On January 16, 2019, Hunton Andrews Kurth hosted a breakfast seminar in London, entitled “GDPR: Post Implementation Review.” Bridget Treacy, Aaron Simpson and James Henderson from Hunton Andrews Kurth and Bojana Bellamy from the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth discussed some of the challenges and successes companies encountered in implementing the EU General Data Protection Regulation (the “GDPR”), and also identified key data protection challenges that lie ahead. The Hunton team was joined by Neil Paterson, Group Data Protection Coordinator of TUI Group; Miles Briggs, Data Protection Officer of TUI UK & Ireland; and Vivienne Artz, Chief Privacy Officer at Refinitiv, who provided an in-house perspective on the GDPR.
The briefing provided an opportunity for companies (the “Companies”) to reflect on their achievements so far and to benchmark their GDPR experiences ahead of Data Protection Day, which is on January 28, 2019. A main takeaway of the day was that building a business-friendly privacy environment is an ongoing process that must be viewed from a global perspective.
We have summarized below some of the key discussion points from the seminar.
GDPR Implementation Insights
- Generally Satisfied with Compliance: While the Companies were reasonably satisfied with the bulk of their GDPR implementation work and are now engaged in fine-tuning their data protection compliance programs, the Companies recognized that a number of challenges remain.
- Global Privacy Challenges: Data Protection Officers are seeking to move their companies toward sustainable privacy programs that ensure GDPR compliance, yet also address global privacy challenges beyond the GDPR. The Companies view GDPR compliance as important, but not as an end in itself, particularly given recent developments in other parts of the world, such as India and Brazil. The Companies recognize privacy as the new normal, and are working to build efficient programs to address privacy challenges at an international level.
- Maintaining a Culture of Privacy Awareness: Maintaining and developing a culture of privacy awareness within their companies is a key concern for privacy leaders. Some business leaders viewed the GDPR as a completed task once the implementation date of May 25, 2018, had passed, rather than an ongoing responsibility; and privacy leaders have been working hard to correct this view.
- Territorial Scope: Many of the Companies have struggled to interpret the territorial scope of the GDPR. Insights from the European Data Protection Board’s Guidelines on Territorial Scope (3/2018), published in November 2018, have helped to clarify the position on topics such as the location of the protected data subjects, the use of non-EU based processors and the nature of a non-EU processor’s obligations.
- Data Processing Agreements: Implementing Article 28 requirements continues to challenge the Companies, with a broad range of positions being adopted when negotiating data processing agreements. Negotiating liability caps and exclusions can be complex, due in part to the risk of reopening broader liability and other contractual issues. It will likely take some time for market practice to evolve.
- Increased Training and Tech-enabled Compliance Tools: The Companies mentioned that, in the year ahead, conducting data protection training and awareness programs and rolling out tech-enabled compliance tools (e.g., for DPIAs and DSARs) will play a key part in enabling ongoing compliance with the GDPR.
- GDPR and Future Privacy Challenges: The Companies stressed the difficulties encountered in interpreting and implementing GDPR obligations in the context of artificial intelligence, machine learning and the big data challenges of tomorrow. Companies will need to find innovative ways to accommodate big data while respecting data subject rights.
- Increase in Complaints and Breach Reporting: As expected, data protection authorities (“DPAs”) have already been required to deal with a significant volume of complaints (according to one report, 42,230 throughout the EU) and reports of data breaches (some 500 per week in the UK in the first few weeks after the GDPR took effect). Breach notifications across EU Member States have reached levels that are barely sustainable for most EU regulators. This is a consequence of the low notification threshold set by the GDPR, and of organizations adopting a very conservative approach towards notification. The ICO has reminded organizations that not all data breaches need to be reported. Other DPAs have a differing view, pointing to the need for more comprehensive guidance on this topic.
- Inconsistency across Member States: There are already examples of inconsistent approaches by EU DPAs in relation to the implementation of the GDPR framework. Perhaps the starkest example of this is the 21 separate DPIA frameworks adopted at a national level. Staffing levels between DPAs differ, and differences in enforcement strategy are also likely. It will take time for differences to be reconciled, and in some areas they will remain. Just as companies require time to embed and fine-tune their implementation of the GDPR, regulators will also require time to adjust to the new regulatory environment.
- Moving Beyond Local Compliance to Global Privacy Accountability: Privacy frameworks are evolving and organizations face the challenge of moving their focus from local legal compliance to implementing a global operational privacy framework. The GDPR is now viewed as a template by countries seeking to craft new privacy laws. It offers a major step forward towards an operational privacy framework, but global privacy accountability will remain a challenge.
- Local Challenges: Privacy leaders aspire to ensure that at every level of their organization, staff recognize the privacy issues raised by each decision, and assess the privacy risk for affected data subjects.
- Future Challenges: Major legal challenges highlighted by participants included Brexit, the e-Privacy Regulation and the likelihood of legal challenges under the GDPR.