Preparations for data compliance can't wait, as clock ticks on EU overhaul

26 May 2017. By Magnus Franklin*.

With one year to go until new European privacy rules give EU regulators the power to fine companies up to 4 percent of their annual worldwide turnover when they mishandle data, the bloc has one message for companies: don't plan for delays.

The EU General Data Protection Regulation becomes enforceable on May 25, 2018, which means companies don't have a moment to lose in preparing for the impact of the overhaul. Their boards should be signing off on compliance reviews today.

With its antitrust-scale fines and focus on the beating heart of the digital economy — the personal data that we knowingly and unwittingly share on the Internet — the GDPR is arguably the most important development for the ever-evolving digital economy since the invention of the world wide web.

Yet the sheer volume of the work has led some specialized lawyers to conclude that companies that are not well advanced in their work to comply with the GDPR are already behind schedule — even with a full year to go.

The businesses' legal teams — or the small for-hire army of external consultants in the field — will have to review all their contracts for compliance, a potentially mind-numbing exercise that involves examining thousands of lengthy legal documents, many of which will need to be renegotiated.

It's not just about consumer contracts, but also the agreements with third-party vendors that process personal data on a company's behalf, for which the regulation prescribes mandatory contract terms.

Rush to comply

The EU knows there will probably be a compliance scramble and, for its part, has fired up a powerful machine to help companies come to grips with their new data-handling obligations.

National regulators have set about explaining to companies in their countries when they need to obtain consent for the use of data, when the manipulation of data requires safeguards, and when they can rely on their own "legitimate interest" to process data without having to seek permission from customers. And, of course, what will happen if they break the rules.

During the coming year, the EU will launch two waves of information campaigns targeting smaller companies and individuals, to inform them in a simple way about their obligations and rights, respectively, under the new law.

National governments, meanwhile, have been busy drawing up secondary legislation to supplement the EU rules. While the GDPR applies directly without national transposition, it leaves room for national parliaments to adopt their own rules on how specific categories of sensitive data, such as patient records, should be treated.

In parallel, an entire industry has sprung up to assist with the adoption of the law. It is a world that offers compliance apps, toolkits, checklists and bespoke assessments to help companies get their GDPR procedures just right.

A web search for "GDPR Compliance" delivers 500,000 results, and four ads, for such services. All of this adds up to big business.

A law like no other

It's unusual for so much attention to be paid to an EU law, once it has been passed. But the GDPR isn't like any other law, with an exceptionally broad scope that spans the globe, and with a compliance regime only matched by that which now applies to antitrust enforcement.

And as companies work to get their data-handling processes in line with new rules, EU officials insist that the scramble to map the legal clauses onto real-world situations doesn't mean the deadline will budge.

The European Commission says that secondary national laws, official guidelines and the booming business of compliance specialists will all rank as a second tier of legal authority in the eyes of courts, once the paragraphs that make up the GDPR become enforceable.

EU officials who spoke to MLex say their principal advice to companies is that, no matter what their circumstances, the basic 88-page EU regulation reigns supreme.

At the same time, national data-protection regulators, which until now have been chronically underfunded and understaffed, will also have their work cut out for them.

The silver lining for the vast majority of companies, and small and medium-sized enterprises in particular, is that unless your business name is Google, Facebook, Apple or Amazon, you might not be at the front of the line for audits, once the GDPR kicks in — though a complaint from an individual or a reported data breach can put any company under a regulator's scrutiny.

The take-home message for companies trying to navigate the jungle of advice on GDPR compliance is that they shouldn't be too distracted by new domestic laws, guidance issued by a national regulator somewhere in the bloc, or the scaremongering of compliance experts touting for new clients.

What matters most is that the companies' processes and contracts are in line with the GDPR itself.

But they should make no mistake: the GDPR becomes enforceable in a year. Once that deadline has passed, the cost of mishandling the personal information of Europeans, for companies across the world, can't be ignored.

* Additional reporting by Vesela Gladicheva and Mike Swift