By Lisa Hawke
It took approximately four years of preparation for the General Data Protection Regulation to be approved by the EU Parliament in April 2016, and now the May 25, 2018 enforcement date is nearly upon us. Law firms and companies who fall within the territorial scope of GDPR under Article 3 will be watching closely to see how courts and regulators in Europe interpret the sweeping regulation.
With enforcement on the horizon, speculation regarding what actions might come out of Europe is at a high. In March, the law firm McCann FitzGerald, in conjunction with IDA Ireland and tech companies including Twitter and Box, hosted Irish Data Protection Commissioner (DPC) Helen Dixon to engage with legal and tech community on GDPR readiness and what to expect post-May 25th.
This was a unique opportunity for US companies working on GDPR compliance to hear directly from Ireland’s top data protection regulator. Dixon joined Paul Lavery, head of McCann FitzGerald’s Technology and Innovation Group, for the talk, “Preparing for the GDPR: Compliance Challenges and Potential Solutions.” In addition to sharing insights regarding their observations on compliance activities, they provided the audience with the chance to pose questions about the regulation and enforcement.
The overarching theme of the talk was that firms and companies currently implementing GDPR compliance will set the standards for how both large companies and startups behave under the regulation. Both speakers emphasized that GDPR reflects fundamental rights of individuals in this digital era.
Impacted firms and companies have had two years to prepare for GDPR, so there will be no further transition period post-May 25th. We are likely to see a lag in enforcement as EU regulatory authorities begin their investigations under the GDPR. Organizations may take a risk-based approach to compliance implementation; however, they will be accountable for their decisions and the technical and organizational measures they take to protect and secure personal data. According to Dixon, “accountability is the bedrock of GDPR.”
The Irish DPC is focusing on three major areas of concern under GDPR. The first is the principle of transparency. Dixon explained that organizations can’t demonstrate their compliance if they are not clear on how they are collecting and processing data. She also noted that data controllers and processors can’t “divvy up” their own obligations under GDPR so that who is doing what with the data becomes less transparent to the data subject. Furthermore, traditional privacy policies with “vague statements” are insufficient to meet the new standards.
The second area of concern is whether an organization has a lawful basis for processing data under Article 6, which sets out six possible bases. Dixon emphasized the obligation to be transparent with users about an organization’s legal basis for collecting and processing data. She cautioned against automatically using the legal basis of “necessary for the performance of a contract” when another legal basis would be the correct choice. In other words, if you are doing a “square peg, round hole analysis” or using “creative lawyering” to establish legal basis, you need to take a hard look at your reasoning.
And finally, the special protection of children’s personal data under Recital 38 is another area of concern. Dixon said children and teens are a huge constituency of the Irish DPC. She said she is concerned that organizations lack transparency about their data collection and processing practices, because they don’t describe these in language that young people can understand.
Based on the discussion, we can expect protection of children online, transparency for all users, and handling of data subject rights to fuel GDPR enforcement actions. Of note, Dixon mentioned that when organizations fail to deliver on the enumerated rights that the GDPR gives every data subject, higher fines should be expected. These individual rights include: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights in relation to automated decision making and profiling.
GDPR is a seismic change, and the regulators expect to see a meaningful change in how organizations describe their data collection and processing practices, and how they protect data. Tweaking around the edges won’t be enough. Dixon concluded her portion of the discussion by issuing the challenge: will your users see a change when they engage with your service on May 26th?
The ediscovery industry has been paying attention to potential implications of the GDPR. In 2017, Duke Law EDRM formed a GDPR project team to draft cross-border discovery guidelines for adapting to GDPR. This initiative aims to develop practical guidelines for cross-border transfer of information to help address conflicting requirements in the US and Europe for processing evidence during ediscovery.
According to the EDRM GDPR project team, the guidelines will address data transfers from Ireland to the US, as well as mitigating risk that “international litigation teams and ediscovery practitioners face when balancing US discovery obligations against European data privacy laws.” A draft of the guidelines was circulated to EDRM members in early March for comment, and the final document will be published in Judicature this spring.
For firms implementing process improvements in anticipation of GDPR, resources are already available from the EDRM team. EDRM’s Privacy & Security Risk Reduction Model can help firms establish a process for “reducing the volume of private, protected and risky data by using a series of steps applied in sequence.” As Dixon highlighted during the discussion in March, a key step in the risk model is identifying locations and types of “risky data”—which would include personal data under GDPR.
The Privacy & Security Risk Reduction Model contemplates that an organization must understand the data in its possession. Since GDPR Article 30 requires that every organization subject to the regulation must maintain a record of data processing activities, law firms and companies that are preparing for GDPR compliance likely have a head start on documenting their data processing activities and resulting risk, including in relation to any applicable rights of the data subject. While it makes sense for firms to tailor data processing inventories to align with their own operations, there is guidance available.
For firms and companies looking to assess their own level of GDPR compliance and identify areas of major risk, McCann FitzGerald launched an innovative GDPR Gap Analysis app in February. The app uses AI to enable law firms and companies to quickly assess their own level of compliance and identify areas of risk. Everlaw open-sourced a GDPR Documentation Template that can be used as a starting point for records of processing activities, security of processing, and ability to respond to data subject rights. Firms can also take advantage of the the EDRM Security Audit Questionnaire to help evaluate the data security capabilities of cloud providers offering ediscovery products.
In addition to completing the necessary documentation and risk analysis activities, firms and companies should also be focused on cultivating an organizational culture in support of data protection and breach avoidance. Remember that, above all, GDPR is about giving people control of their personal data in line with the right to respect for privacy, and ensuring that personal data is secure.
To contact the reporter on this story: S. Ethan Bowers in Washington at email@example.com
To contact the editor responsible for this story: S. Ethan Bowers at firstname.lastname@example.org
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)