The GDPR, which came into effect on May 25 2018, continues to cause headaches for organisations looking to navigate the compliance landscape. It’s still relevant, because it’s an ongoing compliance requirement for all businesses operating in the UK.
The GDPR was ground-breaking and it acted as a catalyst for an explosion of regulatory and compliance standards, such as the California Consumer Privacy Act (CCPA). The result, however, is that the EU compliance landscape has become an increasingly complex and challenging environment to navigate.
Guiding organisations through this is a challenge — there are many considerations to be addressed, from complying with different local regulatory laws and knowing what data is where, to deciding whether or not to pursue legal appeals against a heavy-handed fine.
To find out how businesses should operate in this evolving EU compliance landscape moving forward, Information Age spoke to Tim Hickman — partner at White & Case LLP and renowned data protection law expert.
But first, it’s important to understand the challenge.
Understanding the local law
The GDPR has provided a data protection foundation for the EU’s Member States. However, compliance standards vary depending on the local regulatory laws of each country — “this represents the biggest challenges for businesses wanting to operate in those areas,” said Hickman.
“There is a high level of national variation from one member state to another and the problem for organisations is working out which of those natural variations actually matter,” he continued.
For example, if a business has offices in London, Madrid, Prague and Stockholm, it’s not enough to just read and understand the GDPR. Compliance officers need to establish what the local law — which is in continual flux — wants them to do differently, depending on what the business does with data.
Hickman illustrated this point with how different countries treat the personal data of deceased persons, which is relevant for healthcare and insurance providers.
He said: “In the UK, once a person dies, they no longer have rights to their personal data under the Data Protection Act 2018.
“But, in other EU member states, like France or Italy, there are provisions whereby an individual can specify what should happen to his or her personal data after death, or designate a person to exercise his or her rights on his or her behalf, after death.
“If a UK organisation holds lots of information about people over a long period of time, (e.g., in the context of clinical trials or life insurance), then they’re unlikely to face any data protection problems in the UK once a person has died. But in other member states, these same businesses are not necessarily safe. And so, a lot of the time needs to be spent working out which of those national data protection divergences matter, and how much effect they have on any particular business.”
Once this picture of local law is established, the question becomes; how can I comply? According to Hickman, there are four strategies.
1. A high watermark
The first strategy focuses on finding the strictest laws in the EU, “which if you’re in doubt, default to Germany,” advised Hickman.
For this compliance strategy, an organisation should adopt the strictest approach and apply it to all EU operations. This approach is very simple — once the strictest approach has been identified, an organisation will be compliant everywhere.
However, there is a downside, as Hickman explained; “because an organisation is imposing a stricter standard, it’s leaving a gap between what it’s doing and the minimum that it has to do to achieve compliance in those EU member states that have lower standards on that issue.”
In certain circumstances, this would allow a competitor to undercut that organisation, because in some EU member states it can lawfully use the available data in a way that the high watermark organisation cannot.
Privacy regulators and the challenge of enforcement
2. Targeted compliance
The second strategy focuses on targeted compliance. Here, an organisation would seek to comply in each jurisdiction with just the applicable national law. “This is a good way of reducing your risk without giving up any business advantage in a particular jurisdiction,” continued Hickman.
The challenge of this strategy is that a business will have to keep track of the national regulatory boards in every member state. This will result in a lot of administrative work.
“By adopting this strategy, an organisation will save itself a lot of lost business opportunity, but it might be eating all that cost right back up in terms of additional legal spend on compliance,” added Hickman.
How to approach modern regulatory change management in financial services
3. Targeted non-compliance
The third approach is called targeted non-compliance. “In this instance, an organisation will look at the enforcement pattern of regulators in a specific space and if they’re not enforcing the law to the letter, then the organisation won’t prioritise complying with it,” explained Hickman. “At the moment, most of the enforcement is focused on specific areas and there are lots of other areas that aren’t being enforced at all.”
To validate this, Hickman said that he “had yet to see a meaningful fine being issued to any organisation for failure to maintain a record of processing under Article 30 of the GDPR, or failure to have a compliant privacy notice under Article 13.”
The GDPR was necessary and ambitious, but it seems the realities of enforcing some of the laws are proving difficult, because of a lack of resource and precedent for regulatory bodies.
Coming back to targeted non-compliance, some organisations would rather sit on their hands and carry on with business as usual, rather than spending substantial sums on complying with requirements that are not currently being enforced.
“This can be a risky approach, but depending on your level of comfort with risk and how confident you are in your analysis, it could be the right decision,” added Hickman.
Has Brexit made UK data protection and the right to privacy more uncertain?
4. Chaotic non-compliance
Chaotic non-compliance applies to most businesses in most areas. “These are the businesses that are not compliant. Maybe they have some idea that they’re non-compliant, but there are still a lot of gaps to be filled in,” explained Hickman.
The risk here all depends on what data an organisation holds, and what it does with the data. The regulators are less likely to enforce fines on an organisation that has lost non-sensitive data during a data breach. However, if an organisation has lost financially or politically sensitive data then there is a significantly higher likelihood of enforcement.
For those businesses that are in the chaotic non-compliance space right now, the most important step is risk-minimisation. These businesses should start looking at what types of data they hold, and consider whether or not they need to improve cyber security and their approach to compliance in general.