Since the General Data Protection Regulation (GDPR) was proposed, IT professionals, lawyers, and consultants have been talking about the potentially game-changing effect that it may have on businesses around the world. Similar to how US citizens in the 1950s and 60s were trained to prepare for a nuclear war, the vast majority of articles and presentations on GDPR relate to how one should prepare for a potential doomsday scenario. The looming risks and challenges to GDPR are real and daunting. Among other things, the regulation has an over-reaching territorial scope, includes the potential requirement of a Data Protection Officer in company practices, and encourages the incorporation of Data Protection Impact Assessments into an amended privacy program. However, there is a silver lining for almost everything, and GDPR compliance is no exception. This article discusses four “silver lining” benefits of GDPR as compared to the current data protection scheme in Europe.
Harmonization of EU privacy laws
One of the biggest complaints from companies operating in Europe is that they have to monitor and comply with the laws of 28 different countries. Under the EU Directive 95/96/EC (“EU Directive”), data privacy laws are essentially addressed at the member state level. To put it in another way, the EU Directive provides a framework for EU countries to develop and maintain their own privacy rules and regulations. This results in current data privacy laws essentially being a patchwork of different laws from various member states, which often leads to uncertainty for businesses and their EU-based clients, as well as substantial costs associated with compliance efforts.
Except for employment or national security-related privacy matters, GDPR will allow companies to focus on one all-encompassing, uniform set of data privacy regulations. This has the potential to help small- to mid-sized companies operating in or collecting information from EU residents. Rather than deciding between “full” compliance, which involves spending significant amounts on legal fees and relying on subjective analyses of various EU member state laws, or rolling the dice with non-compliance in certain EU countries, GDPR may permit companies to save costs and reduce risk by following a uniform set of rules that apply to the entire European Union.
Lead authority one-stop shop
Under the aforementioned EU Directive, there are over 20 different privacy regulations that a company operating in Europe must comply with. Although the EU Directive created a mechanism that was designed to facilitate communication between member state data protection authorities, investigations and enforcement actions are often done separately by various member states.
While companies would have preferred a system where one single privacy regulator has exclusive competence over regulation, GDPR allows companies to deal with one “lead authority” in the company’s place of main establishment. Various state data protection authorities will still have the ability to investigate and enforce data protection issues if a complaint is directed to them, but they must notify the lead authority of their intention to investigate or take action.
The lead authority will then have three weeks to determine whether it wishes to intervene and operate in a joint manner. While there are other nuances and exceptions, as a whole, GDPR’s designation of a lead authority has the potential to encourage various countries to work together on enforcement and investigation matters in a predictable and efficient manner, allowing companies to focus time, energy, and resources on dealing with one regulator.
Data breach reporting
The United States does not have a general federal breach reporting statute. Instead, most US states have their own data breach reporting rules and regulations. The current EU Directive also does not contain a general data breach reporting obligation. Rather, data breach reporting requirements are determined by each member country. Some member states like Germany and the Netherlands have implemented data breach reporting obligations, while other countries such as the United Kingdom, Denmark, and Ireland have not. GDPR introduces a general obligation to report data breaches. GDPR Article 33(1) states that the breached entity must, without undue delay, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
GDPR’s breach notification requirement may be advantageous to most companies. Similar to the burden of keeping track of changes in breach reporting statutes in the United States, the current EU Directive creates a burden upon companies to keep track of breach reporting statutes across member countries. For in-house counsel, contract negotiation over data breach provisions can be lessened and streamlined by virtue of the vendor company providing detailed data breach reporting obligation provisions in its standard contracts as a component of GDPR compliance. Furthermore, the period following a data breach is often hectic. In addition to keeping up with breach reporting regulations, breached companies also have to deal with contractual liability, PCI-DSS issues, and internal business/PR issues. Having to report to only one supervisory authority rather than figuring out which member states to report to saves time and energy for in-house counsel, particularly for smaller in-house departments. GDPR allows companies to have one all-encompassing EU data breach response plan.
Competitive advantage for GDPR compliant US entities
Compliance with GDPR, in addition to the cost and time savings mentioned above, can also serve as a competitive advantage in the US marketplace. Although not directly applicable in the context of a US-based customer company in most cases, a vendor company has the optical advantage of boasting its compliance with more stringent data privacy regulations in the form of GDPR than required under US law. This engenders trust in the vendor, and provides the customer company with the tangible benefits of transparency, privacy, and security with respect to the vendor’s treatment of the customer’s data. Customer companies are increasingly seeking to rely upon their vendors’ regulatory compliance as part of their overall compliance policies, and vendors that comply with GDPR support furthering those initiatives.