While the 25 May deadline is a useful benchmark, GDPR compliance needs to be a constant process.
When the EU Parliament and Council agreed the terms of GDPR in December 2015 (the regulation was formally adopted in April 2016), it gave organisations a two-year grace period to become compliant with its extensive requirements.
With a little more than two months until the enforcement date rolls around, many entities are looking at the compliance deadline as just that: a deadline. But that is really only the beginning for GDPR.
A principles-based piece of legislation, it will take time to discover how the many rules within the regulation are actually applied to those found non-compliant.
Hefty fines
According to Anna Myers of the International Association of Privacy Professionals (IAPP), the robust enforcement mechanism of GDPR means that those it applies to should be taking it very seriously.
By now, everyone knows the figures in terms of fines, which can amount to €20m or 4pc of annual turnover, whichever is higher – a steep sum for any entity found to be in conflict with the regulation.
Supervisory authorities are to assess fines against a set of mitigating and aggravating factors – an intentional violation is worse than a negligent one, for example. Fines may be reduced if controllers or processors can limit the gravity, duration and damaging nature of the violation, by reporting it as soon as possible and cooperating with the supervisory authority. If an individual (rather than an undertaking) is hit with a fine, their income level and personal economic circumstances will influence the amount.
There are two tiers of maximum fines, depending on which provisions of the regulation have been infringed. The higher tier – covering, for example, the basic processing principles, conditions for consent, data subjects’ rights and international transfers – is €20m or 4pc of annual global turnover, whichever is higher. The lower tier – covering obligations such as record-keeping, security measures, data protection impact assessments and breach notification – sits at €10m or 2pc of annual global turnover, whichever is higher. Previous violations do not change the tier; they are one of the aggravating factors that push a fine towards the top of whichever tier applies.
Siliconrepublic.com spoke to a number of legal and privacy experts to get their view on what will be an eventful few months after 25 May has been and gone.
Will the grace period continue?
Laura Jehl is a partner with BakerHostetler in Washington DC, and co-leader of the firm’s GDPR and blockchain technologies and digital currency initiatives.
She said attention must be paid to France’s data protection authority, the CNIL, which issued guidance that “indicates that it may hold off on significant enforcement actions for a few months’ ‘grace period’, provided that organisations are making good-faith efforts to come into compliance and that they cooperate with the CNIL”. She noted that other EU member states would be likely to follow its lead.
Avoid the ‘wait and see’ approach
In an Irish context, John Magee, partner at William Fry, said the Office of the Data Protection Commissioner (ODPC) would likely “continue to adopt a ‘firm but fair’ approach to its enforcement role”. He added: “Businesses that are taking their GDPR preparations seriously and making genuine efforts to comply with the rules have less to fear than those opting to do little or taking a ‘wait and see’ approach.”
He advised businesses “to pay particular attention to activities that involve higher risk to individuals, such as handling of large volumes of particularly sensitive information such as health or financial data”, but also noted that the ODPC in Ireland could end up taking a sector-specific approach, “focusing on those industries that have to date been less compliant with data protection rules”.
Big tech firms in the crosshairs
Jehl noted that once the grace period comes to an end, we will see significant enforcement actions, most likely targeting companies with big-data business models and/or those who suffer breaches of EU sensitive personal data. “I also expect that some of those initial targets will be American tech companies who are sufficiently ‘established’ in the EU to make enforcement actions practical,” she stated.
In terms of fears that many companies have about possibly being held up as an example of what not to do, Jehl said that if the EU authorities identify “significant GDPR violations by a prominent US-based tech or social media company, I don’t think they will hesitate to take decisive action”.
Jehl explained that the business models and practices of those companies were “a primary force behind the adoption of GDPR”. Most of these companies are well aware they are likely to be the first targets, but they are meeting it head-on, as they have “invested heavily in GDPR compliance in an effort to avoid a high-profile enforcement action”.
Compliance needs to be constantly maintained
Magee said that while a lot of the focus is on the potential fines, there are other things people need to look out for. “Businesses should also be aware of the ability for individuals or groups to take direct compensation claims for non-material damage like distress or reputational loss.
“With GDPR introducing mandatory reporting of data security breaches, which are perhaps more common than many realise, these types of claims may materialise sooner rather than later,” he warned.
Jehl echoed this need for organisations to stay on their toes in terms of compliance: “Even those organisations that believe they have achieved full compliance should continue to monitor any guidance or enforcement actions emerging from the DPAs.
“This is a brand new regulation which has not yet been enforced, so there will be a lot for companies to learn from the early statements and actions of EU regulators.”
Practice makes perfect
Travis Jarae, CEO of One World Identity – an independent strategy and research company focused on identity and privacy – said practice is vital at this late stage in the process.
“Once you have identified the right group of people, the firm needs to practise the breach response. Walking through tabletop exercises that cover various breach scenarios will ensure that your firm’s leadership will be able to react in a helpful, focused manner in a real-time breach response,” Jarae said.
Not all negative
Hidden among all the talk of fines and punishment, there are a plethora of positives that come with GDPR, including increased literacy around personal data in areas outside the EU.
Jehl noted that US citizens may lobby for change once it comes into force. “It will be interesting to see how Americans, who in recent years have been significantly less concerned about data privacy, will react as they learn about the additional rights and protections that EU data subjects will have when the GDPR takes effect.”
GDPR could be the catalyst to change the culture and the conversation around control over personal data in the US.
Jarae said: “While growing data literacy is a great trend, much work remains to be done towards securing sensitive consumer data.” He noted that adoption of two-factor authentication is still not high enough and pointed to the majority of consumers admitting to reusing passwords between accounts.
Magee was enthusiastic about the streamlining of rules across the EU and the introduction of “a ‘one-stop shop’ regulatory mechanism for businesses that have their data headquarters in an EU country”. He added: “With Brexit on the horizon, it may transpire that March 2019 is just as significant a date for GDPR as May 2018.”
Jarae posited that GDPR could be a major boost for business. “Attributes like when a piece of data was collected and from whom are now just as important as the collected data itself. These data practices can yield benefits beyond GDPR compliance, with advanced analytics techniques unlocking new insights from existing data.”
While there certainly is a great deal of scaremongering and confusion in the data protection space, Jarae summed up the best way to approach compliance: “In an uncertain regulatory landscape, the best defence is common sense. Develop an action response plan for data breaches, and stick to it.”