GDPR Compliance, Enforcement Top Issues as Regulation Takes Effect
With Friday the rollout date for the EU general data protection regulation in Europe, the focus for many businesses now shifts from how to comply to when and how stringently the GDPR will be enforced, said speakers at various webinars and others we spoke with. All agreed enforcement would begin Friday, but there are questions about what the priorities of data protection authorities (DPAs) will be, they said. The Irish Data Protection Commission set out its approach in a Wednesday blog. Privacy experts urged companies to stay calm, but to act to show regulators they're committed to compliance. Civil society groups, however, said the level of scrutiny of U.S. and EU companies by privacy watchdogs and regulators "will be very high," and 28 advocacy groups Thursday pressed U.S. businesses to adopt GDPR rules. Meanwhile, ICANN's struggle to bring its Whois database into alignment with the new regulation continues.
A survey by risk-management firm CompliancePoint, which advises U.S.-based multinationals, found about 76 percent of businesses that were asked whether they feel GDPR-ready said they're not, emailed Senior Vice President-General Manager Greg Sparrow. Of those asked about awareness of the regulation, 26 percent said they're unaware, he said. It's hampering compliance that organizations are unsure how to fully comply, he said. Many smaller entities haven't taken the regulation as seriously as they should because there's a "misconception that the GDPR will really only affect large businesses or that [it is] companies such as Facebook or Google that are more targeted."
The GDPR has no provision for a compliance grace period, wrote DPC Ireland Deputy Commissioner Dale Sunderland: "But let's not dwell on what can't be changed." Regardless of whether an infringement of the GDPR arises Friday, or a year from now, organizations can minimize potential consequences and penalties by showing the ongoing state of health of their GDPR compliance programs and a genuine commitment and best efforts to meet their obligations, he said. Other "influential factors" the DPC will consider in infringement situations are the scale and impact of an infringement, whether the company was negligent or willfully in breach, and its readiness to engage openly and transparently with the DPC and the people whose data it processes, he said.
Ireland will focus on areas of greatest impact and risk to people's data protection rights, Sunderland said. It will target supervisory and enforcement activities at private- and public-sector organizations involved in large-scale data processing that constitutes a high risk, such as those that perform intensive online tracking and profiling, internet platforms, and those that use emerging technologies such as artificial intelligence and the IoT, he said. The regulator also will focus on ensuring that the rights of data subjects are complied with; that the principles of data protection are respected; and that companies are fully open about the information they collect and process, the lawful basis on which the data is processed and the purposes for which it's processed, he wrote.
Companies should "think about what the regulators want," Hogan Lovells (London) data protection attorney Eduardo Ustaran said at a Wednesday webinar. DPAs he has spoken with say they "want commitment," Ustaran said. They expect compliance with the basics, many of which are the same in the EU data protection directive the EU already had, he said. "We need to prepare for the worst" but hope for the best by knowing how to deal with data breaches, regulatory investigations and litigation, Ustaran said. One key message: It's about commitment, not perfect compliance, and about thinking long-term and acting responsibly with people's data. The GDPR should be seen as an opportunity that can help businesses succeed, he said.
The European Consumer Organisation (BEUC) expects DPAs to take a "very tough stance" on compliance, said Senior Legal Officer David Martin at a May 16 Trans Atlantic Consumer Dialogue news briefing. BEUC will keep a close eye on the market and won't hesitate to act if it sees problems affecting consumers, he said. Civil society and privacy authorities are unlikely to just sit back and allow the GDPR not to be taken seriously, said Privacy International (London) Legal Officer Ailidh Callander at the briefing. She predicted authorities and privacy organizations will step up to the plate, but because some DPAs still lack the resources and power to enforce the GDPR, civil society and journalists will also have to play a part in "constant vigilance."
There will be legal challenges, said Martin. Asked what kinds of test cases might be brought, he said there are clearly certain sectors and companies that play such a key role in people's lives that their actions are hard to ignore, such as Facebook and Google. Online advertising might also need a closer look, he said. The focus will be on organizations that are data-intensive, have business models based on data and do things that are antithetical to what the GDPR is about, said Callander.
U.S. companies can be subject to the GDPR if they process personal data from European affiliates or EU customers and if they offer goods or services within the EU or monitor the behavior of people there, said Mayer Brown (Washington) cybersecurity and data privacy attorney Kendall Burman at a Monday webinar for USTelecom. Key compliance tasks for U.S.-based companies will be to update privacy notices and internal privacy policies, including informing data subjects of their rights under the GDPR, and reviewing internal processes to ensure data protection by design and by default, she said. Companies also must update their recordkeeping to include all data processing activities within their responsibilities and be able to show compliance, she said. Proper data transfer mechanisms must be in place, and all vendor agreements must be revised to comply, she said.
"Panic Is Not Your Friend"
The GDPR will be enforced starting Friday "but panic is not your friend," Burman said. A true understanding of the regulation will involve post-May 25 guidance from privacy chiefs, enforcement actions and court decisions, she said. Asked whether U.S. companies appear to be ready for the new rules, Burman said they have had two years since the final text was approved to come into compliance. But some gray areas remain, and they will only evolve over time as EU authorities provide ongoing guidance and U.S. businesses become more familiar with the new concepts, she said. Another open question is what ability EU countries have to punish U.S. companies and how DPAs will prioritize their enforcement activities, she said.
Businesses that aren't GDPR-ready should start by focusing on data subject-facing functions -- website readiness, privacy policies and data subject rights request fulfillment -- given the regulation's private right of action, CompliancePoint's Sparrow said. Authorities are "looking for egregious offenders initially and not having the window to your organization compliant increases your chance of exposure." He recommended companies "take a risk-based approach" to compliance and bring in outside experts immediately if internal capacity or expertise is lacking.
U.S. companies should adopt the same data protection rules as the GDPR, said Public Citizen, the Center for Digital Democracy and 26 other signatories in a letter to 95 companies published Thursday. They urged Facebook, Google, Amazon, Walmart and others to use the EU regulation as a baseline standard for all their global services, including in the U.S. "Since you will be providing these protections for hundreds of millions of people in Europe, there is no question that you are capable of applying the same protections worldwide," they said. "We insist that you do." Microsoft Corporate Vice President and Deputy General Counsel-Global Privacy and Regulatory Affairs Julie Brill said Monday the company will use GDPR rules worldwide.
Meanwhile, ICANN, which has been struggling to bring its Whois database into GDPR compliance (see 1805180055), approved a temporary solution May 17. But since the EU regulation will be enforced beginning today, it's not clear what will happen. ICANN expected registrars and registries to be fully compliant with the temporary specification by Friday, emailed Michele Neylon, managing director of Irish domain registrar and hosting company Blacknight Internet Solutions. "That's not realistic, as many of us [registrars] had already proceeded to make changes to our systems and processes in order to be GDPR compliant," he said. Blacknight joined several other registrars in asking ICANN for a "formal compliance moratorium" to give them time to adapt their GDPR implementation "with the GDPR-compliant aspects of any ICANN temporary specification."