
One Year After GDPR: How Are Legal Departments Handling the New Data Policies?

Seven years ago, the European Commission laid plans for data protection reform across the European Union in order to make Europe “fit for the digital age.” In 2016, an agreement was reached on substance and enforcement. One of the key measures of the legislation was the General Data Protection Regulation (GDPR).

This EU framework, in force since May 25, 2018, applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is based in Europe, and so has implications for businesses and individuals well beyond the member states. The GDPR was designed to give EU residents more control over their personal data and to simplify the regulatory environment for business, so that both citizens and companies in the European Union could reap the full benefits of the digital economy, by:

  • harmonizing data privacy laws;
  • protecting and empowering citizens’ data privacy; and
  • reshaping the way organizations across the continent approach data privacy.

So, one year later, how are legal departments, and businesses in general, holding up under GDPR? According to a new survey conducted by Thomson Reuters, businesses around the world are struggling to comply with the European Union's sweeping reform, with many companies either failing to meet data privacy requirements or failing to keep up with privacy laws and regulations as they change.

“Data privacy laws and regulations are growing every day, and businesses are finding it increasingly difficult to comply and keep up with these fast-changing requirements,” one Reuters spokesperson was quoted.

Why was there so much uncertainty surrounding GDPR? The regulation was preceded by years of debate, delays, and confusion over its final text, and its arrival was marked by a barrage of consent and privacy-policy emails flooding inboxes. Compliance has proven to be a major challenge for companies, and interpreting what the regulation actually requires is not always simple.

For example, a number of companies have struggled with where to assign responsibility for GDPR compliance. The regulation requires certain organizations to appoint a data protection officer (DPO), but hiring and retaining a DPO is no easy feat. Under Article 37 of the GDPR, a controller or processor must designate a DPO if:

  • the processing is carried out by a public authority or body (other than courts acting in their judicial capacity);
  • its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (for example, tracking online behavior, internet traffic, or IP addresses); or
  • its core activities consist of large-scale processing of special categories of data (such as health, biometric, or political data) or of data relating to criminal convictions and offences.

(An organization's headcount is not itself a trigger; the 250-employee threshold in the regulation relates to the record-keeping obligation, not to DPO appointment, and member states and industry codes may add their own requirements.)

The GDPR sets no exact qualifications for a DPO. It requires only that the person be designated on the basis of "professional qualities" and "expert knowledge of data protection law and practices"; it prescribes no specific certification or number of training hours. The position does, however, require that the DPO be involved in all data protection matters, be given adequate resources, and operate independently, reporting to the highest level of management. There is also confusion over an internal versus an external DPO, as questions of cost, competence, liability, and control over data can easily bewilder the CLO or CEO.

The 2019 ACC Chief Legal Officers (CLO) Survey revealed that 25 percent of CLOs reported their organizations had experienced a data breach, highlighting the importance of the GDPR. This fear is what is keeping chief legal officers awake at night.

For example, in a list of 12 developments that respondents could designate "very or extremely important," data breaches and protection of corporate data ranked number one across the globe, at 67.6 percent. The concern also took the top spot when results were broken down by company annual revenue: 77.6 percent of CLOs at companies with revenues of US$10 billion or more said data breaches and corporate data protection were most important.

Yet, for all the confusion associated with the rollout of the new law, and the constant threat of major cyberattacks wreaking havoc on a global scale, GDPR has also accomplished a lot in its first year. It has been widely hailed as the global benchmark for privacy in the digital age.

The fact that the new law came into effect only a few months after the political consulting firm Cambridge Analytica collapsed amid revelations that it had harvested the personal data of up to 87 million Facebook users without their consent only served to accentuate the need for global governance of sensitive personal information.

Sadly, it took such a scandal to force Facebook and other Silicon Valley enterprises to make sweeping changes to their data and privacy-handling policies. Google, for its part, was fined by the French data protection authority for failing to properly disclose how users' data is collected and used for targeted advertising and for not obtaining valid consent for it. That fine was by far the most prominent GDPR sanction of the regulation's first year.

But what many can agree on is that GDPR has kick-started the global conversation about privacy. European Justice Commissioner Vera Jourova noted that in 2018 the loudest voices were those complaining about and attacking the new law.

Now the tune has changed to more intense calls for comprehensive data protection rules similar to GDPR. Although the United States has not drafted a nationwide equivalent to GDPR, the California Consumer Privacy Act (CCPA) mirrors many of the same policies as its EU counterpart. According to the ACC Docket article "Privacy Trends: The California Consumer Privacy Act is a Harbinger of New Regulations," once the CCPA takes effect in 2020, many US companies will be able to reuse parts of their GDPR compliance programs to meet some of the CCPA's requirements.

There is concern, however, that GDPR is more lenient in some respects than the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules (CBPR). In the ACC Docket article "Is GDPR Compliance Enough for Entities Operating in Asia?", authors David Chen (director of legal at Appirio) and Hannah Ji (technology transaction and data privacy associate at Polsinelli, PC) point out that while GDPR requires certain companies to appoint a DPO, much like the laws of South Korea, Japan, and New Zealand, it does not impose data storage or localization requirements.

Some Asia-Pacific regimes, on the other hand, "require certain data to be stored within a country's own borders," Chen and Ji state. As a result, multinational companies such as Apple must work to comply with both the GDPR and CBPR frameworks. To learn more about Asian privacy regulations and other global topics, read the ACC Docket June 2019 Cross Borders issue online.

In short, one year after GDPR, data protection continues to be a top concern globally, and regulations are still evolving in response.

About the Author

Scott Sharon is a freelance writer who has contributed to Conducive Chronicle and World Policy Journal.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.