The other week I was lucky enough to spend a bit of time with Dentons, who had Giovanni Buttarelli (the European Data Protection Supervisor) as a speaker. Obviously GDPR was top of mind for the audience and in particular some of the legal nuances with implementation.
There were a couple of key themes discussed.
Impact of Brexit: This is becoming an increasingly pressing political issue in the UK. Although GDPR will apply from May 2018, we also need to consider what will happen if the UK leaves the EU. At that point it will become a third country (unless it remains in the Single Market), with the associated restrictions on transfers of personal data.
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. [link]
In order to establish adequacy, the view was that it would take considerable resources and time (more than a year). There is obviously hope for an agreed compromise; however, preparations should be made now.
Obtaining guidance and advice from the regulator: Although national regulators like to help, they are limited on resources and, with such a significant change, will not realistically be able to provide tailored advice to each firm on request. While the UK has been working hard, Germany and Austria are further advanced and ready, so don’t expect too much direct guidance from the regulator. [It may be worth taking independent advice].
Priorities for enforcement: The change impacts a wide swathe of industries and businesses and is a complex area. Firms who are non-compliant will most likely be viewed through the following lenses.
- Is the firm actively trying to comply and doing something to improve its compliance? (i.e. doing nothing is not good).
- Has the Data Protection Officer been selected appropriately? Do they have expertise and independence?
- Is the firm transparent with privacy issues?
- Is this explained to customers/data subjects in a simple form?
Lack of resource – risk of non-compliance
GDPR is a complex area: the legislation itself is complex and requires significant effort to implement.
The consensus across the room was that many firms have developed central programs that are already underway, with data discovery and some pre-work already in place.
However, what was also clear was that this is only now gradually rolling out to the wider organisation for implementation. With less than three months to implement, and fines in place for non-compliance (especially if nothing is done), this could represent a material risk to many organisations. The changes are not insignificant.
Previously published at arum.co.uk