Don’t Panic! The Hitchhiker’s Last Minute Guide to the GDPR Galaxy


It isn’t too late for companies to prepare for the European Union’s new privacy regime—the General Data Protection Regulation (GDPR)—but there’s a lot of work to be done to meet the May 25, 2018 deadline, a panel of privacy attorneys told a packed house at a recent Bloomberg Law-sponsored panel. There are specific action items that companies behind in their GDPR preparations can still focus on to help avoid the massive potential fines and stronger privacy and data security oversight and enforcement of the looming GDPR, the attorneys said during the International Association of Privacy Professionals (IAPP) Privacy Security Risk conference in San Diego.  

Preparing for the GDPR should be a company-wide endeavor with cooperative efforts among various interested parties, including the C-suite, legal department, information technology professionals, and other cybersecurity professionals, the panelists said. 

The GDPR provides one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as 20 million euros ($23.5 million) or 4 percent of a company’s annual worldwide income, among other things.

Companies should be careful if they are moving to the use of automated data processing, Adam McKinney, vice president and associate general counsel for privacy and data protection at AT&T Inc., said during the IAPP panel. Privacy protections under the GDPR apply to manual processing of personal data, as well as by automated means, such as the use of algorithms, artificial intelligence, or other mechanisms, he said. Under the GDPR, individuals will have the right to object to decisions taken about them based solely on automated decision-making. With so little time left before the GDPR takes effect, companies should be aware of the limitations the new law places on the use of automated data processing, McKinney and other panelists said.

Companies also need to know what kinds of data they are storing, where the data is being stored, and for what purposes, Tanya Forsheit, partner and co-chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz PC, said. Without understanding what data they collect, process, and retain, companies will have an extremely difficult time ensuring that their data processing activities are GDPR-compliant, she said. If a company hasn’t engaged in data mapping already, it needs to begin a good-faith effort to do so as soon as possible, Forsheit said.

Although some companies may wish to get their GDPR compliance preparation done as quickly as possible, they should beware of one-stop-solution programs, Rafi Azim-Khan, partner and head of data privacy and security for Europe at Pillsbury Winthrop Shaw Pittman LLP, said. Some companies may advertise their products as a silver bullet compliance solution, but there is no one-size-fits-all solution for GDPR preparation, he warned. 

Companies should confer with outside or in-house counsel to determine the proper plan of action for GDPR preparation, the panelists said.
