On January 16, 2019, Hunton Andrews Kurth hosted a breakfast seminar in London, entitled “GDPR: Post Implementation Review.” Bridget Treacy, Aaron Simpson and James Henderson from Hunton Andrews Kurth and Bojana Bellamy from the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth discussed some of the challenges and successes companies encountered in implementing the EU General Data Protection Regulation (the “GDPR”), and also identified key data protection challenges that lie ahead. The Hunton team was joined by Neil Paterson, Group Data Protection Coordinator of TUI Group; Miles Briggs, Data Protection Officer of TUI UK & Ireland; and Vivienne Artz, Chief Privacy Officer at Refinitiv, who provided an in-house perspective on the GDPR.
The briefing provided an opportunity for companies (the “Companies”) to reflect on their achievements so far and to benchmark their GDPR experiences ahead of Data Protection Day, which is on January 28, 2019. A main takeaway of the day was that building a business friendly privacy environment is an ongoing process that must be viewed from a global perspective.
We have summarized below some of the key discussion points from the seminar.
GDPR Implementation Insights
- Generally Satisfied with Compliance: While the Companies were reasonably satisfied with the bulk of their GDPR implementation work and are now engaged in fine-tuning their data protection compliance programs, the Companies recognized that a number of challenges remain.
- Global Privacy Challenges: Data Protection Officers are seeking to move their companies toward sustainable privacy programs that ensure GDPR compliance, yet also address global privacy challenges beyond the GDPR. The Companies view GDPR compliance as important, but not an end in itself, at least not given recent developments in other parts of the world, such as India, Brazil, etc. The Companies recognize privacy as the new normal, and are working to build efficient programs to address privacy challenges at an international level.
- Maintaining a Culture of Privacy Awareness: Maintaining and developing a culture of privacy awareness within their companies is a key concern for privacy leaders. Some business leaders viewed the GDPR as a completed task once the implementation date of May 25, 2018, had passed, rather than an ongoing responsibility; and privacy leaders have been working hard to correct this view.
- Territorial Scope: Many of the Companies have struggled to interpret the territorial scope of the GDPR. Insights from the European Data Protection Board’s Guidelines on Territorial Scope (3/2018), published in November 2018, have helped to clarify the position on topics such as the location of the protected data subjects, the use of non-EU based processors and the nature of a non-EU processor’s obligations.
- Data Processing Agreements: Implementing Article 28 requirements continues to challenge the Companies, with a broad range of positions being adopted when negotiating data processing agreements. Negotiating liability caps and exclusions can be complex, due in part to the risk of reopening broader liability and other contractual issues. It will likely take some time for market practice to evolve.
- Increased Training and Tech-enabled Compliance Tools: The Companies mentioned that, in the year ahead, conducting data protection training and awareness programs and rolling out tech-enabled compliance tools (e.g., for DPIAs and DSARs) will play a key part in enabling ongoing compliance with the GDPR.
- GDPR and Future Privacy Challenges: The Companies stressed the difficulties encountered in interpreting and implementing GDPR obligations in the context of artificial intelligence, machine learning and the big data challenges of tomorrow. Companies will need to find innovative ways to accommodate big data while respecting data subject rights.
Regulatory Perspective
- Increase in Complaints and Breach Reporting: As expected, data protection authorities (“DPAs”) have already been required to deal with a significant volume of complaints (on one report, 42,230 throughout the EU), and reports of data breaches (some 500 per week in the UK in the first few weeks after the GDPR took effect). Breach notifications across EU Member States have reached levels that are barely sustainable for most EU regulators. This is a consequence of the low notification threshold set by the GDPR, and of organizations adopting a very conservative approach towards notification. The ICO has reminded organizations that not all data breaches need to be reported. Other DPAs have a differing view, pointing to the need for more comprehensive guidance on this topic.
- Inconsistency across Member States: There are already examples of inconsistent approaches by EU DPAs in relation to the implementation of the GDPR framework. Perhaps the starkest example of this is the 21 separate DPIA frameworks adopted at a national level. Staffing levels between DPAs differ, and differences in enforcement strategy are also likely. It will take time for differences to be reconciled, and in some areas, they will remain. Just as companies require time to embed and fine tune their implementation of the GDPR, regulators will also require time to adjust to the new regulatory environment.
Future Challenges
- Moving Beyond Local Compliance to Global Privacy Accountability: Privacy frameworks are evolving and organizations face the challenge of moving their focus from local legal compliance to implementing a global operational privacy framework. The GDPR is now viewed as a template by countries seeking to craft new privacy laws. It offers a major step forward towards an operational privacy framework, but global privacy accountability will remain a challenge.
- Local Challenges: Privacy leaders aspire to ensure that at every level of their organization, staff recognize the privacy issues raised by each decision, and assess the privacy risk for affected data subjects.
- Future Challenges: Major legal challenges highlighted by participants included Brexit, the e-Privacy Regulation and the likelihood of legal challenges under the GDPR.
Hunton is hosting its next seminar in its London office on “Practical Insights on the Design and Implementation of Data Protection Impact Assessments,” on March 6, 2019.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code