Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Baker & McKenzie LLP conducted a survey at the International Association of Privacy Professionals's Global Privacy Summit 2016 in Washington on privacy professionals' views on the European Union General Data Protection Regulation and EU-U.S. Privacy Shield.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor George R. Lynch posed a series of questions to Theo C. Ling, Partner and Head of the Canadian Information Technology/Communication Group at Baker & McKenzie LLP in Toronto, on what privacy professionals are most concerned about in the GDPR and Privacy Shield and how companies can take steps to manage the transition.
What was the main concern the survey found for companies regarding their ability to conform to the EU-U.S. Privacy Shield and GDPR?
Regarding the GDPR, one of the top concerns revealed by the survey is that close to half of respondents feel that their organization either does not have the tools to ensure compliance with the GDPR, or else could only obtain such tools at significant cost (14 PVLR 2289, 12/21/15). This finding highlights the challenging requirements imposed by the GDPR, and the perceived lack of cost-effective tools to help ensure compliance.
Regarding the EU-U.S. Privacy Shield, one of the top concerns is that more respondents believe that model clauses, technical safeguards and binding corporate rules are more effective means of protecting personal data transfers than the Privacy Shield (15 PVLR 269, 2/8/16). Taken broadly, this finding indicates that companies shouldn’t seek to rely solely on the Privacy Shield once it is implemented, but should also seek to implement other safeguards for good measure.
Do companies view either the Privacy Shield or GDPR as a bigger challenge to adjust to and why?
I think the GDPR and EU-U.S. Privacy Shield serve somewhat different purposes, so the question of which regime will be more difficult to comply with will depend on the goals and profile of the organization. If an organization is based mostly in the EU, the GDPR will likely be the privacy regime that most directly impacts the organization’s operations. If an organization’s operations depend on data transfers from the EU to the U.S., this would be a strong motivator to sign up for Privacy Shield.
What most surprised you about the survey results?
It was interesting to note that around 85 percent of respondents expressed that they are at least somewhat familiar with the requirements of the GDPR and EU-U.S. Privacy Shield. This finding speaks to the strength of the knowledge of privacy professionals who gather at IAPP meetings, as well as the importance of the GDPR and EU-U.S. Privacy Shield, given that so many professionals are familiar with them so far in advance of their implementation. It was also remarkable that roughly one in three respondents considers the GDPR to be a global game-changer. The fact that such a high percentage of privacy professionals believe that the GDPR is a transformative privacy framework really speaks to its long reach and the high compliance threshold it is establishing.
Survey respondents had a low level of trust that the EU-U.S. Privacy Shield would act as an adequate data transfer mechanism compared to other methods, such as binding corporate rules and model contracts. Do you attribute this to a lack of familiarity with the pact that may change over time?
This probably speaks to the skepticism of privacy professionals generally and their desire to see privacy protected in as robust a manner as possible. Nevertheless, once the requirements under the Privacy Shield have been agreed upon and implemented by the appropriate EU and U.S. bodies, it will absolutely help to protect personal data being transferred from the EU to the U.S., and organizations that engage in such transfers on a regular basis should strongly consider adhering to the program once it takes effect.
What is your advice to companies that face the challenge of adapting to both the Privacy Shield and GDPR over the next two years?
If they have not already done so, companies should take stock of the personal data they collect, process and disclose, and understand the five Ws and a “How” around such activities: (1) what personal data is being collected, used and disclosed; (2) who is engaging in such activities; (3) why personal data is being collected, used and disclosed; (4) where such personal data is stored and transferred; (5) when such personal data will be stored until; and (6) how personal data is protected within the enterprise.
Once a company has a solid understanding of these points and can illustrate that understanding through a high-level summary or data map, the company should first analyze which privacy requirements under the GDPR and Privacy Shield apply to it, and then identify and take the necessary steps to most effectively and efficiently comply with such requirements. This may require the development of privacy notices and policies, the implementation of privacy training, the vetting of third-party contractors and the agreements with them, the enactment of data transfer agreements between parties that share and receive personal data inside and outside of the enterprise, and the installation of technical, organizational and physical safeguards, among other things.
How does conducting surveys like this help Baker & McKenzie better serve its clients?
A survey like this helps our clients understand what dedicated privacy professionals are thinking about when it comes to upcoming privacy regimes. For example, it is helpful to note that the majority of respondents recommended that organizations sign up for Privacy Shield once it is implemented, and around 7 out of 10 respondents believe that organizations will generally need to invest at least some additional budget and effort to comply with the GDPR, particularly with respect to the data mapping, cross-border transfer and consent requirements. The survey responses represent a snapshot of the views of a significant body of privacy professionals, including those working at sophisticated multinationals and data protection authorities, as well as privacy lawyers and consultants. All in all, our aim with surveys like this is to spread awareness of the requirements and issues that may apply to clients and organizations more generally.
Theo Ling would like to thank Jonathan Tam, associate at Baker & McKenzie LLP in Toronto, for assistance.
The complete Baker & McKenzie survey, Preparing for New Privacy Regimes: Privacy Professionals' Views on the General Data Protection Regulation and Privacy Shield, can be found at http://src.bna.com/fKG.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)