Companies’ priorities for complying with the General Data Protection Regulation (GDPR) are likely to sharpen over the coming year, driven by a combination of recent enforcement decisions and the European Commission’s efforts to keep privacy rules in step with changes in technology.
Sarah Simpson, senior associate at law firm Katten Muchin Rosenman, predicts three trends companies will need to consider over the coming year regarding data compliance.
First, companies should focus on cleaning up “data graveyards”: old and unused personal data that lingers on company servers, which regulators are scrutinizing more closely as they ramp up enforcement of data retention and storage-limitation rules. Financial services firms are particularly exposed because the sector has tended to embrace a culture of keeping everything, partly out of fear that a regulatory investigation might one day ask for it.
Second, companies will need to appoint “representatives” in the European Union and/or United Kingdom if they are processing citizens’ data in either market but do not have a physical presence there, such as company offices.
On May 12, less than two months ago, the Dutch Data Protection Authority (DPA) announced a €525,000 (U.S. $625,000) fine against Canada-based website Locatefamily.com for failing to appoint an EU representative. The regulator said it would add a further €20,000 every two weeks following its decision (up to a maximum of €120,000) until the company put a representative in place.
Third, says Simpson, companies will need to spread data protection roles and responsibilities more widely across the organization.
“Since May 2018, it has become apparent the role of a single data protection officer (DPO) can be a mammoth task and responsibility needs to be shared,” mainly across assurance functions including HR, legal, compliance, and marketing, Simpson says. New roles might need to be created within organizations.
“That isn’t to say a DPO shouldn’t have overall responsibility, but they should have more freedom to conduct investigations across organizations alongside more support from those allocated responsibility for compliance within different departments,” she says.
Experts are also concerned about what steps the European Commission, the EU’s executive body, will take to keep the GDPR in step with emerging technologies and with new ways personal data can be exploited.
At present, parts of the law sit uneasily with technological innovation. The GDPR grants data subjects strict rights against automated decision-making and profiling, the right to erasure, the right to data portability, and what is often described as a right to explanation of automated decisions. All of these are difficult to reconcile with how artificial intelligence (AI) systems are trained and operated, where personal data may be embedded in a model rather than held in a record that can simply be deleted or exported.
Meanwhile, the law’s “right to be forgotten,” which allows data subjects to demand removal of their personal data, sits awkwardly with blockchains: append-only ledgers whose records are designed to be immutable and to persist indefinitely, so that personal data written directly on-chain cannot later be erased.
There is no specific practical guidance yet from either the European Data Protection Board or national DPAs on how the GDPR can genuinely accommodate such technologies.
Learning from the past
The EU’s earlier attempt at data protection legislation, the 1995 Data Protection Directive (95/46/EC), which member states had until 1998 to implement, was drafted before widespread use of the internet and email. Its focus was on paper records and filing systems rather than electronic communications. The Commission is keen not to repeat the same mistake.
European DPAs expect the GDPR to be flexible enough to allow adjustments that keep it current, while working in tandem with complementary legislation aimed at specific privacy or technological issues, such as the proposed ePrivacy Regulation (intended to replace the 2002 ePrivacy Directive) and the proposed legislation on trustworthy AI.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, agrees the GDPR is “relatively future-proof,” but warns “it is a product of the environment in which it was created” and will need to be amended to suit changing circumstances.
“The primary threats to the data of a data subject five years ago didn’t include the impact of ransomware or that compromises of classes of immutable data like health data would become recurring, for example,” he says.
Other ongoing developments are also likely to shape how companies need to prepare for possible changes. Dyann Heward-Mills, CEO of data protection consultancy HewardMills, expects greater convergence between competition and data protection authorities, as already seen in the United Kingdom, over how tech giants, and the companies that use their services, collect, use, and share personal data.
The slow turnaround of cross-border investigations also remains a problem and adds to uncertainty about which practices will be deemed non-compliant. At the end of May, EU Justice Commissioner Didier Reynders said the European Commission is considering a fast-track mechanism to expedite decisions in time-sensitive data privacy investigations.
Differences in enforcement approach between national DPAs are perhaps a more pressing issue.
“Given the GDPR purposely gives EU countries a fairly broad discretion in many areas of the law—including penalties—we will certainly observe a growing disagreement,” says Ilia Kolochenko, CEO at security software vendor ImmuniWeb. “Most likely, the European Data Protection Board will have to step in and attempt to resolve all the ambiguities, but it will be a time-consuming and arduous task.”