The clock is ticking down on the European Union’s new privacy regime, which is set to take effect a year from now. But as that deadline looms, a complex set of requirements and unclear regulations have left many companies uncertain how to prepare to comply.
Companies should start preparing for the new EU General Data Protection Regulation (GDPR), which takes effect May 25, 2018, privacy attorneys said. But regardless of how much they prepare, full compliance with the GDPR is an elusive goal, attorneys said.
One reason companies have been slow to comply is the lack of clarity surrounding the GDPR’s many provisions, Ann LaFrance, London-based partner and co-chair of Squire Patton Boggs LLP’s global Data Privacy & Cybersecurity group, told Bloomberg BNA.
“There remain a number of challenging gray areas which leave open many uncertainties for industry players who are not sure what will and will not be considered compliant,” LaFrance said.
The GDPR, which takes effect May 25, 2018, provides one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as 20 million euros ($22.4 million) or 4 percent of a company’s annual worldwide income, among other things.
A spokesman for the European Commission, the EU’s executive arm, told Bloomberg BNA May 24 that ensuring companies are ready to comply with the GDPR is a commission priority.
But many companies won’t be ready in time, according to Gartner Inc. The technology research company recently predicted that by the end of 2018 more than 50 percent of companies affected by the GDPR won’t be in full compliance. Gartner recommended that companies “act now” to make sure they are in compliance when the GDPR goes into effect.
Companies “will have to change their business practices” in order to comply with the GDPR, Rafi Azim-Khan, a data privacy partner at Pillsbury, Winthrop, Shaw & Pittman LLP in London and Silicon Valley, told Bloomberg BNA.
“Companies need to act now because there’s so much to digest,” Azim-Khan said. The GDPR is a regulation and becomes immediately enforceable. There is no “runway luxury,” he said.
“Companies need to initially sit down with genuine specialists and scope out which provisions may directly apply to them,” Azim-Khan said.
The GDPR “at its core is about information governance,” Clarissa Horowitz, vice president of communications at Mountain View, Calif.-based software company MobileIron Inc., told Bloomberg BNA.
“The first step is to assess data workflows across the organization to ensure that there are appropriate protections in place and then ensure that unauthorized devices or apps never have access to business data,” Horowitz said.
Todd M. Hinnen, Seattle-based privacy and security partner at Perkins Coie LLP, told Bloomberg BNA May 24 that companies must understand and better document their handling of personal data. This may require companies to develop new policies and implement new training for employees, Hinnen said.
Horowitz said most companies’ legal and compliance teams are doing detailed evaluations, but most haven’t weighed the GDPR’s specific impact on mobility programs.
Mark Webber, U.S. managing partner of Fieldfisher LLP in Silicon Valley, Calif., echoed those sentiments.
“The one year to-go mark has definitely triggered a number of companies to really concentrate on GDPR and we have seen an increase in companies looking to understand how the way they use data fits into compliance,” Webber said.
Webber said that GDPR “is about accountability” in an organization and that takes time. It isn’t “something that will be fixed with two months to go,” he said.
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.