Q&A: GDPR Compliance May Strain Resources

The fallout from implementation of the General Data Protection Regulation will vary considerably across different sectors of the U.S. economy. Vishal Anand is senior vice president with Mindcrest and specializes in contracts management and integration of emerging technologies. He offered his insights on the range of effects that may result from the new European directive.

Hear more from Anand at the 2018 Bloomberg Law Leadership Forum on May 23 in New York, where corporate counsel from Fortune 500 businesses and leaders from top law firms will gather to discuss trends in trade, regulation, and technology.

Will GDPR implementation move the U.S. regulatory environment more toward privacy norms in the EU?

It’s difficult to predict the extent to which GDPR will impact the U.S.’s regulatory landscape. The U.S. has had a multitude of sector-specific laws, competing state and federal regulations, and a myriad of enforcement regimes that do not reflect the single, comprehensive legal ecosystem that GDPR is likely to establish in the EU. We have seen most congressional terms introduce proposals to enhance and standardize privacy-related laws at a federal level without any traction.

At this point, there are some initiatives at the state level that seem to have stemmed out of the GDPR, including the push for the California Consumer Privacy Act of 2018, which has gained some momentum and could be on the ballot as part of the upcoming mid-term elections. The measure, if passed, will give consumers the right to ask companies to release the data collected on them, the right to demand that companies do not sell or disclose their personal information, and related remedial actions.

It is difficult to foresee a single legislative data-protection mandate that reconciles the differences between state and federal requirements being established in the near-term. However, the year ahead is likely to bring increased attention to privacy norms, depending on how these state-driven actions pan out and the level of GDPR enforcement against potential defaulters in the U.S.

What are the immediate risks GDPR implementation poses to your organization and what is the strategy to address the directive?

There is an understandable rush to achieve compliance at this point in time, but sustaining compliance with GDPR, for many companies, is going to be as difficult as initial implementation and securing compliance. The immediate risk this poses is the scarcity of the right level of resources—both in people and technology—that are required on May 26 and beyond to support and maintain the work done until then. GDPR compliance is not a one-time data fix and losing the momentum gained until now could prove costly for companies.

Strategically, this requires organizations to supplement internal resources with external tools and subject matter experts required to support several ongoing work streams. For example, they have to be able to identify and maintain new records of data processing, ensuring that DPIAs for new products are getting documented at early stages and the supply chain contracts with the right contractual language are negotiated with vendors going forward—all requirements that will necessitate support on an ongoing basis.

What sectors of the U.S. economy are likely to be most affected by GDPR?

All sectors of the U.S. economy with exposure to EU markets will undoubtedly be affected. In many ways, the impact is more significant for small- and medium-size U.S. companies that operate outside the traditionally regulated sectors like financial services or health care.

Most large financial services and health care companies have had processes implemented to monitor personal data and comply with other privacy-related laws. Understandably, these processes now need to be beefed up under GDPR, but there is a good starting point for these companies. For smaller organizations outside these regulated industries (for example, HR services providers and targeted marketing agencies), compliance with GDPR may need to start from scratch.

This means assessing the business model, identifying instances of personal data, and training resources along with implementing foundational processes. For these companies, establishing these processes for GDPR compliance could even mean cutting budgets somewhere else to ensure compliance doesn’t impact their bottom line.


Vishal Anand spoke on May 23 at the Bloomberg Law Leadership Forum, the premier event for legal industry leaders to gain insights and discuss how global economic and regulatory changes impact their business. Mindcrest was a sponsor of the event.

The 2018 Forum features an update on current regulatory priorities, a look at where corporate risk is rising, and an exploration of the technology and management tools legal counsel need to respond effectively.


Leadership Forum Speakers Include:

  • Chairman Jay Clayton, U.S. Securities and Exchange Commission
  • Deputy Attorney General Rod Rosenstein, U.S. Department of Justice
  • Marcy Cohen, Managing Director and Chief Legal Officer, ING Americas
  • Noah Perlman, Global Head of Financial Crimes, Morgan Stanley
  • Katherine Choo, Chief Investigative & Anti-Corruption Counsel, GE