While acknowledging it might be a little early in the game to start any kind of meaningful pragmatic planning, panelists spanning various sectors used their session at the IAPP Europe Data Protection Intensive Wednesday to give privacy pros some practical tips on “How To Implement the Data Protection Regulation in Practice,” taking educated guesses on how certain portions of the regulation will come to reality.
Specifically, panelists Susan Bingham of Privacy and Data Protection Bloomberg, Uwe Fiedler, CIPP/E, of PAREXEL, William Long of Sidley Austin and Susan Symes of Northern Trust discussed preparing for such provisions as the one-stop-shop, the right to be forgotten, data transfers and pseudonymization.
Bingham said, for her part, she’s most concerned about the one-stop shop in terms of clarity. She fears the uncertainty in some of the words in the draft could cause confusion, especially among large organizations that may act as data controllers in several European jurisdictions. For cost reasons, she said, a single company might have one data controller for HR data and another for customer data, often located in different places—and sometimes not based in the EU.
“I think we’ve come a long way,” she said of the mechanism. “But we almost need to have a discussion of how this will work in practice for very large organizations as well as the small ones,” she said.
For his part, Fiedler, who works in the pharmaceutical industry and runs multiple data centers across Europe, said there needs to be harmonization.
“My dream is that during the trialogue process, we may get something we believe is harmonized,” he said. “Eighty percent of the data I’m processing is on behalf of clients, and the office is half in Berlin and half in the U.S.” That creates complicated compliance issues, he said. Under the proposed regulation, he wonders how that will affect his company’s responsibility as a processor and controller both.
“Do I have to do a PIA internally and on my clients?” he wondered. “Do I have to go to all the project managers and ask about what they are processing? I’m not sure this form of harmonization would be really as I expected in the beginning.”
In Germany alone there are 16 data protection authorities (DPAs), he said, all with different ideas about what data the industry can and cannot process. He said he hopes DPAs will look at mutual recognition systems like Binding Corporate Rules (BCRs) and apply the same logic to the one-stop shop. But he’s not confident that will happen.
Bingham agreed she’d like regulators to follow the BCR model of cooperation—in which a lead DPA is backed by two supporting DPAs in approving a company’s data transfer processes—because it’s been shown to work. As it stands now, there’s “an assumption you’re just going to have one authority that will make all the decisions, and that just isn’t possible. We’re asking for something that just can’t happen,” she said.
On international data transfers, the panelists agreed Safe Harbor is still a viable solution and believe it’s getting a bad reputation unfairly. But if there are to be changes to transfer mechanisms, the panelists largely agreed the idea of a privacy seal has merit and perhaps that, together with a code of conduct, could suffice.
“I would love a seal,” Symes said, adding that data transfer mechanisms are “only as good as the infrastructure you introduce internally.”
“I like your thinking,” she said. “I have come from two Safe Harbor companies and one BCR company, and I can vouch that the compliance programs were the same for all three. It’s not the mechanism; it’s how you comply with it that makes the difference.”
So what can privacy pros do now, while we wait for the final reg?
Bingham said pros should take inventory of the data they have.
“If you can address that and document it, it can go a long way toward accountability,” she said. “While there’s uncertainty with the reg, if from the roots up, and you know you’re compliant with what you have at the moment, it’ll be easier to flex to comply with the reg.”
Symes suggested pros take steps to understand their “gaps.”
“Where do you sit in relation to what’s been published so far?” she asked collected attendees. “That should be your action plan. Spring clean.”
If you want to comment on this post, you need to login.