Since the European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018, it has had – and will continue to have – a significant impact on how companies do business across the world. In our experience of working with numerous different companies on GDPR compliance efforts, we see the following as being the three key areas of enduring impact for information and compliance professionals:
1. Data privacy and cyber security issues are now unequivocally board-level issues.
The GDPR, as is now well known, allows privacy regulators in the European Economic Area (EEA) to levy fines of up to the greater of EUR 20m or 4% of the total worldwide annual turnover of the relevant corporate group. Such fines are no longer merely theoretical: the French privacy regulator (the CNIL) recently levied a EUR 50m fine on Google. We expect other significant fines to follow as the various investigations commenced in 2018 are concluded.
In addition, we expect the GDPR to be used by individuals to recover damages for both financial and non-financial loss, and also to be deployed in business-to-business litigation. Unlike regulatory fines, damages recoverable by individuals or organizations that rely on the GDPR in litigation are not capped. Because of these potential liabilities, many of our clients now disclose the GDPR as a key risk factor to their regulators, shareholders and other stakeholders. Information and compliance officers should therefore ensure that the board is kept adequately informed of the state of the company's GDPR preparedness, and should undertake prompt remedial measures in areas of particular weakness so as to reduce enterprise-wide risk. Ensuring that a company is properly prepared for, and responds effectively to, privacy and cyber security threats is a key corporate governance responsibility of directors and senior officers.
2. Cyber security is, arguably, the most significant area of ongoing legal risk for information management professionals – and it is not just about the GDPR.
Once a company has completed a GDPR compliance project, the most significant remaining area of information risk is cyber security incidents. The GDPR requires personal data breaches to be notified to the competent EU privacy regulator "without undue delay" and, "where feasible", within 72 hours of the company becoming aware of the breach; where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed. In our experience, companies are taking this very seriously, and the statistics are telling. According to the European Data Protection Board (the body that brings together the EU's national privacy regulators), over 89,000 personal data breaches had been reported to EU data privacy regulators since the GDPR came into effect. Significantly, this figure may not include cyber security incidents reported under parallel EU and UK regimes (such as the UK Financial Conduct Authority's rules, the EU Market Abuse Regulation, the UK Network and Information Systems Regulations 2018 and the ePrivacy rules), which carry their own notification requirements.
While companies are justifiably focussed on the GDPR in this respect – after all, it contains the first EU-wide, industry-agnostic mandatory data breach notification regime – they should not ignore these other sector-specific breach notification requirements. In our experience, sector-specific regulators (such as the UK's Financial Conduct Authority) can take cyber security incidents just as seriously as, if not more seriously than, their counterparts at the UK Information Commissioner's Office (the UK's GDPR regulator).
In our experience, companies that wish to prepare for cyber security incidents need a sophisticated, company-specific incident response plan that draws in stakeholders from senior management, the Chief Information Officer, the Chief Information Security Officer, the General Counsel and the Chief Compliance Officer. The plan should cover the entire gamut of breach response, including training employees and identifying suitable outside counsel, forensic providers, cyber risk insurers and public relations professionals. Given the 72-hour notification window, the plan should also define who decides whether a regulator must be notified, and on what information, so that the decision is not left to be improvised during an incident. Perhaps most significantly, breach response must be tested through a realistic cyber security table-top exercise tailored to the company. Such tests are particularly useful for information and compliance professionals who need to demonstrate to regulators, the C-suite or the board that they took effective measures to prepare the company for cyber security threats.
3. Individuals’ rights under the GDPR are complex – and, as a result, companies require sophisticated and pragmatic legal advice.
The GDPR provides individuals with enhanced, and in some cases entirely new, rights with respect to their personal data. Individuals may, for example, request a copy of their personal data in a portable format, ask for their personal data to be deleted, or object to direct marketing. Respecting these and other individual rights can be challenging for companies: for example, a company may have to undertake an e-discovery-like exercise to locate and provide an individual's personal data. In other instances, companies have to balance competing considerations: for example, an individual's request for erasure of his or her data may conflict with a non-EU law that requires the company to retain the same data for compliance purposes.
While the issues are complex and the scope of the GDPR is indeed extensive, it is also important to recognize that some of its provisions are not as restrictive as some commentators anticipated. For example, although some interpreted the GDPR as always requiring individuals' opt-in consent before a company can engage in direct marketing, this is not in fact the case (the GDPR itself recognizes that direct marketing may be carried out on the basis of legitimate interests). An overly, or erroneously, restrictive interpretation of this kind has unwelcome consequences, as it can greatly diminish the value of marketing databases. Navigating the GDPR successfully therefore requires not only keen technical legal analysis but also pragmatic, sophisticated and business-focused guidance.