Lack of EU Data Reg Guidance Has Companies Uncertain

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

April 26 — Even while awaiting European Union member state individual rules to implement the EU General Data Protection Regulation and in the absence of official data protection authority guidance, companies must take steps to comply, privacy attorneys said.

Companies that handle personal data on a daily basis—such as Google Inc. and Sky UK—will have different obligations and thus different preparations than businesses—such as drink company Diageo PLC—that have less immediate contact with their end users' data, they said at the International Association of Privacy Professionals Europe Data Protection Intensive 2016 in London.

Businesses that are data controllers need to prepare for tougher privacy responsibilities as they will be facing larger enforcement fines and stricter data breach notification requirements under the forthcoming GDPR. The new regulation will replace the EU Data Protection Directive (95/46/EC) in May 2018..

The GDPR, which aims to bring stronger EU-wide harmonization of privacy and data security rules, was approved by the European Parliament April 14 (15 PVLR 791, 4/18/16).

Lack of Guidance

Despite aiming for harmonization, the GDPR contains approximately 40 provisions that allow individual member states to set their own standards, Bridget Treacy, privacy partner at Hunton & Williams LLP in London, said. That may mean the greater compliance and enforcement certainty hoped for by businesses may be “undermined,” she said.

William Malcolm, senior privacy counsel at Google, said that “for many of us, we'll be waiting to see how national parliaments react and to see what changes made.”

The Article 29 Working Party of data protection officials from the 28 member states have announced it will issue their first set of guidance on the regulation—concerning the right of data portability—in September. At that rate, the regulators are unlikely to have all of their guidance ready by the time the GDPR takes effect in two years.

Don't Wait to Act

Nina Barakzai, group head of data protection and privacy at Sky UK, said that businesses that are waiting for assistance with the GDPR should “stop waiting for guidance.”

Companies should “walk through the regulations” on an “article by article” basis to assess “which ones had the most impact,” she said. Narrowing down the list to about 45 provisions allowed Sky to “asses for risk against different parts of the business,” she said.

Finding the provisions that “were going to impact on the five-year plan of each part of the business,” showed which things needed the most attention, she said.

Malcolm said that it is “best to start conversations” about GDPR's impacts early on and advocate planning “straightaway” as some of the GDPR's articles and guidance “will become clear in the next two years.”

Barakzai said that businesses should approach GDPR more as an assurance issue rather than a compliance issue. “Quite often regulation tends to be behind what we are already doing in business,” she said. “We have mature privacy programs so one piece of regulation, like the GDPR, is not the only thing we are thinking of.”

Any company response to the GDPR should be “driven by the business strategic plan” rather than the company's privacy plans, Barakzai said.

Tougher Enforcement Measures

Companies that don't usually handle data on a daily basis—like alcohol brand Diageo—may have challenges when adapting to new GDPR measures, Treacy said.

“When I speak to my peers in the fast moving consumer goods business, we all agree it's been a challenge to get it into the radar of the management. After all, we've had a four year lead up so it shouldn't come as a surprise,” Helen Gourdin, senior counsel of global compliance at Diageo, said.

But increasingly, management and finance departments have understood the importance of complying with GDPR, Gourdin said. In the U.K., the headlines around financial sanctions for data security breaches “have really helped”, she said.

The GDPR “means business when it comes to enforcement,” U.K. Information Commissioner Christopher Graham said. Under the GDPR, fines could escalate to as much as 10 million euros ($11.2 million), or 2 percent of their annual worldwide revenues. “This is serious money, to plan for” and “sure as hell will interest shareholders,” Graham said.

To contact the reporter on this story: Ali Qassim in London at

To contact the editor responsible for this story: Donald G. Aplin at