At the IBA Annual Employment and Discrimination Law Conference in Montreal, I spoke about the GDPR this morning. Here are excerpts of what I said:
We are going to talk about the GDPR this morning. I am the founding partner of a German IP and IT boutique. For the past two years, we have had 15 lawyers working exclusively on GDPR projects of all shapes and sizes. And I am here to share some of my experiences with you.
Big Budget & Differences in Perspective
GDPR work is big. Not just in Europe. But also in the US and in Canada. An estimated 9 billion US dollars has been spent by global companies on legal fees – in the US and in the UK alone (Smith, „The GDPR Racket: Who’s Making Money From This $9bn Business Shakedown“, Forbes 2 May 2018). Heaven for lawyers and privacy professionals. In Europe, in America and all over the world.
From a European perspective, the GDPR is about protecting the fundamental rights of European citizens. From an American point of view, there is a clear extraterritorial touch. As soon as a US or Canadian company does business in Europe – be it online or offline – the GDPR applies.
Driving Force
The GDPR is not so much about new rules on data protection. Most of the rules are old. Some bits and pieces have been changed. No more than that. There is, however, one truly revolutionary change: under the GDPR, data protection will have teeth. Fines of up to 20 million EUR, or 4 percent of worldwide annual turnover, whichever is higher, are introduced (Art. 83 GDPR). Under the previous national laws, fines varied from country to country. In Germany, the maximum was 300,000 EUR.
The fines are the force that is driving compliance work. The fines are the reason why privacy lawyers are making very good money at the moment.
Nobody invests as much into GDPR compliance as US companies. They will be the preferred targets of European regulators when it comes to enforcing huge fines. And compliance is an American invention. US companies tend to take compliance much more for granted than their European counterparts. European companies are often more pragmatic. They look at the modest resources of European regulators and do not expect much enforcement of the GDPR.
The 3 Most Important Steps Towards GDPR Compliance
When you do, however, have risk-averse clients and they ask you for the three most important steps towards GDPR compliance, here is my answer:
- Step One: A data inventory is required.
Be it employee data or customer or marketing data, data processing needs to be described and justified (this is the record of processing activities that Art. 30 GDPR requires). Should there be a complaint by an (ex-)employee or a dissatisfied customer, chances are that the first thing the data protection authority will ask for is the inventory.
- Step Two: Update all privacy policies.
There are extensive lists of obligatory bits of information that need to be included in privacy policies. Do, however, avoid drafting policies in US style, giving your clients maximum leeway in order to prevent regulators from finding that the clients have stepped beyond their own policies.
In Europe, privacy policies are irrelevant when it comes to the lawfulness of data processing. The lawfulness depends on „legal grounds“ outside the policy. When a policy is worded too widely, this may be taken as clear evidence of data processing that is unlawful for lack of legal grounds. What is good for the US will often be counterproductive and damaging in Europe.
- Step Three: Prepare for answering access requests within the obligatory response time.
Mark my words. And chances are that I will be proved wrong. I do, however, expect access rights to become a major issue once the GDPR applies. Under the GDPR every European citizen can randomly bombard companies and organizations with access requests: „What data are you storing on me?“. Such access requests need to be answered without undue delay and in any event within one month (Art. 12(3) GDPR; the period may be extended by a further two months for complex or numerous requests, but the requester must be informed of the extension within the first month).
This is likely to be quite a challenge for many businesses and organizations, especially with the threat of dissatisfied citizens turning to the data protection authorities complaining that the company has not responded to their access requests in time. On top of that, consumer organizations, privacy activists and plaintiff lawyers are likely to encourage citizens to be highly proactive when it comes to their „right to know“.
Companies had better be prepared for that. Access requests need to be identified without delay, whoever controls the mailbox where the request arrives, since the one-month clock starts running on receipt. The person receiving the request needs to know who in the company is responsible for dealing with it. And the person in charge must have the tools and resources to identify the relevant data without losing too much time, and to verify the identity of the requester where there is reasonable doubt about it (Art. 12(6) GDPR).
The Elusive 100-Percent-Compliance
Three steps towards compliance. This is, of course, far from 100 percent. But 100 percent is no more than an illusion. Even organizations that have spent many millions on GDPR compliance will fall short of 100 percent. And when you talk to data protection authorities and ask them how they achieve GDPR compliance in their own sphere, they will admit that there will be weaknesses and failures. Chances are that they will understand that 100 percent is nice to have but impossible to achieve.