GDPR as Transforming Data Privacy Requirements for Companies

Every year, attorneys in private practice, in-house roles and the public sector are confronted by new privacy law issues, and every year these issues become more complex. With an expanding universe of computers and devices, and explosive advances in the connectivity between them, many of the challenges in managing privacy are driven by the volumes of data we now generate, collect and share. Data now powers market decisions ranging from better product design to the creation of new business services and opportunities. As business continues to become a global exercise, data moving across borders becomes a bigger challenge, and in response to these changes new privacy laws such as the EU General Data Protection Regulation (GDPR) take center stage.

As attorneys, we understand the need for evolving legislative and regulatory approaches to privacy. At first, privacy laws were strictly local in application, applying solely within a single state (e.g., California S.B. 1386 in 2002) or country (e.g., the U.K. Data Protection Act of 1998). Some privacy laws were directed only to a particular business sector, as the Privacy Rule under HIPAA was to the U.S. healthcare industry. Even within the somewhat limited scope of these early privacy laws, the regulatory goals themselves at times were limited – such as being aimed solely at requiring the posting of privacy notices on websites in order to achieve transparency with respect to the use of cookies.

In contrast to the above historical panorama of privacy mandates, the GDPR represents a radical sea change with an intended impact similar to major financial industry laws, such as the U.S. Sarbanes-Oxley Act (SOX). SOX was a major paradigm shift in corporate governance, shifting prior regulatory focus from just the final output of financial accounting processes (i.e., the financial reports) to an examination and control of how public companies produce their financial reports. Since enactment of the 1995 Data Protection Directive, the European Union has been at the forefront of treating data privacy as serious enough to warrant broad and expansive regulation. With the GDPR, the EU has significantly expanded this approach.

First, unlike previous privacy laws, the penalties for non-compliance with the GDPR can be as high as 4% of gross annual turnover. Second, under Article 30 of the GDPR, companies will be required to produce a variety of reports demonstrating compliance, including where data resides, in what systems and in what countries, and how different parties are processing that data. Finally, the GDPR – akin to some financial industry laws, such as those in U.S. securities law and the U.S. Foreign Corrupt Practices Act – is designed to have extraterritorial effect, meaning that many companies that do not even have offices in the EU will be impacted.

So how do we, as lawyers, adjust our approach to privacy to meet this radical new paradigm and protect our clients? First, we must speak the language of technologists in order to understand the types of data being collected, where it is stored, how it is shared, how to assess the risks of that data, and how to put scalable processes in place to ensure demonstrable compliance with the GDPR. For example, one requirement of the GDPR is that privacy be incorporated into the very design of new products and business processes. How can we advise our clients on compliance with this type of requirement if we do not understand the affected technology?

Second, although privacy starts with the law, it has become a multi-disciplinary function in today’s data-driven business environments. Business technologists, lawyers, compliance personnel and privacy specialists need to come together in order to embed privacy responsibility and accountability within the business, to sustain compliance and to be regulator-ready. We already collaborate with compliance and business personnel within the U.S. to develop effective compliance and ethics programs qualifying under the U.S. Federal Sentencing Guidelines. Similarly, we need to work together to create effective privacy and data protection compliance programs for our clients. As with SOX, the requirements of the GDPR and the potential negative impact of non-compliance on a company require that everyone from the Board of Directors down to the staff worker become part of the privacy program.

The benefits of this approach go beyond merely minimizing the organizational and legal risks to the company: clients will discover that having their finger on the pulse of their data on a real-time basis can produce real competitive advantage. Certainly, any company that seriously falters with GDPR compliance may soon find that other companies no longer view it as a reliable business partner.

Hilary Wandall is the General Counsel, Corporate Secretary and Chief Data Governance Officer of TrustArc