Businesses are working to prepare for the 25 May 2018 effective date of the General Data Protection Regulation (GDPR). Throughout and beyond the EU, companies across sectors are embracing the challenge of mapping their data processes and revising existing policies and procedures, or implementing new ones, to ensure GDPR compliance. Multinationals' reactions to the process vary widely. While some have welcomed the GDPR as an opportunity to expand their compliance culture and strengthen their compliance framework, others have been overwhelmed by the strain this detailed process places on a wide range of internal resources.
But what will happen after 25 May 2018? May businesses declare their GDPR efforts completed and pivot to the other challenges arising in today's seemingly turbulent environment? This seems unlikely. Although the date itself is seen as a watershed, we anticipate that businesses will continue to face a range of significant GDPR-related challenges long after 25 May 2018. Even for those who are compliant already, the work of maintaining and updating their GDPR framework is just beginning. Because the interpretation and application of the GDPR will continue to evolve from 25 May onwards, with many uncertainties, some of which are outlined below, companies will have to keep allocating resources to GDPR compliance well after this date.
First, we anticipate that, across the EU, differences in the interpretation of the GDPR's wording will arise. Despite Europe's more or less unified privacy law, the cultural background and current policies and politics of the EU member states signal a likelihood of significant differences in the application and interpretation of the GDPR. GDPR terminology that could give rise to divergent interpretations includes concepts such as "fairness", "transparency", "legitimate interests", "high risk", "risk-based approach", "accountability" and "best interests of the child". Interpretational differences seem likely because member states' data protection authorities might analyse that terminology starting from their prior, longstanding and diverging national case law and legislation. That law diverges on, for example: the extent to which the result of a legitimate-interests balancing test must be disclosed to the data subject; whether categories of recipients or specifically identified recipients must be disclosed in privacy notices; and whether a single consent wording may simultaneously authorise processing operations carried out by several data controllers and, if so, in what context.
The impact of national laws
Second, while the GDPR will be directly applicable in the EU member states, it contains more than 50 opening clauses which each member state may fill by way of national law supplementing the GDPR. While the vast majority of member states have yet to draft or adopt such law (as explored in detail in our GDPR National Legislation Survey), we expect the interplay between those national laws and the GDPR to give rise to significant challenges and to require businesses to understand not only the GDPR but also the various national laws. Pre-GDPR national laws are also likely to have an impact, in that member states will probably hold on to certain provisions and practices to the extent permissible under the GDPR. Those effects are likely to be felt most strongly in sectors where member states have traditionally maintained stricter legislation, such as HR and healthcare. More generally, an example affecting all sectors, and on which different national approaches could emerge, is the lawfulness of processing criminal-offence data when conducting background checks on prospective employees. Additionally, it remains unclear whether the national law of the service provider's member state or that of the data subject's member state will apply where services are provided across borders.
New concepts and regulator guidance
Third, the GDPR articulates requirements that are relatively new to many businesses, such as privacy by design and privacy by default. The GDPR mandates data protection impact assessments, as the practical execution of the privacy-by-design requirement, where processing is likely to result in a high risk to the rights and freedoms of individuals. So, while many businesses will be required to undertake data protection impact assessments, the GDPR sets out only the minimum content of such an assessment (a description of the processing, an assessment of its necessity and proportionality, an assessment of the risks, and the measures envisaged to address them) and does not prescribe the methodology for carrying it out. Guidance from supervisory authorities will be needed before it is clear what will actually be required in practice.
Furthermore, the expanded range and scope of data subjects' rights, coupled with the storage limitation principle and its strict data retention requirements, are issues that will receive systematic and (more or less) clear interpretation only after the GDPR has been in force for some time. In the meantime, companies and practitioners will be challenged to define the possible limits of the rules the GDPR sets up.
GDPR compliance will require new approaches to privacy compliance. Rather than focusing only on their privacy policies as such, businesses must build privacy controls into their project management methodologies and software development and change management processes. Internal and external data privacy lawyers will need to work with businesses in new and different ways. Lawyers must cooperate closely with information security specialists to identify the appropriate technical and organisational measures (the GDPR itself names pseudonymisation and encryption as examples) and to understand the operational, IT and information security risks that collecting, storing, processing and transferring personal data pose to a business. The ability to provide innovative solutions across the EU that enable businesses to address these myriad and potentially inconsistent requirements, while remaining competitive, is key.
While 25 May 2018 will soon be here, much more time will be needed to bring fully to light, and to address, the challenges that businesses will face in processing personal data under the GDPR. On a final note, we recommend seeing the GDPR as an opportunity to overhaul your business's approach to data and to ensure the responsible handling of data going forward.