Privacy + Security Forum: Emerging Perspectives on GDPR Compliance

By Trevor Schmitt

On October 4-6^th, 2017, The George Washington University Law School hosted the 3^rd annual Privacy + Security Forum. The event, organized by GW Law’s Daniel Solove and Berkeley’s Paul Schwartz, is a veritable who’s who of the global privacy and data protection law landscape with hundreds of speakers addressing a range of topics. As with any privacy and data protection event held in the last five years, the General Data Protection Regulation (“GDPR”) was a primary focus of panel discussions.

For those unfamiliar with the massive European Union (“EU”) regulation, the GDPR is a privacy and data protection law going into effect May, 2018. As a replacement for the EU’s current data protection law, the GDPR regulates the collection, use, and storage of personal information related to individuals in the EU. Key to this regulation is its inclusion of non-EU organizations that offer goods or services to individuals in the EU. This means that organization with any identifiable information related to individuals in the EU should be worried about the GDPR. And with fines up to €20 million or 4 percent of global annual turnover (whichever is higher) for non-compliance, that concern seems justified.

The event continued many of the ongoing conversations relating to issues involved in private sector efforts toward compliance. But that’s not all. Among these issues several overarching themes rose above the normal fray of navigating technical GDPR compliance. Those charged with conforming to the GDPR should be aware of these emerging perspectives: 

“Do what you say. Say what you do. Be able to prove it.” This quote, brought to light by Constantine Karbaliotis, exemplifies the need for entities regulated by the GDPR to provide extensive documentation of their compliance efforts. Doing the right thing is great. But show your work. Not being able to prove compliance with the GDPR is just as damaging as not being compliant at all.

The GDPR is not going away. May 2018 marks the beginning—not the end—of GDPR compliance. The regulation contains a myriad of requirements associated with individual personal information that fundamentally changes how technology will operate. These include the right to erasure (to have one’s data deleted from an entire system), data portability (to move data from one service to another), and privacy by design (keeping privacy involved in every step of engineering data systems) to name a few. Many organizations will need to overhaul their systems to become compliant. These provisions, as well as others contained in the GDPR, promise a transformation of how technology will handle personal data on a global scale.

The most obvious nails will be hammered first. The governmental organizations (Data Protection Authorities) charged with GDPR enforcement have limited resources. They cannot investigate every organization who handles EU personal data. So unless an organization falls into the spotlight realm of GAFA (Google, Apple, Facebook, Amazon), chances are it will not be an initial target of investigation. This leeway, however, only goes so far. Outdated privacy policies, overt non-compliance indicators, and massive data breaches will raise flags to regulators that an organization may not be compliant.

Brexit might leave the UK out in the cold. As of March 29^th, 2019, the United Kingdom (“UK”) will no longer be part of the EU. This means that the UK will become a third country according the the GDPR. Under the GDPR, third countries must undergo a verification process to determine if municipal data laws provide adequate protection for handling personal data related to individuals in the EU. And while lawmakers have announced their intention to adopt an almost exact copy of GDPR regulations, the former EU State must still apply for adequacy following its official exit from the EU. These means that, at least for a time, the UK will not have free flowing data from the EU.

Despite these additional perspectives on the global concerns over GDPR compliance, much is still unknown about how the regulation will impact organizations at scale. What is clear, however, is that organizations who want continued access to EU markets must be compliant or face potentially debilitating fines. These issues will continue to be explored in the Privacy + Security Forum’s internationally-focused sister event early next year.