The European General Data Protection Regulation (GDPR) that comes into force in May 2018 intends to strengthen and unify data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
With this in mind we have joined forces with UK legal firm Fieldfisher to help you get a better understanding of what is involved and how it will affect your business. This first feature is by Phil Lee, a partner in Fieldfisher’s leading Privacy, Security and Information law group.
Some time back, in the early dawn of my legal career, a colleague took me aside and said to me, “You do realize that this whole privacy thing is just a fad? It’ll soon pass.” That was some ten years ago, and it’s gratifying (and, frankly, a relief) to find that the area of law I chose to settle on has proven far from a fad.
There is a danger when speaking with fellow privacy professionals, though, that we become something of an echo chamber. Every privacy professional tends to believe that privacy is of paramount importance (why else would they move into it?) and we tend to reaffirm one another’s beliefs that the significance of data protection law will endure indefinitely.
That isn’t a view always held by non-privacy colleagues though. Many view the current GDPR as something of a flash in the pan – a kind of Y2K for privacy professionals. There can be a sense that, while privacy is a big deal now as companies rush to complete their GDPR implementation projects, come May 25th next year everyone will breathe a big sigh of relief and things will calm down again.
This won’t be the case. Privacy will only grow in importance over the coming years. For now, I’ll leave aside the social and ethical arguments about why privacy will continue to dominate since these are necessarily more subjective in nature. Instead, I’ll just point to a few objective legal reasons why privacy will be a big ticket compliance concern for many years to come:
1. The GDPR is not a project
Within some organizations, there is still a tendency to see the GDPR as a one-off project, but it’s not. Getting GDPR-ready will mean implementing ongoing privacy governance, policies and processes that will endure on an ongoing basis. Think, for example, about Privacy by Design programs, the conduct of Privacy Impact Assessments, DPO appointments, and security incident reporting, among others – quite aside from the need to train staff on privacy compliance measures and to audit compliance and effectiveness on an ongoing basis.
2. The story doesn’t begin and end with GDPR
Quite aside from the GDPR, there are other important ongoing legislative, regulatory and judicial developments in the privacy and security space. Think, for example, about the implementation of the Network and Information Security Directive, the incoming (and wildly debated) e-Privacy Regulation, and Member State local law developments (such as the continuing controversy surrounding the UK’s Investigatory Powers Act), to name a few. The e-Privacy Regulation, for example, will significantly impact any business operating in the online space, by reforming cookie consent requirements and communications privacy rules. Put simply, there are many more privacy and security reforms coming down the pipeline over the coming years – it’s not all GDPR.
3. International transfers are in peril
The future of international data transfers between Europe and other worldwide territories (especially the US) is under particular scrutiny. Think, for example, about the ongoing court cases concerning the validity of the Privacy Shield and the Standard Contractual Clauses. Beyond that, consider the European Commission’s announcement that it is reviewing the ‘adequacy’ status of those countries currently deemed safe to receive EU data. Not to mention that many of our existing data export mechanisms will need updating by the regulatory bodies to ensure that they too are GDPR-ready. These developments will introduce significant turbulence for the international data movements that are the lifeblood of every global organisation – and that’s before you start to consider the rise of data localisation rules in territories like Russia and China.
4. There’s more to the world than just Europe
The world of data protection extends beyond just the EU and its legislative reforms. Over the past few years, there has been an explosion in the number of territories worldwide that have data protection laws (see, for example, here) to the point that there are now more countries with, than without, local privacy legislation. While there is inevitably an upper limit on how many countries can adopt privacy laws (there are only so many countries in the world), it does make the business of privacy ever more complicated: each of those laws will approach privacy issues in ever-so-slightly-different ways; those laws will inevitably be reformed and adapted over time; and organizations operating on a global scale (especially online businesses) will face significant challenges in meeting the laws of all the countries where they do business.
5. Privacy has become a commercial imperative
It’s easy to get excited about the regulatory and ethical risks when talking about data protection, but there’s another dimension too: the commercial risk. The reality is that, in commercial deals, privacy has gone from being a last minute, minor consideration (if it was even a consideration at all) to becoming a major impediment to deal closure. Organizations that do not have a robust answer to privacy compliance issues are finding it increasingly difficult to close deals – or, at least, to close them quickly – and this is an issue that will grow with time, especially in light of points 1 to 4 above.
What do you take away from this? Well, it’s important for organizations to think strategically and to prepare for the scale of the challenge ahead of them. Identifying temporary resource and allocating one-off budgets to “solve” GDPR compliance projects grossly underestimates the ongoing work (and risk) over the years to come. Privacy won’t go away after May 2018; quite the opposite – it’s going to become more and more of a challenge. The GDPR has been helpful in raising an awareness and driving a new generation of professionals into the privacy community, but organizations now need to ensure that they value, retain, develop and support those professionals – those that do will ultimately be the ones that are the winners in terms of building trust, managing risk, and winning business. To quote a meme someone sent me recently: “Privacy’s not dead. It’s hiring.”
Phil Lee is a partner in Fieldfisher’s leading Privacy, Security and Information law group, working out of the London team. His personal specialisms are in data privacy, digital media and disruptive technologies, and he is recognised as a data protection expert in Chambers and Who’s Who Legal.