Much work to be done, as confusion ensues over GDPR’s 200 pages of uncertainty
In 1995, Europe introduced its first broad omnibus piece of privacy legislation, the Data Protection Directive.
Given that it had been negotiated in the years preceding 1995, it hadn’t really contemplated the Internet-based world it found itself in immediately on being passed.
It was immediately dated because it didn’t understand the Web, smartphones, the Internet of things and cloud computing. All of these things were about to emerge.
Ultimately, it was a tool badly designed for its time, yet it’s lasted 20 years. Five years ago, the European Union started on an initiative to redraft and create a new standard for Europe and, in December 2015, the General Data Protection Regulation (GDPR) was introduced in Europe.
There are about 50 components within the GDPR that DPAs have retained interpretive capabilities over. For example, age of consent in relation to privacy for children can range from 13 to 16 from country to country.
And there are now a lot more obligations for companies to fulfil. There’s a two-year implementation period, which we’re a few months into, and about 20 months from now the compliance obligations will be in force. Those greater obligations will come with significant risk.
Regulators can fine a company in Europe that does not meet its GDPR obligations up to four percent of its annual global turnover – a tidy sum of money, especially for large enterprises.
So what impact will the GDPR really have on data protection and what are companies doing to prepare for its implementation? TechWeekEurope caught up with privacy specialists at Microsoft, Google and Adobe to find out.
Brendon Lynch, chief privacy officer, Microsoft
I view the introduction of the GDPR as an incremental step, but it’s probably a big step. The reality is that there are more obligations and things we still need to work out. Ultimately, at Microsoft, we’re taking into account the new requirements and we’re conducting gap analysis, looking at what we already have in place, and there will be some areas where we’ll still have to do some more work.
I don’t want to trivialise it because it’s big. What is different is that there’s fining involved and that doesn’t necessarily change your posture – we have to be in compliance with laws regardless. But it does change the stakes of a mistake. It’s an additional driver and it probably has those of us managing privacy programmes thinking more about how can we get more assurance that all the controls we have in place are effective.
MeMe Rasmussen, VP, chief privacy officer, Adobe Systems
We have to keep in mind that the GDPR is 200 pages long. It’s huge and it’s written by people who don’t run businesses. So we have to look at it and figure out how we can comply.
This has been written by the EU, which has 28 member states and they all have their own agendas. With the GDPR they’ve left a lot open for resolution. We were hoping for one law that would govern all of Europe, as opposed to each of the countries having different interpretations.
We kind of ended up with a little bit of a mixed bag, and we don’t yet know a lot of what we’re going to have to do. The GDPR just came out a few months ago so it’s still breaking news. There’s a lot in there that will be up to interpretation by local authorities in each of the countries.
We’re a little worried that each of the countries will approach it differently. And we’re also waiting for guidance from data protection authorities on what certain terms mean.
Once the dust settles, and it’s not going to settle for another few years, it probably will be incremental but we’re still uncertain as to what it all means.
Keith Enright, legal director, privacy, Google
There always has been, and I suspect always will be, challenges incumbent upon multinational businesses. I don’t think we ever deluded ourselves, given our experience in Europe, into thinking that we would have absolute uniformity of law.
In some respects there is probably more delegation under the GDPR than we anticipated in some areas.
We’re very actively engaged with data protection authorities across Europe. If anyone has interacted with that regulatory community you come to understand they have a sovereign interest in protecting the privacy of citizens in the respective member states they represent. That was never going to go away with GDPR.
A lot of the hard work is still in front of us. It’s going to be driven by active engagement with the regulatory community across Europe. There’s a good bit of work to be done, not only to tease out what the data guidelines actually mean, but what they mean to individual DPAs and DPAs collectively.
We, as leaders in the industry around privacy practices, need to engage with those folks, and try to make sure we can negotiate and try to draw out as much rationality and application as we can.
Our interests are aligned with DPAs. We want to protect the security and privacy of our users to the greatest extent possible. The GDPR gives us a framework within which we should be doing that.
I think the GDPR is evolutionary. I think one area everyone is going to have work to do is bringing our privacy programmes to this next level of security that’s not only about protecting the privacy of the data but also becoming more robust in our ability to demonstrate we’re doing so.