Preparing for Europe's General Data Protection Regulation

Early in 2012, the European Commission (EC) published its draft proposal for a General Data Protection Regulation (GDPR), a new pan-European Union standardized law to update and replace the aging Data Protection Directive of 1995. It was expected that 2014 would be the year for implementation of the GDPR.

By the second half of 2013, given extra impetus by Edward Snowden’s revelations of alleged personal information abuse by both the NSA and GCHQ, the speed of progress increased – and May 2014 appeared to be a realistic implementation target. But now two major problems have emerged.

Firstly, the UK is activating for its entire removal – or to at least have it ‘downgraded’ to a Directive. Some have suggested that this is partly to better protect the GCHQ surveillance programs; but the official argument is that it will prove costly to business, will inhibit innovation, and that individual nations need to be free to interpret data protection requirements within individual national priorities.

The second problem emerged at the end of 2013. A key element of the GDPR is known as the ‘one-stop-shop’. This would mean that the national regulator in the country in which a business has its European headquarters would make rulings for the entire EU. The proposal appeared to have been agreed on at a meeting of Europe’s justice ministers in October, paving the way for rapid implementation.

But in December, Hubert Legal, head of the legal service for the European Council (which represents the EU’s national governments) unexpectedly questioned the legality of the one-stop-shop. “The problem is the results you get in terms of respecting the functioning of justice and people’s rights is actually a very bad outcome, a very bad result – and as your legal adviser I have to tell you it’s a bad outcome.”

The combined effect of UK reticence and Hubert Legal’s concerns put a sudden and dramatic halt to the EC’s optimism. Implementation of the GDPR in 2014 is no longer likely, although not impossible. Indeed, the reversal is so absolute that some people doubt that it will proceed at all. “This legal delay, coupled with the low level of investment behind the GDPR, indicates that this regulation will never actually be enforced”, suggests Richard Walters, CTO of identity management provider SaaSID.

Will there Even Be a GDPR?

The question now is what businesses should be doing in preparation for something that includes draconian data protection requirements and yet might or might not ever happen? Getting it wrong could be disastrous, because it deals with personal EU data, not the nationality of the company concerned. US companies that handle EU data are as much in the sights of this legislation as domestic European firms.

British privacy expert and advocate Alexander Hanff takes a different view. “Whereas there is a slim chance that a new Data Protection Regulation won't happen (given that we have a change of EU Parliament coming up)”, he says, “the chance is very slim and it is more probable that we will see a new Regulation which is very close to the current draft. So my first message to businesses is to assume a new regulation will happen, probably in 2015 but maybe as late as 2017 – and to start preparing for changes based on the current draft.”

Chris Pounder, once of the Pinsent Masons law firm and subsequently founder of the Amberhawk information law training company, agrees: the GDPR will happen, but won’t be implemented in the UK before 2017 at the earliest. “Hence there is no need to rush and implement detailed data protection changes; however, one can begin to respond to the direction of travel of the data protection changes”, he argues.

The primary need to prepare for change is the size of the potential sanctions: €1 million or up to 2% of global turnover. European companies will have no choice but to comply. US companies have an apparent but perhaps unrealistic option: comply or withdraw from Europe. “Losing a huge market like the EU is a hit, but so is a potential percentage of global revenue if you only have a small base in Europe”, warns Catherine Pearce, security consultant at Neohapsis. “Then again”, she adds, “in the internet age is it even feasible to withdraw from a market in a meaningful way?”

Preparing for the GDPR

The balance of opinion is that the GDPR has been delayed, not derailed; and that early preparation would be advisable on both sides of the Atlantic. Hanff goes further – he believes that it would be good business practice even for those companies that still don’t think the GDPR will happen. “Why?”, he asks. “Well not just because the regulation has some significant changes, but also because it will be good for their business to do this. Trust is at an all-time low at the moment, given the ongoing Snowden revelations, and one of the encouraging emerging trends as a result is using privacy as a competitive differentiator.”

In the last year Hanff has spoken to the European Parliament, the Privacy by Design Conference in Canada and the International Association of Privacy Professional's European Congress on the subject of ‘Privacy as a Competitive Differentiator’. The overwhelming response, from audiences that primarily comprised politicians, lawyers and privacy experts, has been supportive. “Furthermore”, he adds, “we are seeing more interest from venture capitalists and business angels in funding startups with ‘privacy’ as their unique selling point – there is a growing trend and one that I as a privacy advocate, would like to see continue.”

So the first step in preparing for the GDPR is to accept that it will happen; and it shouldn’t be considered in an entirely negative light. What then should companies do? Perhaps the most important step is to appoint a data protection officer (DPO). A DPO will be required by the regulation for all public bodies and all private companies employing more than 250 staff. “If you have not done so already, have a member of staff appointed to be responsible as data protection officer – the post does not need to be full-time but for many large organizations it is already”, suggests Pounder.

Hanff agrees, but suggests the very first step should be a privacy audit to help determine whether a full-time DPO is actually necessary. DPOs, he says, “can either be in-house or external consultants, and they don't need to be full-time.” He advises an audit within the next 12 months to assess the amount of consumer data processing a business does.

“If your processes are mature”, he explains, “and are not expected to change in any significant way, and more importantly are not a major business focus – for example, you keep customer details on file for the purpose of shipping them your products, but you do not use that data for any other purpose – then you probably don't need a full-time in-house Privacy Officer [DPO] and would be more suited to using an external consultant that carries out an audit every three to six months and works with you whenever you are planning to introduce new processes.”

Using the DPO

By appointing the DPO now and undertaking a thorough privacy audit, companies will be able to monitor the inevitable compromises that will ensue before final implementation of the GDPR. When that day comes, companies with an existing DPO or arrangement with a third party providing that service will be able to move seamlessly into compliance and lessen the danger of heavy sanctions.

Some of the proposals likely to change between now and then include the one-stop-shop (currently thought to be contrary to the European Convention on Human Rights) and the ‘right-to be forgotten’ (currently thought to be infeasible).

But many of the existing primary principles will remain – and Pounder urges that companies should use the next couple of years, with a DPO in situ, to prepare themselves. First, companies should implement a data protection compliance regime with all parts of the company aware of their roles and responsibilities. Second, they should take this opportunity “to review data loss reporting arrangements… as such reporting will eventually become mandatory.” Third, companies should review all fair processing notices published on websites and customer-facing forms to ensure the all-important statutory-required details are included (for example, all purposes of the processing). Fourth, explains Pounder, they should “review subject access procedures and the rights in relation to objections to direct marketing; and finally they should augment their “standard security risk assessment processes (which focus on the threats to an organization's assets) with privacy impact assessments (which focus on the threats to individual privacy).”

What about the US?

The same requirements will be made on US companies operating in Europe, and so the same advice will apply. But while the Regulation is largely a matter of turning the screw on what European companies should already be doing, it is a cultural step change for US companies. Catherine Pearce explains: “The current US environment is very friendly to organizations collecting and using data on individuals, with limited exceptions when the data has certain properties. Many businesses, business models, and even whole industries rely on the regulatory environment continuing to favor companies, or to at least provide regulatory burden which doesn’t prevent their existence. Whether this is a moral or optimal state is irrelevant as it is simply the way things are at present.”

Several US companies that process European personal data are already being tested by existing European legislation – such as Google and Facebook. This will get worse under the GDPR.

“Europe is a very different regulatory environment, and if they put regulations in place which force international businesses to comply, we could be in for a transatlantic showdown unless a compromise is made. If a compromise largely prevents change, many will be dissatisfied and we will probably see a renewed push in several years. If change occurs, whether from within the USA or forced upon international companies by changes in the USA, then a paradigm shift in how data is collected, stored and used will occur”, says Pearce. 

American companies are in danger of assuming that Europe will not impose its privacy requirements on them – but this would be a mistake. Following Edward Snowden’s revelations of the American government’s PRISM surveillance program, Europe is in no mood to make special concessions for US businesses. Even the existence of the ‘safe harbor’ arrangement for US companies is being questioned. “If the EU were to remove the safe harbor provisions in the GDPR then there may be nowhere to hide”, Pearce warns.The problem is that US companies do not yet seem to be taking the GDPR seriously. “I have no doubt some organizations in the US are scrambling already”, she says, “but I’m not seeing them do so on a large scale.”

Put simply, it would be a mistake for either European or US companies to assume that the GDPR either won’t happen or won’t have any effect. In both cases it almost certainly will. But if companies start preparing for it now, based on the current draft proposals, then they will not be caught out when it is implemented in two or three years’ time.