The General Data Protection Regulation may not sound exciting, but a panel on it at the recent Thomson Reuters Regulation Summit in London quickly gathered a large crowd. And that crowd was overwhelmingly unprepared for the regulation’s implementation in May 2018 – more than half of the audience said their firm was only 25 percent ready. The same proportion believed the first enforcement action would take place within six months of its entry into force.
The EU legislation is more far-reaching than any other global data protection rule. Any firm holding data on customers in the bloc will be affected regardless of where the firm is based, and the penalties for non-compliance or a breach are severe: the greater of 4 percent of global annual turnover or €20 million.
“Not only will non-compliance damage a firm’s reputation, it may also send it under,” one US-based general counsel told pfm late last year.
With 12 months to go until the compliance deadline, the three-lawyer panel was quick to allay delegates’ fears over the current state of their preparedness, but did stress the importance of making a start as soon as possible.
“Most clients won’t be ready by 2018. The important thing is to take steps to implement the key areas of the regulation because some aspects of it will take much longer than others,” one of the lawyers said. “Prioritize the very high impact issues that the regulators care about.”
A second added: “You can’t be 100 percent ready, but you can be in good shape by 2018.”
For European firms that are currently compliant with existing data protection rules, preparing for the GDPR should be a gap-filling exercise as there is a lot of overlap with the rules currently in place. The task is, of course, greater for those new to EU data laws.
One of the first priorities should be a data audit – document the personal data the organization holds and note where it was obtained, with whom it is shared and for how long it has been held.
It’s a good time to put mechanisms in place that ensure, by default, only personal data necessary for each specific purpose is processed and that it is stored for no longer than necessary, the panel said. They also recommended firms identify all processes where personal data is involved, and the compliance risks those present.
“Try to embed good practice within the organization while you do this. Privacy impact assessments should become a part of the process of developing new products or launching new services,” a financial regulation lawyer from a global bank said.
The GDPR requires a high standard of consent for processing personal data, so firms should review the adequacy of their privacy documents and data consent forms. Data holders must actively acquire consent – it is no longer acceptable to assume it has been granted if they do not hear back from the individual. Proving that the legal standard of consent has been met is the organization’s responsibility, so it is important to document policies and procedures.
“It could also be time to renegotiate your contracts with service providers to make sure their use of data you provided is compliant and they have measures in place to ensure that it remains so. It’s potentially a huge exercise,” the bank-based lawyer said.
Fund managers must appoint a data protection officer to be responsible for implementing and monitoring compliance with the GDPR, and to carry out assessments of data processing in certain circumstances. If there isn’t one already in the firm, it’s time to start looking. Once this person is in place, accountability should be clearly established.
“Privacy is the problem of the whole business. It could be that with the addition of a data protection officer reporting lines change, perhaps the legal or regulatory and compliance teams are currently responsible but in the future reports of breaches or issues will be given to the data officer instead. Establish who is responsible to avoid muddles,” a law firm partner said.
National and European regulators will be responsible for enforcing the GDPR. One audience member asked if this would result in variations in the approach to breaches of the rules, and whether it would be difficult for enforcement action to be taken against firms outside EU jurisdictions.
But the panel said enforcement was being taken very seriously. The UK’s Information Commissioner’s Office, for example, has often been seen as a ‘soft touch’ but is now pitching to remain as a European supervisory agency post-Brexit.
The ICO wants to show it is serious about privacy, the panel agreed. Its tone in relation to the GDPR is much stricter than in the past, and it has the capacity to pursue enforcement of the rules.
The GDPR also gives individuals the right to be represented by a privacy rights association in the event their data is leaked, presenting another enforcement risk – it increases the chance of being scrutinized by regulators and becoming entangled in court proceedings. Data controllers and processors will have to be ready to attend court proceedings in countries where the individual resides.
The panel said it expected a deluge of people wanting to exercise their rights and forecast an increase in class actions relating to data breaches.
“Perhaps we’ll see armies of lawyers scanning privacy notices. Though hopefully not!” one of the law firm partners said.
The regulation is likely to be a game-changer for private fund firms and their portfolio companies. If you haven’t started your preparation yet, there couldn’t be a better time to do so.