The GDPR is the single most important change in the data protection landscape since the 1995 Privacy Directive. It will have a profound impact on the way the processing of personal data is organized and on how companies prioritize the issue of data processing on their corporate agenda. Companies involved in the processing of personal data having a connection with the EU will have no choice but to comply with and respect its requirements.
Our Stibbe data protection team has been involved with privacy related matters for more than 20 years.
Over the past months, we have published a number of articles about the GDPR. We have combined those articles in this single contribution.
In this contribution, and drawing upon our wide experience, we have sought to acquaint you with the key changes brought about by the new Regulation. Rather than seeking to paint an exhaustive picture of the new rules, we have taken a topical approach and have touched upon a series of carefully selected items which, in our view, are most representative of the changes brought about by the GDPR.
In addition, it should be underlined that the data protection landscape is a very dynamic one and will always extend beyond a set of rules in a legal document, however impressive that document may be.
For example, the specific content and boundaries of the obligations and requirements will be further shaped by the guidance to be provided by the Article 29 Data Protection Working Party (“WP 29”). This platform, consisting of representatives of the various DPAs, has set forth a plan for the implementation of the GDPR, as part of which it will issue opinions on several priority subjects. Three sets of guidance have already been published, i.e. on data protection officers, on data portability and on the role of the lead supervisory authorities. Other topics that should be addressed in the near future relate to the notion of high risk, data protection impact assessments and certification. Going forward, the role of the WP 29 will be taken over by the EDPB (European Data Protection Board), which will continue to provide guidance and updates.
In addition, there is a broad call for standardization and for the development of best practices across different industries. Various provisions of the GDPR reflect such a call, and the guidance provided by the WP 29 also calls for standardization and industry best practices. This is, for example, the case for the new data portability right, for which the WP 29 advises data controllers to implement a standardized technical approach to application programming interfaces.
Likewise, the DPAs (Data Protection Authorities) will issue guidance and ensure compliance in a way that aligns the harmonized rules with other national laws, local customs, cultural expectations and sensitivities.
Finally, there is the role of the courts. While it is clear that national courts will have their role to play, it is hard to predict what their impact will be. It is fair to note that, until now, the role of national courts in shaping data protection law has been limited. The same can obviously not be said about the ECJ (European Court of Justice), which appears to be on a mission to further shape and advance the data protection landscape, especially at times when other European institutions have appeared to have difficulty delivering on the subject. For example, in a series of unprecedented decisions, the ECJ has tackled very complex issues such as the right to be forgotten, the data retention issue and EU-US data transfers. At this very moment, applications for the rescission of the “Privacy Shield” have been introduced before the General Court.
All of the above-mentioned factors will turn the data protection landscape into a very dynamic one. This means that companies, in seeking to comply with the GDPR, should ensure not only that they stay informed about further developments, but also that the processes, systems and tools they select to secure compliance are sufficiently flexible that they can be easily adjusted and refitted to embrace those developments. Our team will be on the look-out and we will report regularly on any important changes in the field.
What is more, it is not just about complying with the GDPR as of 25 May 2018 and in a “forward-looking mode”. The challenge posed is wider, as companies today still suffer significant gaps in complying with the Data Protection Directive 95/46/EC and its implementing legislation. These gaps will first need to be filled before thinking about the next steps to be undertaken for compliance with the GDPR. For example, companies will need to consider whether the personal data they have on record today has been collected, and is being processed and retained, in accordance with the currently applicable rules. If that is not the case, they may have a considerable historical compliance gap which will continue to undermine their state of compliance going forward. It is very difficult to build in a sustainable way if the foundations are not sound.
Companies are well advised to duly consider the relevance of data protection and to understand that compliance has become a “must have”. Compliance is in fact not just a matter of law; it is also a matter of ethics. They should be ready to commit to their new obligations and to free up budget and resources. To this end, it is important that they adopt a very structured approach, in view of the limited time available and of the fact that this is a broader challenge that crosses all business lines and segments of a company. In view of the foregoing, only a company-wide approach makes sense. Rather than seeing all of this as a nuisance, companies should also see the opportunity in it, namely that compliance with data protection rules can be a quality label and a competitive advantage.