
The Eye of the GDPR Storm

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It was preceded by years of debate, delays, and uncertainty on its final text. The months leading up to this date seemed quiet until a flood of emails barraged everyone's mailboxes — frantic requests from companies asking customers to officially opt in or consent to receive their future messages. Now the storm seems to have abated, apart from the regular newsflash of a data breach or cyber hack at a big corporation or government institution.

GDPR is the European Union's latest answer to the privacy challenges of a rapidly digitalizing world with companies and governments controlling and processing large amounts of personal data. The regulation grants important rights to individuals or data subjects, including required consent or opt in, the right to access, and the right to be forgotten, to name a few.

In addition, its application is not limited to the European Union and can, for instance, also affect US-based companies that process personal data of EU citizens. It is an important step up from the European Union's 1995 Data Protection Directive, which was their initial legislative answer to the first wave of digitalization and e-commerce.

Compliance with GDPR is proving to be a big challenge for companies. Namely, interpreting many of GDPR's provisions is not always easy. In addition, many companies struggle with where to assign responsibility for GDPR compliance. GDPR requires companies to appoint a data protection officer (DPO), but attracting and retaining a DPO is no easy task. A DPO should also be able to call on the support of a number of people, including the board, the GC, CIO, and COO, to engineer and implement an effective GDPR compliance roadmap.

Privacy, data protection, and information security are firmly on the general counsel's current priority list. Although sometimes initially and erroneously viewed as a purely legal issue, GDPR compliance is a large-scale issue that impacts the company's business model and reputation. It provides great opportunities for general counsel to use their legal, business, and leadership skills to add value to the company. As such, general counsel cannot afford digital illiteracy and must stay on top of digital technology and cybersecurity trends.

Now that the initial excitement of GDPR has settled and the flurry of consent emails has subsided, it is tempting to carry on with business as usual. For example, the media is focused on the Brexit negotiations in Brussels, although the European Data Protection Authorities (DPAs) are convening in the city on October 22-26 during their 40th International Conference.

In fact, many DPAs have already received the authority to impose much bigger fines through their national legislations. Presently, GDPR allows fines of up to four percent of annual global turnover or €20 million, whichever is higher.

The DPAs are now assessing and planning for the future. Companies should use this valuable time and continue implementing their GDPR compliance roadmap to batten down the hatches. We are only in the eye of the GDPR storm.

About the Author

Axel Viaene is group general counsel and company secretary of GrandVision based in Schiphol, the Netherlands. He has been a member of the New York Bar since 1998, and served as president of the board of directors of the European Chapter of ACC during the 2009-2010 term. He received an LL.M. from the University of Chicago Law School and is a graduate of the Katholieke Universiteit Leuven Law School in Belgium.

