The General Data Protection Regulation (GDPR) becomes effective May 25, 2018, and there are at least three areas of concern for the compliance practitioner that are explored below.
First, data privacy. Leaving aside the issues raised in the Facebook/Cambridge Analytica matter around the behavioral advertising business model, companies will now be faced with a very robust requirement to protect personally identifiable information and will also be prohibited from harvesting such data for an investigation, absent informed consent. This consent is not a condition of employment, but rather a matter of employee agreement. This means that data review, oversight, and monitoring, currently routine procedures in American companies, are now illegal, absent this consent. This will mean a big change in procedure for how companies gather and maintain data.
A second potential headache for compliance practitioners will be liability for third parties engaged to perform due diligence. Any violation of privacy under GDPR will relate back to the company that hired the due diligence provider. Once again, consent will be needed to obtain information during a deep-dive investigation by the third party, so such an investigation may well be stymied under GDPR. And, significantly, if a due diligence provider violates GDPR, it could be the hiring company that is charged by regulators and/or subject to a civil action.
The third area is the right to be forgotten. This right allows anyone about whom negative information exists to demand that it be deleted from records, and it could very well play havoc with due diligence or other background investigations. As a result, a company's due diligence could be less robust, which will put more pressure on other steps in the management of third-party risks.
One last consideration: It is very possible U.K. and EU regulators will be scrutinizing U.S. companies closely when it comes to GDPR, which could mean attendant fines, penalties, and investigative costs. Better to be prepared now than penalized later.