The EU’s GDPR Turns 2!

Today marks the second anniversary of the EU’s General Data Protection Regulation. And, wow, what a two years it has been! Looking back to 2018, I can remember my email being flooded with privacy notice updates to account for the changes under the GDPR. It did cause me to pause at how  many (often too many) services had access to my email address!

Even with the fear of many businesses of the impact of GDPR, many were still able to have fun with the new law:

After the initial wave of changes, it seems like the EU, and the world, had settled into a more normal cadence which now embraces the GDPR. Data Protection Authorities started to issue fines, providing clarity to companies on what would be required to be and demonstrate its GDPR compliance. Some of those fines made splashes, including France’s CNIL and its € 50 million fine against Google; the UK’s ICO fines of British Airways and Marriott (which may now be in slight reprieve); and the on-going investigations by Ireland’s DPC into the GDPR practices of Twitter and Facebook. And, let’s not forget: it not only the behemoth companies that have faced regulatory fines: local government authorities have faced six-figure fines for mistakenly using personal data, a consulting company was fined for preventing a Supervisory Authority inspection, and a local school was fined for using student biometric data. 

And, just as we were all settling into a world where GDPR is the norm, and increasingly influencing global privacy regulations (i.e., Brazil, Canada, etc.), the true impact and strength of the GDPR is seeing its first test in the international response to COVID19. With the new  emphasis on the use of technology and contact tracing as a solution to the spread of the virus, there are heightened concerns about individual privacy within this digital response. In our prior post, “Contact Tracing Gridlock,” we emphasize the need for a privacy-oriented approach.  The European Data Protection Board (“EDPB”) has continued to  emphasize that GDPR already  allows for innovation while still protecting individual privacy. Andrea Jelinek, Chair of the EDPB, stated that: 

The GDPR is designed to be flexible. As a result, it can enable an efficient response to support the fight against the pandemic, while at the same time protecting fundamental human rights and freedoms. When the processing of personal data is necessary in the context of COVID-19, data protection is indispensable to build trust, to create the conditions for social acceptability of any possible solution and, therefore, to guarantee the effectiveness of these measures.

As this is the first true test of the GDPR, the world will watch and take notes on how effective the regulation is in balancing critical, national needs while upholding the privacy rights of all individuals. 

XPAN’s Lessons from the first Two Years of GDPR

After guiding companies across a wide variety of industries and sizes to address GDPR compliance and integrate GDPR within their infrastructure, we can say without question that GDPR poses challenges but does allow for innovation. The GDPR is never a simple solution; there is no “out of the box” compliance option that truly addresses all of the nuances organizations need to consider. Each organization requires tailored, customized solutions to organically fit GDPR within their unique business model.

But, there are some consistent themes we see across all industries and businesses that can help anyone impacted by the GDPR to keep their compliance moving forward. 

ONE: Embrace the Unknown

The GDPR is only two years old. That means that guidance from regulators, interpretations from the court, information from trenches → all of this is still in its infancy. So do not be surprised when there is no concrete response. Instead, make sure that you refer your questions to individuals who study and stay abreast of the latest guidelines and trends. Also, keep in mind that for GDPR compliance an organization needs a trusted partner, not just technology. Technology cannot provide critical guidance and thoughtful strategy when there is no cut-and-dry answer. This is particularly important, especially when a company could face fines that amount of 4% of your global turnover (Art. 83) or private actions by individual data subjects (Art. 82)- and that is just the regulatory penalties. Organizations can also face breach of contract claims from their clients and/or suppliers, and breach notification liabilities (Arts. 33 & 34). 

The key to make informed decisions based on a reasonable understanding of the regulation, your business, and your business growth goals. Sometimes, this analysis will require trade-offs and accepting some risk. In privacy and security, there is no such thing as zero risk. So, embracing the unknown is common. But, the goal is to be informed when making those decisions and have resources to weigh the unknowns. 

TWO: Create a Strategy- there  are no excuse for no action

Even with these unknowns, inaction is the worst solution. Do not become paralyzed by the options available. Creating a strategy and working towards that strategy can reduce exposures exponentially . 

The GDPR was drafted with a goal of remaining flexible enough to evolve with the ever-changing technological world. In fact, COVID19 is a great example of this flexibility: if the regulation was too rigid, it would have had to account for situations like the ones we face today — one that frankly would be challenging to regulate in its entirety. The GDPR provides flexibility to organizations to create solutions that organically fit within the business, instead of ones that are mandatory. Privacy and security are never one-size-fits-all. We have found that the organizations that really embrace privacy are those that can find solutions within their current operations. They also have the framework to weather the storm- be it COVID19 or some other issue. 

THREE: Data Subject Rights are Hard and Require Coordination

The biggest headache we see under the GDPR is data subject rights. They are hard, partially because a data subject right request can really impact so many different business units and partially because networks are often not architected with data retrieval and destruction at the individual level in mind.

In addition,  the 30 day deadline to respond to a request under the GDPR makes having a pre-planned strategy even more critical. Start simple: which business units have personal data? Or access to personal data? Then, identify what personal data those businesses have, at least at a high-level. (This is called a data inventory or data mapping exercise). This information will be key in identifying which departments may even have responsive information to a request. 

Next, understand why you have the personal data (i.e., the legal basis for processing the information). The why will directly relate to how you respond to the request. For example, can you even delete the personal data? Are you the controller or processor as it relates to the personal data? These are key questions that will impact your response process.

Finally, do not be afraid to seek guidance. While data subject rights may sound simple, the devil is in the details. Coordinating among many different business units, across a multitude of systems (both internal and external), and creating a response that is legally compliant within 30 days can be daunting. Start building towards a process that is streamlined and comprehensive, and fill in the details as you go.  

FOUR: Your contracts matter, probably more than you think

The GDPR requires a contract be in place between controllers and processors that addresses the data processing requirements and a variety of other data processing related provisions. (Art. 28). However, since many (if not all) businesses are built on a complex spider-web of processors, these provisions can create a supply chain contract nightmare. If you are a controller, you are addressing requirements with your first level processors. Your processors are then contracting data processing with their processors (often called sub-processors). Their processors are then going to engage with their own processors (let’s call these sub-sub-processors). And, it goes on. Oh, and did we mention that an organization can play multiple roles in different data transactions (i.e. a controller in one data transaction and a processor in another). 

Identifying eachs data transaction, where you sit within the chain, and what your responsibilities are to the data within that chain is key. You do not want to take on more responsibility than required. Often companies will agree to be GDPR compliant when it is not even relevant to the business or the data impacted by the contract. But, guess what? You can agree contractually to comply with the GDPR (and all that comes with it) even if the actual GDPR would not have impacted you under the language of the regulation.

So what can your organization do? First, understand your role in the data transaction. Read your contracts. Understand your contracts. And, make sure those documents are not reaching beyond what is required under the regulations and what you can actually provide. If your company does not have the ability to comply with a certain requirement, discuss that with the client before you agree to do it. A growing area of litigation will be trying to pass the proverbial buck to other parties in a transaction when it comes to findings of non-compliance under the GDPR. 

FIVE: Start today, create a plan, and make meaningful progress

The first step in any security, data privacy, or information governance project is to make a plan. (At XPAN, we love a good plan of action!).  That plan should start with understanding your key risks under the GDPR. Ask yourself: where are your top exposures? If you are a B2B business, those risks may rest mostly within your client relationships. If you are a B2C business, you may need to focus more on your interactions with individuals, and clearly articulating and explaining what it is you are doing with their personal data. 

Second, create realistic and actionable goals with corresponding metrics. If you are a small team, do not expect GDPR compliance to happen in a day (or frankly in a year). Where possible, harness your internal resources but also, look to external resources to help provide a deeper understanding of the GDPR and a skill set to guide you in your GDPR compliance. It is never too early to start, and creating a plan that sets measurable goals will help the team to stay on target with the overall GDPR compliance strategy.  

These first two years of the GDPR have been one heck of a journey, and we are just at the beginning. At XPAN, we continue to create solutions to meet the needs of our clients in this ever-changing data privacy landscape. We love a good challenge and working with clients to create solutions that fit their business. Providing legal guidance in a GDPR world is a great example of the need to remain open to new options, and flexible to address new challenges that might arise. And, as always, keep in mind that luck favors the prepared, so don’t wait!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.