We’re entering the home stretch of the GDPR countdown now, with just about two months to go. At this point, you may or may not have realized that you need good advice about what to do and how to do it. Ideally, you’ve started the process of implementing a thoughtful data security plan (or have at least thought about thinking about it). But with new breaches and investigations beginning seemingly every day (Under Armour, Saks, Panera, all in the last five days), it raises a critical, and practical, issue: how are regulators going to approach data security enforcement after May 25? And who are the regulators anyway?
We’ve talked before on this blog and in the podcast about the Data Protection Authorities (DPAs) which vary by country, and the European Data Protection Board (EDPB), which will replace the Article 29 Working Party. But a general understanding that there *are* regulators is no substitute for understanding who they are and what they do.
In one sense, they’re enforcers, intervening on their own or at the behest of individual complainants. The Regulation empowers each national DPA to set their own parameters for when and how to become involved in disputes, although they must resolve every individual complaint as they come. At the recent IAPP conference, several DPA leaders expressed their position that there was a difference between involvement in an informal sense and the opening of a formal “investigation.” The difference, it seems, is that when the DPA believes it can achieve compliance by working with a company, it will, but that more difficult or egregious cases will require a more structured approach. Fines and penalties, of course, are always a component of such actions, formal or not.
But in another important way, each DPA is a regulatory authority with lawmaking power and the ability to influence national legislation. The GDPR requires that each DPA set individual requirements in Member States related to a variety of issues, including, for example, the contours of legitimate purpose-based processing. That authority is extremely important, given that there is so much ongoing confusion about what constitutes a legitimate purpose under the Regulation.
To my mind, the most overlooked power of the DPAs is their ability to establish the requirements for Data Protection Impact Assessments and the creation of Codes of Conduct/Model Clauses/BCRs. DPIAs are the preliminary step a company must take to analyze the potential effect of processing if there is a potential for significant risk to individuals – if the DPIA demonstrates that the risk exists, you must first consult with the DPA prior to proceeding. That creates a massive power to halt or modify business plans, and can slow processing substantially.
The ability to create Codes of Conduct and BCRs, on the other hand, can be a great help in facilitating the flow of data across borders and within companies. Until and unless more countries are given adequacy determinations, Codes of Conduct, Model Clauses, and BCRs are going to be the primary way for data to move freely. Be prepared for DPAs with more lenient or flexible approaches to these important tools to spur businesses to move their establishments, much as Delaware’s business-friendly approach to corporate law created a cottage industry out of incorporation in Wilmington.
DPAs are already preparing, frenetically, for the onset of GDPR and their new powers. I typically recommend that clients spend time learning which DPA will have jurisdiction over their activities, and how to establish, or deepen, the company’s relationship with their regulator. In many ways, knowing the DPA will be just as important as knowing the Regulation, but, to be datasmart, there’s no substitute for knowing both. With less than two months to go, it’s time to get to work.