The Privacy Advisor | Countdown to GDPR: Part 4 — The digital single market

The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens.

The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous.

The main challenge for corporations will be assessing their current information collection and storage systems against the new regulations and ensuring compliance before the deadline. Accountability is critical, and concepts such as pseudonymisation will become commonplace under the new regulations.

In addition, the cross-border transfer of EU residents’ data outside the region will become much harder. The EU Commission will assess third countries’ level of protection by carrying out "adequacy" assessments binding to all member states. They will then carry out reviews every four years to ensure continued compliance.

Any businesses that collect sensitive personal information will need to carry out and regularly update gap analyses, data protection impact assessments, privacy audits and data breach roadmaps in order to stay on the right side of GDPR.

This series aims to highlight the profound level of impact this new GDPR legislation will have on organizations. Nine data protection experts from Germany, Belgium, The Netherlands, Italy, U.K., U.S., Luxembourg, Sweden and France discuss how they are helping their clients reach GDPR compliance and emphasize some of the structures businesses should put in place to avoid a crippling fine.

What solutions are you offering to clients wrestling with GDPR compliance and the challenges of the digital single market? Any concrete examples?

U.S. — William Shawn
Besides, obviously, making plans for the appropriate jurisdiction and the data retention that will take place in the U.S., we do have a patented process, which automates the process of developing a secure, GDPR-compliant environment which is database agnostic.

The U.S. patent number is 9,621,539 issued in April 2017 for our "Method and Apparatus for Securing the Privacy of a Computer Network." It tracks and automates compliance for U.S. companies with original data.

We are applying through the cooperation treaty for protection for the process within the EU and we will make it much easier for entities to comply with GDPR, automating a lot of the things that would otherwise be done manually.

France — Alexander Roth
Most users and company CEOs aren’t really aware of the threat and the risks they are running in certain circumstances. We detect the deficiencies and help them to build their cybersecurity systems with the help of specialists. We also give lectures to our clients and other companies, to heighten awareness and familiarize them with the standards surrounding data protection.

England and Wales — Kerry Beynon
We have launched a GDPR service called Acuity DataGuard, which has a menu of options for clients. It starts with a gap analysis. We provide a report to tell you where to focus attention for GDPR compliance, and we also offer a follow up service to help with drafting policies and procedures, drafting agreements, negotiating contractual changes and staff training.

We have a 24-hour call-out if you suffer a data breach, with a hotline that puts clients through to one of our three data protection partners. We help clients manage data breaches, public relations and the resources needed to get services back on track. We collaborate with two other companies, including cybersecurity experts Wolfberry and software firm Pervade Software. Pervade Software has a monitoring tool which monitors IT infrastructure in real time and tells organizations if they are being hacked.

We were short-listed at the Law Society Excellence Awards 2017 (Excellence in Technology category) and are part of the Wales Cyber Security Cluster, bringing together and sharing best practice in the cyber industry.

Sweden — Anna Fernqvist Svensson
We have not come as far as Kerry yet, but we are assisting our clients, giving advice and helping them to draft policies and agreements. We also provide staff training if they want that. We try to work very closely with clients and involve different departments such as HR, IT and others.

I am a member of the ICC committee for the digital economy and attend these meetings internationally. I am also a network leader for JUC, a Danish network in the field of data protection.

Italy — Ruggero Rubino Sammartano
It is impossible to think of one solution as a panacea for everything. For every client we make sure to evaluate their needs, assessing the actual risks and pointing out criticalities. The standard solution is not always the most appropriate, so we partner up with the client aiming to find the right balance between their business needs and the legal framework. The aim is to facilitate the smoothest transition possible.

We use a flexible multidisciplinary team, which is ready to face any variables relating to the protection of data.

Luxembourg — Cecile Porcher
Given the size of our firm, we are in the same situation as Anna; helping our clients with legal issues and compliance reviews. We point out legal issues and how to address them, referring them to national data protection laws and GDPR. We are partnering with an organization called EuroCloud, in its side project called Cloud Privacy Check.

EuroCloud is a non-profit organization aiming to deliver digital know-how and best practice policies to cloud computing customers and providers, startups and research centers. It was set up before the GDPR, when there was more difference between EU countries. They are changing their optic now so as to integrate the GDPR and its newest developments.

Belgium — Steven de Schrijver
We offer our clients a wide range of services in order to meet their requirements under the GDPR, including conducting GDPR-compliance scans or more extensive privacy audits, assistance with privacy impact assessment and advisory services, such as drawing up data breach roadmaps.

We also review legal documents, employment agreements and data transfer agreements, organizing staff training or awareness sessions if required. We coordinate technical and security measures and risk assessment with established partner firms and cooperate with them on data mapping, project management, data classification and change management projects for clients.

In the wider digital single market initiative, we advise clients in the retail sector on how to harmonize their contracts for the supply of goods and services online, end geographic restrictions that result in customers paying different prices or customers being denied access to websites or services due to their location (geo-blocking).

By the same token, the European Commission wants to introduce price transparency and regulatory oversight in the parcel delivery market in order to promote cross-border delivery. We work with clients on monitoring and implementing these new measures.

Germany — Kathrin Schürmann
Of course, we offer our clients all the gap analysis and the structuring of data management systems. We also supply IT expertise and pen tests. What we have additionally is a tool which is a DIY kit, designed to test and comply with GDPR. It employs templates and explains how to use them. We have our own company for online training and GDPR compliance in English, German and French.

The Netherlands — Bart Sujecki
We can check the remaining contracts that are applicable and do a risk analysis for the client. We also build awareness by giving little lectures and telling clients about the aspects they have to take into account with the new regulations. Additionally, as my firm is admitted to both the German and Dutch bar, we give our Dutch clients an awareness of the German market and vice versa.
