WASHINGTON, D.C. — The International Association of Privacy Professionals’ (IAPP’s) recent Global Privacy Summit 2018 came at an interesting time for the privacy industry — a mere 60 days before the European Union’s General Data Protection Regulation (GDPR) takes effect.
Erica Kitaev, Managing Editor for Privacy and Data Security for Thomson Reuters’ Practical Law, sat down with Kimberly Wong, senior counsel for the data and technology practice group at McDonald’s, and Laura Jehl, partner and co-lead of Baker Hostetler’s GDPR and Blockchain Technologies and Digital Currencies initiatives, to discuss how the various articles of the GDPR that allow for country-specific derogations could significantly alter the privacy landscape for clients.
“While GDPR was designed to be a one-stop shop for privacy compliance, intended to harmonize EU data protection laws, in reality companies could soon be looking at more than 30 different schemes with which to comply,” warned Kitaev. Indeed, GDPR may have a short-lived moment as that one-stop shop, as four member states have already enacted their own legislation, with Germany’s and the UK’s laws painting with a broader brush on which data is affected than GDPR itself does.
Jehl questioned the inconsistency of the expansive German law versus the GDPR but noted that there has been no ringing condemnation of it. Kitaev speculated that the broader scope of the German and UK laws may not have been the result of intentional extraterritorial expansion but rather the result of loose drafting. Still, both predicted that the first enforcement of Germany’s implementation law may result in legal battles.
Clients who have a few employees, but no lawyers, in a member state that passes new laws will face a heavier burden from such a patchwork of differing laws among countries. “This will add more levels of bureaucracy, complexity, and cost for smaller companies,” said Jehl, as they will have to hire local counsel to ensure compliance with local laws. Larger multinational organizations can put data privacy officers in most areas to provide consistency, establish relations with authorities now, and demonstrate to consumers and clients how much the company values the security of their data.
Kitaev noted that her attorney editors try to stay on top of the rapidly changing data privacy laws in each jurisdiction by regularly talking to data privacy practitioners in the member states, but even local attorneys don’t always have a good handle on the changes and how they interplay with various other local laws around employee data, human resources, customer data, litigation holds, and more.
Due to the uncertainty, the panelists suggested advising clients to ensure any IT systems they build are flexible enough to be changed later to meet new search and retention requirements. But for IT staff and engineers used to having specific rules and “1s and 0s” to follow when designing and building systems, the vagueness and uncertainty are frustrating. Wong suggested that because of this uncertainty, companies may actually prefer the countries that put in place more stringent regulations, on the presumption that compliance with those will mean automatic compliance with any less stringent laws other member states adopt.
Kitaev agreed, and urged companies to take a risk-based approach: identify the areas of highest risk for them and aim for changes that hit the bullseye, or at least the majority, of compliance in the spirit of the new regulations.
In terms of where the biggest changes could arise from these country-specific laws, Wong and Jehl advised attendees to pay close attention to changes around storage, retention, and use of employee records and data as well as to the definition of “sensitive” data.
While Wong optimistically noted that country-implementation laws could allow for some diversity in interpretation and may lead to better protection of data, other panelists suggested that the uncertainty for companies trying to comply has essentially taken away the benefit of GDPR — that by May 25, companies could tell their customers, business owners and investors they were fully GDPR-compliant.
However, Kitaev warned that companies are not done with data privacy compliance on May 25, but rather that date is just “the start of a marathon that now may be changing into an Iron Man competition, so companies may need to get ready to switch to swimming” as more countries pass implementation laws.