By Trevor Schmitt
On October 4-6th, 2017, The George Washington University Law School hosted the 3rd annual Privacy + Security Forum. The event, organized by GW Law’s Daniel Solove and Berkeley’s Paul Schwartz, is a veritable who’s who of the global privacy and data protection law landscape, with hundreds of speakers addressing a range of topics. As with any privacy and data protection event held in the last five years, the General Data Protection Regulation (“GDPR”) was a primary focus of panel discussions.
For those unfamiliar with the massive European Union (“EU”) regulation, the GDPR is a privacy and data protection law going into effect in May 2018. As a replacement for the EU’s current data protection law, the GDPR regulates the collection, use, and storage of personal information related to individuals in the EU. Key to this regulation is its inclusion of non-EU organizations that offer goods or services to individuals in the EU. This means that any organization holding identifiable information related to individuals in the EU should be worried about the GDPR. And with fines of up to €20 million or 4 percent of global annual turnover (whichever is higher) for non-compliance, that concern seems justified.
The event continued many of the ongoing conversations relating to issues involved in private sector efforts toward compliance. But that’s not all. Among these issues, several overarching themes rose above the normal fray of navigating technical GDPR compliance. Those charged with conforming to the GDPR should be aware of these emerging perspectives:
“Do what you say. Say what you do. Be able to prove it.”
This quote, brought to light by Constantine Karbaliotis, exemplifies the need for entities regulated by the GDPR to provide extensive documentation of their compliance efforts. Doing the right thing is great. But show your work. Not being able to prove compliance with the GDPR is just as damaging as not being compliant at all.
The GDPR is not going away.
May 2018 marks the beginning—not the end—of GDPR compliance. The regulation contains a myriad of requirements associated with individual personal information that fundamentally change how technology will operate. These include the right to erasure (to have one’s data deleted from an entire system), data portability (to move data from one service to another), and privacy by design (keeping privacy involved in every step of engineering data systems), to name a few. Many organizations will need to overhaul their systems to become compliant. These provisions, as well as others contained in the GDPR, promise a transformation of how technology will handle personal data on a global scale.
The most obvious nails will be hammered first.
The governmental organizations (Data Protection Authorities) charged with GDPR enforcement have limited resources. They cannot investigate every organization that handles EU personal data. So unless an organization falls into the spotlight realm of GAFA (Google, Apple, Facebook, Amazon), chances are it will not be an initial target of investigation. This leeway, however, only goes so far. Outdated privacy policies, overt non-compliance indicators, and massive data breaches will raise flags to regulators that an organization may not be compliant.
Brexit might leave the UK out in the cold.
As of March 29th, 2019, the United Kingdom (“UK”) will no longer be part of the EU. This means that the UK will become a third country according to the GDPR. Under the GDPR, third countries must undergo a verification process to determine if their municipal data laws provide adequate protection for handling personal data related to individuals in the EU. And while lawmakers have announced their intention to adopt an almost exact copy of the GDPR’s rules, the former EU Member State must still apply for adequacy following its official exit from the EU. This means that, at least for a time, the UK will not have free-flowing data from the EU.
Despite these additional perspectives on the global concerns over GDPR compliance, much is still unknown about how the regulation will impact organizations at scale. What is clear, however, is that organizations that want continued access to EU markets must be compliant or face potentially debilitating fines. These issues will continue to be explored in the Privacy + Security Forum’s internationally-focused sister event early next year.