In less than one year, from 25 May 2018, the General Data Protection Regulation (GDPR or Regulation) will become enforceable. The GDPR introduces a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. Companies now have just one year left to meet the suite of new obligations imposed under the GDPR and implement compliance programs to protect data subjects and avoid hefty enforcement penalties.
In this LW.com interview Latham & Watkins partner Gail Crawford and counsel Ulrich Wuermeling discuss the latest guidance issued in relation to the GDPR and how companies can achieve compliance with Europe’s new privacy regime by the deadline.
What is the GDPR and why was it introduced?
Crawford: The GDPR was drafted to establish a single pan-European law to replace and modernize the current patchwork of national laws that seek to protect consumer data. While imposing new obligations on data controllers and processors, as well as introducing significant fines for non-compliance, the GDPR provides a lot of leeway for the individual EU Member States in how it is implemented, including room for derogations from at least 50 articles. This “margin of manoeuvre” creates a degree of uncertainty for all businesses that are established in the EU, as well as non-EU organizations that offer goods or services or monitor the behavior of EU data subjects.
Are national implementation plans by EU Member States underway?
Wuermeling: Member States are trundling towards national implementation plans; however, many are still in the early stages of this process. Consequently, businesses are facing uncertainty, and there is also the risk that harmonization will be undermined by divergent interpretations of the Regulation by different Member States. Germany has just passed the first-stage implementation law, and the new Act introduces a number of derogations from the GDPR.
Crawford: National regulators have also stepped up to assist data controllers and data processors in meeting their obligations. The UK’s Information Commissioner’s Office (ICO) has issued draft guidance on consent and profiling, and plans to release further guidance on contracts and liability.
Wuermeling: Similarly, in France, the Commission Nationale de l'informatique et des Libertés (CNIL) has prepared guidance on Privacy Impact Assessments (PIAs) and the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on 27 April 2017 to complement the GDPR. On 12 May 2017 the Federal Council approved the Act. Together with our colleagues at partner law firms, we have set out a summary table of how the GDPR is being implemented across the different Member States.
Does Brexit impact the implementation of the GDPR in the UK?
Crawford: The UK has now formally served notice under Article 50 of the Treaty on the European Union, which has triggered a period for negotiation of the terms of the UK’s exit. The UK’s data protection law exists in the form of the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR), which currently govern the processing of data by companies established in the UK or companies established outside the EEA who use equipment in the UK to process personal data.
Following the recent reform of the EU data protection laws, the DPA will be replaced by the GDPR and therefore, Brexit aside, the DPA would likely be repealed with effect from 25 May 2018 — the date when the GDPR takes effect, which will be before the UK leaves the EU. As long as the UK remains a member of the EU, the GDPR will have direct effect, i.e., its terms will apply directly without the need for implementing UK legislation (unlike a directive), and it will be enforced by the Information Commissioner’s Office (ICO).
Can companies prepare for the GDPR if national implementation plans are not yet in place?
Wuermeling: Companies, especially those processing sensitive personal data, will need to respond to what Member State governments are proposing for some areas of the GDPR. However, guidance for data controllers and data processors exists, including guidance by the Article 29 Working Party (WP29) on the new right to data portability, lead supervisory authorities, data protection officers and data protection impact assessments. Further guidance on consent and profiling, data breach notifications, as well as administrative fines and data export is also expected.
Crawford: It should be noted, however, that some of this guidance has been contested. For example, the European Commission wrote to the WP29 expressing concern that its interpretation of the new right to data portability is overly broad. While further guidance is expected, businesses cannot afford to wait. The time needed for compliance, especially for longer-term projects such as records of processing and compliant contracting, needs to be addressed as soon as is practicable.
With the one-year countdown on, what should data controllers and data processors do now?
Crawford: Businesses that operate, target customers or monitor individuals in the EU should audit their existing data practices. We have prepared a GDPR Checklist to help businesses identify key remediation areas in order to achieve compliance by the deadline.
Wuermeling: Companies should also immediately start maintaining a record of data processing activities. While requiring significant internal resources, this mandatory record will help companies to plan for and implement GDPR processes.
Crawford: Businesses should also look to renegotiate existing commercial and outsourcing contracts. The GDPR requires that contracts with data controllers include additional obligations. As you come to renegotiate contracts, it is critical that adequate data protection clauses are added.