EU data protection rules
The EU data protection regulation: effects and fallout
Unless your commercial activities consist of running a corner shop or a food stand, it is likely that you are only too aware of the General Data Protection Regulation (GDPR).
There is also a distinct possibility that you are scrabbling around hither and thither ensuring that your company is compliant. There is a powerful incentive to do so as penalties for non-compliance are severe. The maximum fine for a breach of the GDPR is a whopping 20 million euros OR 4% of the organisation’s worldwide turnover, whichever is the higher.
The legislation was passed in April 2016 but did not take effect until 25 May this year; the two-year introduction period was designed to allow the companies and organisations affected by the new law sufficient time to upgrade their systems and procedures to be compliant.
Despite this, it appears that there is still a great deal of uncertainty and many companies are struggling to meet the compliance standards in terms of handling, managing and securing the data they collect and already hold. Only 50% of organisations were reporting their compliance by the 25 May deadline. Some sources go further and suggest that the number of non-compliant companies is as high as 80%.
The GDPR was well publicised in advance, so it’s not as if the problem is due to a lack of awareness. Rather, many companies have assumed it to be largely, or even solely, an IT issue. But that is not the case.
Duncan Gillespie, a senior solicitor consultant and specialist EU and Competition Lawyer with My Business Counsel, says:
“It’s not just a question of software updates. Every organisation will have to employ a DPO and also ensure that their internal systems are geared towards compliance. For example, if an organisation receives a right of access request, they have just 28 days in which to respond. Failure to do so constitutes a breach of the rules.”
It is this misunderstanding that may have led to so many organisations being rather flat-footed about the compliance issue, although organisational inertia and a tendency towards “last-minute-ism” could both be contributory factors.
But, stop a moment. Is all this pandemonium necessary or warranted? Alexander Egerton, a partner in the London law firm Seddons, provides some clarity:
GDPR has been greatly misunderstood. This reform is seen by its advocates as the only way in which people can protect their privacy against misuse by large technology companies. Its detractors see it as another example of “Europe regulates while the US innovates”.
The crux of GDPR is to empower people to hold companies to account and for regulators to intervene if the companies do not respond to individuals’ concerns. All that is expected is for companies to know what personal data they hold, why it is held and how the data is used. Although lawyers have reduced this analysis to a procedural exercise, there is no prescribed method. The test is: when an individual holds a company to account, can the company respond quickly and comprehensively? The UK regulator is concentrating its resources on the high-risk players – social media etc. – and is not going to punish a small business that is doing what it can and whose data processing is low risk.
GDPR compliance is an ongoing process. 25 May 2018 was never meant to be a one-off EU-wide privacy exam. But the longer it is since GDPR became law, the less forgiving the ICO will be. The problem we have is that, because GDPR was misunderstood, with many exaggerating what would happen in May 2018, getting clients to continue to engage is difficult. The point about cry wolf is that the wolf showed up.
So it would seem that the issues can, in large part, be addressed if companies just took the trouble to get a complete picture of the information that they are holding and the ways that it is being used. In principle, this sounds straightforward but, for larger companies, the task may prove herculean.
While GDPR compliance should not have been too hard to achieve, the reality is that even the tech giants are struggling with the cost and complexity. This past August, a civil claim was launched against Facebook by one of its investors, who sought to recoup losses that they allege were due to Facebook failing to properly inform them about the full extent of GDPR compliance costs in its July earnings call. It is still not entirely clear whether Facebook has achieved full compliance, although there is no doubt that it has been working on the issues.
But further developments are only highlighting the apparently spiralling compliance costs. In the last few days, Europol, the EU’s policing agency responsible for monitoring cybercrime, has suggested that large companies might be tempted into a “devil’s bargain” with hackers who successfully carry out ransomware attacks or effect data breaches, paying off the hackers negotiated sums that are less costly than EU fines.
It is easy to see how such ugly calculations can be made, despite the fact that the cost and complexity may be perceived rather than actual. A test case would help to clarify matters but which company wants to risk the potentially calamitous results of being a guinea pig?
Given the imbroglio of uncertainty, would it not behove the EU to review the Regulation with a view to watering it down? Ruth Boardman, a partner in the London law firm of Bird & Bird thinks not:
GDPR tries to prompt privacy innovations – such as the new data portability right and new mechanisms for regulatory action via the consistency mechanism. It’s too early to think of change: these innovations need time to develop. Change at this stage would also be an unwelcome disruption for the businesses which have already had to reorganise so much to become GDPR-ready.
So, for the time being, at least, we are saddled with the Regulation as is. Given that, the best advice for businesses right now would be to step back and focus on forming a complete picture of the information that they hold.