I fear my European legal cousins share a character trait with my US colleagues – the ability to make the simple complex. I have practiced law longer than I am going to admit, with the past four years in-house as the Chief Privacy Officer and VP of Legal Affairs at a tech company that creates privacy products. I rely upon counsel from many outside firms for concise, business-oriented advice and also speak on a daily basis with in-house counsel for many of our clients. Those I go back to time and again are those who keep it simple and make their advice relevant to my business – no easy feat considering the complexity of many laws.
The General Data Protection Regulation (GDPR) is meaty and dense, certainly a legislative tome. Coming in at 186 pages, it makes an excellent bookend. Personally I view it as a brilliant piece of legislation, irrespective of whether it was by design or default. First, the four-year EU-wide legislative process was staggering. When it began I couldn’t conceive of it being completed, but it was. Second, guidance on regulatory expectations is embedded within the law, stripping away a lot of the ambiguity that often comes coupled with legislation. And third, given the twin realities of an explosion in borderless digital commerce and the lack of a national privacy law in the United States, the GDPR’s extra-territorial application will make it the de facto national privacy law of the US, which is good news.
Don’t get me wrong, compliance necessitates paying attention to the details. But before any of us can pay attention to the small things of the GDPR, we need to understand the big picture so we can best explain it to CEOs, CFOs and Boards of Directors. The GDPR is a seismic event for many organizations, even greater than Y2K leading up to 2000. It goes way beyond data protection – its title is a misnomer – and should be named the General Data Governance Regulation.
The GDPR is really pretty simple. The law is all about giving power back to the people. That plays well to my revolutionary youth still buried inside this middle-aged mind. And the way this will be done is by requiring companies to do two things: be both accountable and transparent about their data practices.
Accountability requires companies to be introspective and take a good hard look in the corporate mirror to get a comprehensive understanding of what data they collect, how they collect it, whether it’s personal or nonpersonal, and how they use it. It’s a pretty reasonable ask, despite the public discussion about how unreasonable this obligation is. Unsurprisingly, Big Law and Big Consulting have quickly seized upon this, rightly seeing it as a massive business opportunity, ramping up their assessment teams to begin their complex GDPR gap analyses. This new GDPR services industry will spawn billions; in fact, IDC estimates it will create a $3.5 billion market opportunity for security and storage vendors by 2019.
This is important. A baseline is needed to measure where you are against where you need to be by 25 May 2018, the go-live date. But it’s not the whole story. Remember, process review is only the first step; the goal is a full-picture understanding, so you know where your weak spots are and can put the right privacy controls in place to protect those vulnerabilities. Once you have all that, you can document it accurately to the regulatory authorities and communicate your data practices clearly and honestly to your customers and employees.
The second top-level obligation, after the introspection, is to be outward facing and transparent about how you use data. This transparency obligation is manifested in a few ways, but at the end of the day it boils down to this: communicate clearly to your audience. There’s a dilemma, however, namely how to communicate effectively while still satisfying the law’s disclosure requirements. This is something many organizations have been wrestling with for quite a while. The GDPR codifies the obligation to be transparent in a concise, easy-to-understand way, which will force counsel to shift their advice from a no-risk approach to a contextual, risk-based approach.
The new individual rights under the GDPR should not come as a surprise to anyone. The concepts have been around for years in one form or another, usually as high-level principles. Now, though, these well-established privacy concepts are rights: the right to access and correct your data, the right to receive your data in a readable format, the right to erasure (the ‘right to be forgotten’), whereby a person can ask for offending information about her to be removed from a website, and the right to object to profiling, also known as ‘tracking’ in the US.
While the right to erasure has proved vexing and controversial, the important thing to remember is that a data controller really needs to have a process in place that allows: (i) a person to request that certain data be removed or taken down, (ii) the data controller to review the request and go through a determination process, using the GDPR’s guidelines, to decide whether to honor it, and (iii) the data controller to respond to the request. For example, if an individual wants evidence that he is a registered sex offender taken off a website, it may be in the public’s best interest that such data not be removed.
Clearly many new processes will be created, and companies will assuredly rely upon counsel to help them understand how to deploy them. From my experience, where counsel adds the most value is in keeping it simple. I already know that the GDPR is a big deal and that penalties for non-compliance can be crippling. However, the regulation is also an opportunity. It’s a once-in-a-career moment when legal and privacy can plant a flag in the ground and demonstrate that, if done right and the essence of the GDPR is captured in good data hygiene practice, compliance with the law will be the least of the things to accomplish. That’s the advice I need.