The Privacy Advisor | Countdown to GDPR: Part 1 — Essential structures for GDPR compliance

Editor's Note:

The IAPP publications team would like to thank IR Global for facilitating this discussion. 

The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens.

The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous.

The main challenge for corporations will be assessing their current information collection and storage systems against the new regulations and ensuring compliance before the deadline. Accountability is critical, and concepts such as pseudonymisation will become commonplace under the new regulations.

In addition, the cross-border transfer of EU residents’ data outside the region will become much harder. The EU Commission will assess third countries’ level of protection by carrying out "adequacy" assessments binding on all member states. It will then carry out reviews every four years to ensure continued compliance.

Any businesses that collect sensitive personal information will need to carry out and regularly update gap analyses, data protection impact assessments, privacy audits and data breach roadmaps in order to stay on the right side of GDPR.

This series aims to highlight the profound level of impact this new GDPR legislation will have on organizations. Nine data protection experts from Germany, Belgium, The Netherlands, Italy, U.K., U.S., Luxembourg, Sweden and France discuss how they are helping their clients reach GDPR compliance and emphasize some of the structures businesses should put in place to avoid a crippling fine.

What are some of the structures your clients should consider putting in place in order to satisfy the EU’s new General Data Protection Regulation?

England and Wales — Kerry Beynon
Technical measures and good information governance are seen as being of equal importance under GDPR.

Information governance means having in place appropriate policies and procedures and training your staff. In terms of technical measures, we are encouraging our clients to look at their cyber governance, including Cyber Essentials and various other accreditations. This allows testing of the IT systems and also the physical infrastructure of buildings.

To put in place appropriate technical and organizational measures, you really need to have carried out an audit of the business plus a gap analysis. We then look to put policies and procedures around that. It is important to keep paper items secure, as well as treating information governance and technical measures as being equally important in a holistic approach.

Sweden — Anna Fernqvist Svensson
We also try to assist our clients with policies and training. When it comes to audits, I see that many clients find it difficult to deal with the practical side of GDPR. I sometimes wonder whether I am a lawyer or someone who has to hold the hands of the clients to find out which registers they need to be on and which data they are processing.

How we can better help clients initiate this piece of work is an interesting question. I have a client that now has to appoint a data protection officer, a post they have never needed before. We had a very interesting discussion about how this would work when handling sensitive data, and whether there could be a joint DPO shared with another organization.

Luxembourg — Cecile Porcher
To avoid redundancy with what has already been said, I will just say that we provide the same type of advice as my fellow lawyers and face the same issues. Regarding technical measures, there are a lot of things to be done around control, impact and risk assessment, so there is usually a need for more than one person to be in charge of these topics.

Given the various tasks to be tackled and the reinforcement of the data controller’s liability, there is definitely a need for a specific person or service within the entity to be in charge of that protection. So one thing for sure we highly recommend is that our clients have a DPO or its equivalent, whether or not they have an obligation to have one.

Germany — Kathrin Schürmann
Privacy governance is a key factor for implementing the GDPR for big group companies. When we start a GDPR project we usually begin with a gap analysis to get an overview of how the client’s operation worked before within the German Data Protection Law.

We can then get a good plan together for what needs to be done in pursuit of GDPR compliance. The most important thing, initially, is to structure the data protection management system for company and clients, taking into account privacy governance. For example, it is important to establish a data privacy governance structure on how the company will ensure data privacy compliance with new GDPR regulations in all entities.

Most of our larger clients have chosen a hybrid model for their subsidiaries in the European Union, which means a central DPO and coordinators in all other entities. In Germany, it is not new to have the obligation to appoint a DPO, so there is usually already one in place. In the hybrid model we additionally work with the other subsidiaries, using some kind of data protection coordinators.

This provides pretty good data protection governance within the whole group and ensures that every group company will have the same standard of GDPR governance. The hardest work in every company is to document the overview of processing, including who has access to data and when it will be deleted, as well as the documentation of all the technical measures including the data privacy impact assessment process.

It also involves an overview of all existing data privacy agreements, updating them and putting new ones in place when required under GDPR. It is also important to comply with the transparency obligations, since there could be claims from the affected persons.

Italy — Ruggero Rubino Sammartano
For some of our clients the gap analysis process is not straightforward, but it is definitely the first step towards compliance. One size doesn’t fit all, and each client has different data management needs, which means different attitudes and different measures need to be considered in each case.

We aim to offer clear visibility of the framework within which the client has to operate, achieving compliance with the GDPR while avoiding any business disruption. In some environments an external consultant acting as DPO can reduce uncertainties and train internal staff to take over the role in the future.

In other cases, an internal resource is not necessary, and an external consultant can manage the process on an ongoing basis.

France — Alexander Roth
Given our firms’ experience in Franco-German business relationships, the contrast between implementation of the GDPR in France and Germany is great. We, in France, are undergoing a complete reversal of the actual systems we already have in place with the data protection authorities. We have been operating under a preliminary declaration procedure, where, prior to collecting data, companies declare the nature of the data plus the amount, value and intended use to the French Data Protection Authority, the CNIL.

New GDPR compliance requires a complete reversal, because we will not be operating on a preliminary declaration basis anymore, but a compliance basis, with accountability, responsibility and privacy built-in by design. This requires familiarizing our clients with the new GDPR regulations and entails an audit of the company’s activities and the nature of the information collected. We don’t think this requires the systematic presence of the DPO, because that will depend on the nature of the data collected and whether the information is sensitive or not.

This is all very new and there is a greater responsibility lying on the clients, so we will accompany them, as we have been doing for a few years now, in adopting the specific technical measures and their management.

U.S. — William Shawn
Awareness of GDPR in the U.S. is non-existent, except for the most substantial and sophisticated companies.

In the U.S. there is tension between privacy and legitimate government concerns around accessing the personal information of bad people and there is already a substantial privacy operation in the U.S. with regulations like Sarbanes-Oxley and Dodd Frank.

There is some consciousness around GDPR with regard to the whole regime being changed and substantial liability for violating these rules, so our analysis for clients focuses on what personal information the company has on EU subjects, and, secondly, what the company has to do to protect that information. Our implementation will focus on appointing data protection officers and complying with opt-in notifications. We expect a groundswell revolution for insurance coverage and documentation or indemnification in defense and hold harmless cases and such. There are great opportunities to help bring U.S. companies into compliance because of this lack of awareness.

The Netherlands — Bart Sujecki
What we are doing in The Netherlands is not only looking at how to prevent data protection infringement, but also how to deal with it when it happens. We advise clients to just imagine there is a data leak and consider what steps they should take in order to prevent that happening in the first place. There is the danger that companies in The Netherlands will be faced with very high fines, but the problem is not just how to prevent data protection leaks, but how to face them and what to do when they occur.

The other thing is to discuss how to appoint a data prevention officer. Dutch data protection law does not have experience with that, in contrast to Germany.

Belgium — Steven de Schrijver
Companies should regularly check the guidelines and communications issued by the WP29 and ICO between now and the entry into force of the GDPR in May.

This should involve scrutinizing privacy policies and the compliance of third parties with whom they contract for their data processing and collection activities. Accountability will become a key concept under the GDPR and requires companies to be able to demonstrate their compliance.

Auditing what personal data they are collecting and what they actually use it for is important, as is running data protection impact assessments or DPIAs to check whether the collected data might pose a high risk to data subjects in case of unauthorized disclosure and whether the collection thereof should be notified to the competent data protection authority.

Pseudonymization is a newly introduced and heavily promoted practice under the GDPR. It separates data from direct identifiers so that it cannot be linked to a specific data subject without the use of additional information which is held separately. More lenient data protection rules and relaxed standards will apply to data controllers that use this privacy-enhancing technique. For example, the GDPR permits the processing of pseudonymized data for uses beyond the purpose for which the data was originally collected.

Recital 78 and Article 25 of the GDPR list pseudonymisation as a method to demonstrate compliance with GDPR requirements such as Privacy by Design, allowing it to steer a well-balanced middle course between respecting the privacy of the data subjects and still enabling the commercial value to be retained, and the use of the data even expanded.
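Pseudonymisation as described above, separating records from their direct identifiers so that they can only be linked back to a person with additional information held separately, is shown below as an added example. It is not part of the original article nor code from any of the participants. It assumes a keyed HMAC-SHA256 token as the pseudonym, a handful of constructed sample records, and that both the key and the re-identification lookup table live in a separate, access-controlled store (here simply separate Python objects).

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and purchases are invented.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "purchase": "umbrella"},
    {"email": "bob@example.com", "name": "Bob Example", "purchase": "kettle"},
    {"email": "alice@example.com", "name": "Alice Example", "purchase": "boots"},
]

# Fields that directly identify a data subject and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed token: the same identifier under the same key always
    yields the same pseudonym, so records of one subject stay linkable to each
    other, while anyone without the key cannot recompute or reverse the token."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split each record into a pseudonymised copy and a separately held lookup.

    Returns (pseudonymised_records, lookup). The lookup maps pseudonym -> direct
    identifiers and, together with the key, is the 'additional information held
    separately' that the GDPR definition refers to. The key itself is an
    assumption of this example: it would normally come from a key store."""
    lookup = {}
    pseudonymised = []
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"subject": token, **stripped})
    return pseudonymised, lookup


def purchases_per_subject(pseudonymised):
    """Analysis that works on the pseudonymised copy alone: no identifiers needed."""
    counts = {}
    for rec in pseudonymised:
        counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return counts


def reidentify(pseudonymised_record, lookup):
    """Re-linking is only possible with the separately held lookup; returns None
    when that additional information is not available."""
    return lookup.get(pseudonymised_record["subject"])


if __name__ == "__main__":
    # A fresh random key per run; in practice the key is generated once and
    # stored apart from the pseudonymised dataset.
    key = secrets.token_bytes(32)
    data, lookup = pseudonymise(RECORDS, key)
    for rec in data:
        print(rec)
    print("purchases per subject:", purchases_per_subject(data))
    print("re-identified first record:", reidentify(data[0], lookup))
    print("without the lookup:", reidentify(data[0], {}))
```

Two points worth noting for anyone applying this. First, the strength of the separation rests entirely on how the key and lookup table are stored and who can read them; if they sit next to the pseudonymised data, nothing has been separated. Second, pseudonymised data is still personal data under the GDPR (Recital 26 says so explicitly), so it remains in scope even though the regulation treats it more leniently.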

photo credit: Move The World via photopin (license)
