One Year Until EU Privacy Regime Change: Prep Time is Now


By Jimmy H. Koo and Daniel R. Stoller

The clock is ticking down on the European Union’s new privacy regime, which is set to take effect a year from now. But as that deadline looms, a complex set of requirements and unclear regulations have left many companies uncertain how to prepare to comply.

Companies should start preparing for the new EU General Data Protection Regulation (GDPR), which takes effect May 25, 2018, privacy attorneys said. But regardless of how much they prepare, full compliance with the GDPR is an elusive goal, attorneys said.

One reason companies have been slow to comply is the lack of clarity surrounding the GDPR’s many provisions, Ann LaFrance, London-based partner and co-chair of Squire Patton Boggs LLP’s global Data Privacy & Cybersecurity group, told Bloomberg BNA.

“There remain a number of challenging gray areas which leave open many uncertainties for industry players who are not sure what will and will not be considered compliant,” LaFrance said.

The GDPR, which takes effect May 25, 2018, provides one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as 20 million euros ($22.4 million) or 4 percent of a company’s annual worldwide income, among other things.

A spokesman for the European Commission, the EU’s executive arm, told Bloomberg BNA May 24 that ensuring companies are ready to comply with the GDPR is a commission priority.

But many companies won’t be ready in time, according to Gartner Inc. The technology research company recently predicted that by the end of 2018 more than 50 percent of companies affected by the GDPR won’t be in full compliance. Gartner recommended that companies “act now” to make sure they are in compliance when the GDPR goes into effect.

Plan of Attack

Companies “will have to change their business practices” in order to comply with the GDPR, Rafi Azim-Khan, a data privacy partner at Pillsbury, Winthrop, Shaw & Pittman LLP in London and Silicon Valley, told Bloomberg BNA.

“Companies need to act now because there’s so much to digest,” Azim-Khan said. The GDPR is a regulation and becomes immediately enforceable. There is no “runway luxury,” he said.

“Companies need to initially sit down with genuine specialists and scope out which provisions may directly apply to them,” Azim-Khan said.

The GDPR “at its core is about information governance,” Clarissa Horowitz, vice president of communications at Mountain View, Calif.-based software company MobileIron Inc., told Bloomberg BNA.

“The first step is to assess data workflows across the organization to ensure that there are appropriate protections in place and then ensure that unauthorized devices or apps never have access to business data,” Horowitz said.

Todd M. Hinnen, Seattle-based privacy and security partner at Perkins Coie LLP, told Bloomberg BNA May 24 that companies must understand and better document their handling of personal data. This may require companies to develop new policies and implement new training for employees, Hinnen said.

Horowitz said most companies’ legal and compliance teams are doing detailed evaluations, but most haven’t weighed the GDPR’s specific impact on mobility programs.

Mark Webber, U.S. managing partner of Fieldfisher LLP in Silicon Valley, Calif., echoed those sentiments.

“The one year to-go mark has definitely triggered a number of companies to really concentrate on GDPR and we have seen an increase in companies looking to understand how the way they use data fits into compliance,” Webber said.

Webber said that GDPR “is about accountability” in an organization and that takes time. It isn’t “something that will be fixed with two months to go,” he said.

To contact the reporter on this story: Jimmy H. Koo in Washington at; Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
