It’s been just about three months since the GDPR went into effect, so it makes sense that many people right now are wondering just how the whole process is going. After all, it was all anyone in the media wanted to talk about for months leading up to May 25. Now? There doesn’t seem to be a peep about it. That’s comforting to some who think it means GDPR is a dud, but very worrying to most others, because in the absence of a major regulatory action by a data protection authority, everyone is still waiting to know how GDPR will be enforced.
The reality, of course, is somewhere in between, but it would be a grave mistake to think that, just because people are not talking about the GDPR, it is not an important part of daily business operations and a guiding force for how data security and privacy are going to be handled in the future. Don’t believe the (lack of) hype.
Nevertheless, now that we’re three months in, it’s possible for us to make a somewhat objective appraisal of how it’s all going, and what we should be thinking about going forward. No analysis at this early stage could be comprehensive, but at the same time, we at least have some idea now of what it means to operate in the post-GDPR world, even if the regulators haven’t come down with any serious fines. Yet. So, for your review and consideration, here are three GDPR issues that you should be thinking about.
Issue One: DSARs
Although they may have flown under your radar before, in the buildup to May 25 you probably heard a great deal about data subject access requests. This is the mechanism by which a data subject can request to know what information you possess about them, how you’re processing it, to whom you’re transferring it, and the like. Responding to these requests, traditionally, proceeded at a somewhat leisurely pace. Not any longer. Under the GDPR, you have 30 days to respond to a data subject access request and get them all the information that they want. In fact, you also have to give them copies of their data if they request it.
Obviously, that’s a substantial undertaking, especially if you don’t have integrated data management processing systems across your company. If one department isn’t talking to another, figuring out what data you both have from the same data subject can be an extremely daunting task. So, at least from one perspective, dealing with DSARs was always going to be a major complication of the GDPR, with a spike in the number of requests starting May 25.
And there was a spike, but only for a short time. In fact, after the initial increase in the number of data subjects exercising their rights under the GDPR, we’ve seen and heard from clients and others that the number of DSARs has dropped off dramatically, returning to, or in some cases dropping below, pre-May 25 levels. Why the change? The reality is that, except for those data subjects attuned to data security laws and their impact, most normal consumers were not aware of, or didn’t care about, the implementation of GDPR. The great DSAR surge has leveled off, for now.
Don’t waste this opportunity. Given that GDPR is already in place, any failures to comply that occur now are going to be treated more severely as time goes by. The thinking will be that, if you’ve had this long to get your company prepared for GDPR, any unreadiness is, effectively, intentional. There’s some truth and reason in that thought process, and you shouldn’t ignore it. As such, think about ways that you can make your company’s response to DSARs more streamlined, more rational, and speedier. We recommend developing an internal response and management protocol that allows your company to track not only what requests come in and who has made them, but also how quickly your company is responding to each request, when the responses go out, and what the gravamen of those responses was. That kind of reporting (also helpful for your Article 30 recordkeeping obligations) is exactly what regulators are going to be looking for if they conduct an audit, or if there is a complaint from a data subject.
Again, DSARs aren’t going away, but when you have the opportunity to make your process a little better because of the low point in the number of requests coming in, it would be foolish not to take it.
Issue Two: Data Processing Addenda
Chances are, if you’ve negotiated any contracts in the past three months, you’ve had to deal with at least one DPA. The reason is that (other than the irrepressible joy that lawyers derive from creating endlessly long agreements), if you’re processing data from Europe, or you’re engaging a processor in the EU, you need to have the required contractual provisions laying out exactly what your partner in the engagement will do. Many, if not most, of these DPAs look very similar, especially if they contain the standard contractual clauses that everyone seems to be relying upon in light of the uncertain future of Privacy Shield. And frankly, that’s good thinking. Recognizing that the standard contractual clauses have a longer shelf life (for now) means that you’re giving yourself some leeway to renegotiate contracts in the event of a change in the law in the future.
Nevertheless, the process of dealing with the DPA that is on your desk right now has become somewhat burdensome. The reason is that many companies are using the negotiation of a GDPR-compliant DPA as an opportunity to renegotiate the entire contractual relationship. The view is that, because the parties have come back to the negotiating table already, why not take the opportunity to address all the things that you didn’t like about the contract anyway? Obviously, this has become a source of substantial frustration for many companies.
We’re not going to get into how you should conduct those negotiations, because not only would that not make sense for you, it would make our malpractice insurance premiums go through the roof. Bad times. On the other hand, as a general guideline, we think that treating the DPA negotiation as a unique matter, separate from the performance of the contract more generally, is a way to contextualize what you’re doing. Hopefully your counterparty will treat it the same way. If they don’t, that’s at least revelatory about the way the relationship with your partner is proceeding, and an opportunity for you to think about how it can go in the future.
There are, of course, situations where there has been no problem with the negotiation of the DPA, and things are proceeding just fine. That’s good news. It doesn’t mean, however, that in the future you won’t want to use the issues raised in a DPA as leverage or bargaining points in a future negotiation of the contract. So, take the time to look through the DPA, see what promises your processor or the controller is making with respect to how they deal with data, and what your obligations under the DPA are. They, and you, need to take those obligations seriously.
Issue Three: Cross-Border Data Transfers
This is the biggie, as far as we are concerned, because there is the most uncertainty about it. Most companies straddling the Atlantic have dealt with it through a combination of Privacy Shield, Standard Contractual Clauses, and good old-fashioned hoping that regulators will finally provide some clarity. A very select few have been able to go through the process of getting their Binding Corporate Rules approved by the EU, a process that takes a substantial amount of time, energy, and resources, and isn’t really cost-effective for many companies. Still, it’s a guarantee, of sorts. So is the approach others have taken, which is to cease EU operations until they’ve figured out how to comply with the more onerous of the GDPR’s requirements.
There are also some companies that have decided to ignore the regulation altogether and continue transferring personal data out of the EU for processing in the US. The thinking seems to be that, because they haven’t had a problem so far, there’s no reason to believe that one will emerge. We call this the “Ostrich Stratagem,” which sounds like a Robert Ludlum thriller, rather than the terribly, terribly misguided decision it actually is. Ultimately, as we’ve said before, GDPR’s requirements for transparency, consistency, and security are going to become the norm across jurisdictions. It doesn’t matter whether you do business in Brussels, Brasilia, or Bakersfield: the obligation to safeguard data and provide data subjects with details about how and why you do so is no longer optional. That applies with added force when talking about transferring data, because a failure to disclose to consumers the fact, nature, and consequences of shipping data overseas is going to be a focus of regulators everywhere, regardless of where you (or they) are located.
For those companies that are at least trying to follow GDPR, the cross-border transfer issue is a thorny one. One reason for this is that the GDPR, like any law, is written with the sweeping confidence that legislators have when it comes to language: this shall apply to X, but not to Y. But what happens when the situation is XYZ? For instance, what if, in the course of your operations, you receive materials from a data provider like Dun & Bradstreet? Great! You’re enriching your information about customers. But are you checking to see if D&B’s list includes data on EU residents? Are they in the US, or still in the EU? If they’re in the EU, how did D&B come into possession of the data, and what guarantees have you made to protect it? Or, alternatively, do you provide customer data to aggregators? Do you have a clear, written understanding of where that data is going?
If trying to answer the questions in that last paragraph makes you nervous, you aren’t alone. Even companies that are comfortable with their present arrangement under Privacy Shield are feeling anxious, given that the European Parliament overwhelmingly voted in favor of rescinding the program, the CJEU (which is, ahem, not so keen on US data practices) is currently reviewing its legality, and the European Commission has said not a single word in its defense.
In a sense, the cross-border transfer issue is the most important for American companies, because most don’t have operations in the EU. Instead, they trigger the GDPR by offering EU residents sales of products or services. Getting data on EU residents out of the EEA and onto American servers, then, is a primary means of commerce flowing from east to west, and provides billions of dollars’ worth of value to businesses every year. The uncertainty surrounding how exactly that will be regulated is not good for business, but it isn’t good for regulators either. In the absence of a clear standard for data flows to the US from the EU, data protection authorities are themselves in limbo, waiting to know what the (inevitable) next iteration of Safe Harbor/Privacy Shield will be.
So, Now What?
These three issues are only the ones we’ve been thinking and talking about the most — your company may be dealing with entirely different questions or concerns. The most important takeaway from our consideration of these points is that doing compliance is a lot more important than claiming to be compliant. At this point, saying “be GDPR compliant” is a lot like saying “be a good athlete” or “play the piano well.” The phrases are syntactically correct, but very often they lack any meaning unless you have a much deeper awareness of the subject. The good thing is that, like learning an instrument or playing a sport, a lot of what we call GDPR compliance is about practice: working with the right people, taking the time to learn what’s important, and committing to doing the difficult tasks, every day.