GDPR Compliance: We've Only Just Begun

Complying with the GDPR is a marathon, not a sprint.

GDPR compliance: ready, set, go!

You’re an in-house lawyer for a company with significant European operations. For the past two years, you’ve been getting your company ready for the General Data Protection Regulation (GDPR), which goes into effect in the European Union less than two months from now.

You’ve read a million articles about the GDPR. You’ve listened to Above the Law’s webinar on GDPR readiness. You’ve appointed your Data Protection Officer (DPO). You’re ready to respond to right-of-access requests. You’re all set, right?

Not so fast. That was the overarching (and perhaps depressing) theme of a great panel at the Global Privacy Summit of the International Association of Privacy Professionals (IAPP), GDPR: Country-Specific Implementations and Derogations. It featured the following panelists:

  • Erica Kitaev, Managing Editor for Privacy and Data Security, Practical Law (Thomson Reuters), and former partner, BakerHostetler;
  • Laura Jehl, partner and co-leader of the GDPR initiative, BakerHostetler; and
  • Kimberly Wong, Senior Counsel, Data and Technology Practice Group, McDonald’s.

The panelists noted at the outset that GDPR is the first comprehensive overhaul of EU data protection rules in twenty years. It seeks to provide a consistent set of data protection rules across the European Union, and as of May 25, it will apply in all EU member states. But what many observers don’t realize is that the GDPR explicitly permits member states to enact legislation to supplement the GDPR — and the laws passed by individual EU nations will greatly complicate GDPR compliance for companies with operations in multiple EU countries.

The GDPR gives leeway to individual nations across a wide range of areas. For example, the GDPR’s default age for a child giving consent to the processing of her personal data is 16 — but under Article 8, “Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”

But that’s just one example. Other areas where member states enjoy GDPR-granted discretion include the processing of sensitive personal data, such as genetic or health data (Article 9); the processing of data related to criminal convictions (Article 10); the scope of the rights of “data subjects” (Article 23); and additional requirements for DPOs (Article 37).

Have EU nations exercised their discretion under the GDPR? As of this month, four nations have passed GDPR legislation (Austria, Belgium, Germany, Slovakia); 16 nations have published draft bills; and eight nations don’t even have draft bills. It’s a dynamic situation, constantly changing. (Kitaev’s team members at Thomson Reuters follow these developments closely, to maintain TR’s Data Privacy Advisor product.)

Two nations that seem to be exercising their GDPR discretion in fairly aggressive fashion are Germany and the United Kingdom, which arguably broaden the scope of their national laws beyond the terms of the GDPR itself. For example, the draft U.K. law seems to expand the GDPR by applying U.K. law as long as the data subjects reside in the U.K., even if the non-U.K. data controller is established in another EU country.

Kitaev did counsel caution here, noting that the German and British laws might reflect “loose drafting,” rather than any intent to apply their privacy laws more broadly. But Wong, looking on the bright side, noted that some organizations might actually appreciate the German approach. A number of the GDPR’s provisions are vague, especially compared to U.S. laws, but the German implementing laws are relatively clear (even if more demanding in various respects). So perhaps a company might take the view of “if we’re compliant with Germany, then we’re compliant with everyone.”

Right now, however, what it will take to comply with most EU nations’ individual privacy laws isn’t clear. Most countries have not passed their GDPR-implementing laws or have not even proposed draft legislation — meaning that in-house lawyers for companies with European operations will need to monitor the situation for quite some time, well after May 25 has come and gone. (The folks at Thomson Reuters who keep its Data Privacy Advisor up to date will be very, very busy for the foreseeable future.)

“People see May 25 as a finish line, but I view it as a starting line,” Kitaev said. “We’ve had all this time to train, and now we need to run the marathon.”

Kitaev asked the panelists for closing comments. Jehl had just two words: “Good luck!”


David Lat is editor at large and founding editor of Above the Law, as well as the author of Supreme Ambitions: A Novel. He previously worked as a federal prosecutor in Newark, New Jersey; a litigation associate at Wachtell, Lipton, Rosen & Katz; and a law clerk to Judge Diarmuid F. O’Scannlain of the U.S. Court of Appeals for the Ninth Circuit. You can connect with David on Twitter (@DavidLat), LinkedIn, and Facebook, and you can reach him by email at [email protected].