
GDPR: Implications from the New Normal

After more than two years of waiting since the European Commission’s announcement, we are finally there: The EU General Data Protection Regulation (GDPR) enters into force on 25 May 2018. In September 2016, I wrote an article for ACC Docket on some aspects of GDPR, and I concluded with the expectation that guidance would be forthcoming from the Article 29 Working Party (a grouping of all the EU Data Protection Authorities [DPAs]) and from individual DPAs.

In fairness, we have seen a lot of papers and consultations — just not that much practical or actionable guidance. I am sure that more will be coming shortly. However, in the meantime, I’ll identify some issues where GDPR plays an important role and other data-related incidences that may not have received much attention.

Cybersecurity: Get to know your DPA now!

We all know by now that it is a case of when, not if, our organisation will suffer some sort of cyberattack. I’d like to draw your attention to the fact that now — on top of advising hyperventilating board members and managing the bill for the recently hired IT consultants — you also need to worry about notifying them about the data breach.

I suggest that you get to know your DPA now, even if it’s just taking part in public consultations or attending events where they are present. We unfortunately have not had much guidance from regulators. However, there have been a couple of incidents where incorrect information was notified to the data subjects, making the data breach look much more serious than what had actually happened. In these cases, companies had decided to share the “worst scenario,” just to be on the safe side. This seems to have convinced regulators that companies should not notify data subjects immediately, but notify the regulator — and maybe engage in a dialogue about the scope of further disclosure.


However, whilst the actual scale and content of the notification to data subjects could remain limited, the problem is that in the meantime you are being judged in the court of public opinion. If the breach becomes public, you’ll have a lot of customers quite reasonably thinking, “Is my information safe? Why hasn’t the company contacted me?” In these circumstances, it helps to have a relationship with the DPA so that you can indicate in your company’s public statement that you are talking to the DPA and have agreed to follow its guidance on what to disclose.

As we have learned from the Facebook/Cambridge Analytica scandal, there is another layer to reputational risk: You can be damaged for what other people do with the data you collected. Having that clarity with the regulator — and maybe being able to show the relevant contracts and data processing agreements with that supplier or partner — could make the difference between a hard and a soft landing.


The enhanced awareness of data, albeit not strictly linked to the GDPR, highlights another aspect to consider with respect to partners and reputational risks: the interplay with competition law. Regulators also look at data sharing and data hoarding through the lens of possible anticompetitive behaviour.


For example, if you and your peers/competitors in the widget transport industry share information about the location of widget-carrying vehicles, load factors, or demand, then regulators may feel that even without exchanging pricing information, your industry is behaving anticompetitively against the widget industry. The results could be fines up to 10 percent of global turnover, so it’s worth monitoring.

Data as an advantage — or a weapon

If you have access to a particularly large set of data, and it is giving you an advantage vis-à-vis your competitors, then it may be worth considering what would happen to your business model if you were forced to share that data. Given that GDPR grants data subjects the right to receive all the data you hold about them in a machine-readable format, it is not unthinkable that someone could develop ways of creating mass requests. The new regulations require your company to answer these requests and then obtain access to that data. Consider also if your organisation would be able to respond to such requests. What is the volume of requests that would “break” your organisation? A hundred requests per day? A thousand? Think of it as the GDPR equivalent of a DDoS attack and prepare accordingly.


Finally, another complication with GDPR is Brexit. If you serve your customers in the European Union from the United Kingdom, then you need to factor in the impact of Brexit on data protection. Unfortunately, things are not yet clear. GDPR enters into force on the 25th of May in the United Kingdom as in any other EU country, and the United Kingdom does not leave the Union until March 2019. However, this is where the certainties stop.


The UK government has stated that it intends to keep the UK data protection regime as closely aligned with the European Union’s regulations as possible. Currently, the UK Parliament is discussing a Data Protection Bill that should ensure those parallels. But as the United Kingdom becomes a “third country” (i.e., a non-member of the EU), the European Commission must decide whether the United Kingdom regime is considered “adequate.” In other words, there are sufficient safeguards for EU data subjects, and it’s possible to export data to the United Kingdom. Such adequacy is not guaranteed.

Also, it may be granted now, but revoked at a later date. The risk, therefore, exists of a future ban on exporting data from the European Union to the United Kingdom. As such, creating a flawless, foolproof plan is difficult. However, the most practical precaution is to monitor these data flows in your organisation, so that you know which processes or workflows would be impacted by such a ban. If that doesn’t work, have a “plan B” ready in order to deliver the outcomes of those processes with EU-based resources or systems.

About the Authors

Alessandro Galtieri is the VP for corporate law and the group data protection officer of Colt Group.
