perspective?
GDPR has changed attitudes towards data; it is forcing companies to think about it and how important it is to their business as an asset that needs to be protected. If one isn’t trusted with customer data, that is a quick way to lose value and business. The GDPR will require additional resource by businesses to be given to dealing with data protection requirements, and internal management structures such as setting up a Data Privacy Committee and appointing a data protection officer.
What are the bear-traps and pitfalls that have perhaps not had the necessary focus so far?
How you balance competing regulatory requirements is one, particularly in a global environment where a bank may be dealing with requests from foreign regulators. With GDPR the potential fines and liabilities mean hard questions, such as how to comply with sometimes competing regulatory requirements to provide access to documents and privacy issues to limit access, have to be thought about carefully. For example, if you are dealing with an investigation and need to give access to large amounts of data that must be transferred internationally, that will take careful planning and thought.
Firms also have to think about the legal ground in the GDPR under which personal data is processed. Before the GDPR, financial services in particular tended to rely on consent to collect customer information. With GDPR obtaining valid consent is harder. For financial services I think there will be a move away from consent towards alternate legal grounds, such as the ‘legitimate interest’ ground, but that does require a balancing exercise to be carried out which balances the rights of the business against the privacy rights of the individual.
To what extent would you see the spirit of GDPR having an influence, if at all, outside the EU in terms of adoption, equivalence or outright rejection?
We operate in a global world; businesses want common processes, policies and standards. Having different standards across global businesses can be problematic and inefficient. As the GDPR sets a high watermark in terms of data protection, many international companies may over time look to the GDPR to provide that common privacy standard. In addition, other countries may look to adopt something like it, for example, in India. In addition, the GDPR is designed to have a broad territorial application; so, as mentioned, it applies to non-European businesses that collect personal data on individuals in the EU when such data relates to providing services to those individuals or monitoring them. So the GDPR could have significant influence outside of the EU which is exactly what those drafting the GDPR intended it to do.
What key benefits and actions should result from a Data Protection Impact Assessment (DPIA)?
The need to use a DPIA can vary, but there are specific requirements within GDPR telling you when you should use it, for example when using new technologies that result in a high risk to individuals. Using a DPIA is a process which essentially runs through a checklist to ensure you are covering off privacy concerns and issues. By using a DPIA, thought can be given to these issues at the beginning of a project so that privacy is being accounted for at the outset, rather than in the past, as an afterthought at the end of a project.
It is designed to navigate the different data privacy requirements and help businesses apply them in a practical way, so I think it is helpful for businesses to do when appropriate.
So, in summary, the GDPR is very relevant to all businesses that interact with the EU and will continue to be relevant after 25 May for many years ahead. It heralds a new privacy regime controlling how data is used in the 21st century.