Here at the IAPP Global Privacy Summit in Washington, it was easy to understand why Borden Ladner Gervais Partner Eloise Gratton’s interview with Isabelle Falque-Pierrotin was filled to the brim with anxious privacy professionals. With just two months until the go-live date of the EU General Data Protection Regulation, everyone wants to hear thoughts from the former Article 29 Working Party chair and current CNIL president about what enforcement looks like on May 26.
The good news: “Even if you’re not finished [preparing for the GDPR] on the 25th,” Falque-Pierrotin said, “this is not a problem. This is a learning curve, and we will take into account, of course, that this is a learning curve.”
“The role of the regulator,” she said, “is to be very pragmatic and to be proportionate.”
However, it’s important that you “start today, not tomorrow,” she said. “Today.”
Likely, those in the room here at the Summit have already begun preparations, and there was a chuckle in the room when Falque-Pierrotin said the first step toward compliance was to “take the privacy issue seriously,” but heads were certainly nodding as she continued her remarks. “It’s a change of culture in your company,” she said. “You need to make sure that this question of compliance is not focused on the legal departments, but throughout the company. It is a strategy question; it’s not a technical legal question. It has to rise to all levels of the company and obey to a strategic decision from the top.”
It’s a simple matter to read the law, she said, but “we all know that beyond the technical obligation there is the governance issue in most companies. Which means it is a power issue. Who will be in charge? With what powers? How do you get the IT, marketing and other departments engaged? These questions are more difficult to deal with than the purely legal questions.”
Of course, the audience also had a slew of purely legal questions.
One of them stumped Falque-Pierrotin: What if the FBI, one attendee asked, is telling a company not to notify the regulator of a breach because they’re worried about information leaks and an investigation is ongoing? How would a European DPA look at that delay in notification beyond the 72 hours?
“That is a conflict of loyalty we’ll have to study very carefully,” she said. “I can realize the point of this, but, hmmm.”
She paused in thought. The audience laughed.
“As you can see,” Falque-Pierrotin said, “the GDPR is a learning curve for everyone.”