17 October 2018
EU data protection rules
GDPR: The Herculean quest for compliance
The European Union’s General Data Protection Regulation has kept many businesses and legal departments busy in recent months. Efforts to become compliant with the new law are on-going, amid complaints of spiralling costs.
This is not due to a lack of awareness. Instead, many companies have assumed it be largely, or even solely, an IT issue. However, that is not the case. Duncan Gillespie, a senior solicitor consultant and specialist EU and Competition Lawyer with My Business Counsel says: “It’s not just a question of software updates. Every organisation will have to employ a Data Protection Officer and also ensure that their internal systems are geared towards compliance. For example, if an organisation receives a right of access request, they have just 28 days in which to respond. Failure to do constitutes a breach of the rules.”
It is this misunderstanding that may have led to so many organisations being rather flat-footed about the compliance issue, although organisational inertia and a tendency towards “last-minuteism” could both be contributing factors.
But is all this pandemonium necessary or warranted? Alexander Egerton, a partner in the London law firm Seddons, provides some clarity: “GDPR has been greatly misunderstood. This reform is seen by its advocates as the only way in which people can protect their privacy against misuse by large technology companies. Its detractors see it as another example of Europe regulates while the US innovates.”
Egerton believes that the crux of GDPR is “to empower people to hold companies to account and for regulators to intervene if the companies do not respond to individual’s concerns. All that is expected is for companies to know what personal data they hold, why it is held and how the data is used.“
“Although lawyers have reduced this analysis to a procedural exercise, there is no prescribed method. The test is that when an individual holds a company to account, can the company can respond quickly and comprehensively?”
“The UK regulator is concentrating its resources at the high-risk players – social media etc. and is not going to punish a small business that is doing what it can and whose data processing is low risk,” Egerton argues.
GDPR compliance is an ongoing process, and 25 May 2018 was never meant to be a one-off EU-wide privacy exam. However, the longer it is since GDPR became law, the less forgiving data protection regulators will be. The problem we have is that because GDPR was misunderstood with many exaggerating what would happen in May 2018 getting clients to continue to engage is difficult. The point about cry wolf is that the wolf showed up.
Unless your commercial activities consist of running a corner shop or a food stand, then it is likely that you are only too aware of the European Union’s General Data Protection Regulation (GDPR).
There is also a distinct possibility that you are scrabbling around hither and thither ensuring that your business is compliant as there is a powerful incentive to do so. Penalties for non-compliance are severe. The maximum fine for a breach of the GDPR is a whopping 20 million euros or 4 percent of an organisation’s worldwide turnover, whichever is higher.
The legislation was passed in April 2016 and took effect only on 25 May 2018 as the two-year introduction period was designed to allow the companies and organisations affected by the new law sufficient time to upgrade their systems and procedures.
Despite this, it appears that there is still a great deal of uncertainty, and many companies are struggling to meet the compliance standards in terms of handling, managing and securing the data they collect and already hold. Only 50 percent of organisations were reporting compliance by the 25 May deadline. However, some sources go further and suggest that the number of non-compliant companies could be as high as 80 percent.
So it would seem that the issues can, in large part, be addressed if companies just took the trouble to get a complete picture of the information that they are holding and the ways that it is being used. In principle, this sounds straightforward but, for larger companies, the task may prove Herculean.
While GDPR compliance should not have been too hard to achieve, the reality is that even the tech giants are struggling with the cost and complexity. In August, a civil claim was launched against Facebook by one of its investors who claimed to recoup losses due to the fact that Facebook failed to properly inform investors about the full extent of GDPR compliance costs in their July earnings call. It is still not entirely clear whether Facebook has achieved full compliance although there is no doubt that the company has put a great deal of work into the issue.
Other developments also highlight the apparently spiralling compliance costs. In the last few days, Europol, the EU policing agency responsible for monitoring cybercrime, suggested that large companies might be tempted into a “devil’s bargain” with hackers who successfully carry out ransomware attacks, or effect data breaches, by paying off the hackers for sums inferior to possible EU fines.
It is easy to see how such ugly calculations can be made, despite the fact that the costs and complexity of the tasks may be perceived rather than actual. A test case would help to clarify matters, but which company wants to risk the potentially calamitous results of being the guinea pig?
Reform of the GDPR?
Given the imbroglio of uncertainty, some might be tempted to argue that the EU ought to review the regulation. Ruth Boardman, a partner in the London law firm of Bird & Bird thinks not: “GDPR tries to prompt privacy innovations, such as the new data portability right and new mechanisms for regulatory action via the consistency mechanism. It is too early to think of change: these innovations need time to develop. Change at this stage would also be an unwelcome disruption for the businesses which have already had to reorganise so much to become GDPR-ready.”
So, for the time being, at least, the regulation is likely to remain unchanged. Given that, the best advice for businesses right now would be to step back and focus on forming a complete picture of the data they hold.
Comment or question? Don’t hesitate to contact: firstname.lastname@example.org