The General Data Protection Regulation (GDPR) is highly complex and imminently due to transform global privacy law. As a lawyer and chief privacy officer for data governance firm Evidon — a leading risk and compliance solutions provider — Todd Ruback works with many of the leading law firms on GDPR matters, and has an insider’s perspective of the GDPR’s commercial impact.
With a year to go before the GDPR becomes effective, we asked him to share his insights on the GDPR and how legal firms can help clients navigate it successfully.
What is the GDPR and why do companies need to be aware?
Disclosure. I’m a U.S. lawyer, not an EU licensed attorney. That said, because the U.S. does not have a national privacy law, and since the GDPR’s scope reaches almost all multinational organisations, it could well become a de facto national privacy law in the U.S. The brilliance of the GDPR, whether by design or not, is that it destroys the traditional notion of borders by extending its application to any organisation that merely offers its services to an EU resident or carries out large-scale internet monitoring. This low threshold sweeps up almost everyone, which will cause most organisations to standardise to the GDPR as their baseline compliance approach.
The main aspect of the GDPR is codified accountability, meaning an organisation has to be able to demonstrate that it complies with 39 of the 99 articles that make up the law. It’s a tall order for any company to do as a one-time event, much less as a sustainable business model. Companies are already resource constrained, so they are naturally turning to their trusted fiduciaries, often outside counsel. This means the GDPR will be big business for the legal industry. In fact, the IDC estimates overall the GDPR will be a $3.5 billion services opportunity by 2019.
What are the most important aspects for clients to understand?
While the GDPR is dense, the majority of its 99 articles detail what type of evidence a company needs to maintain. Interestingly, the GDPR signals a subtle shift in EU privacy law by moving away from a proscriptive approach and instead adopting a risk based approach toward compliance. In other words, the GDPR allows for flexibility. Compliance is not one size fits all.
The GDPR is also nuanced, and companies should consider thinking through a top-level data governance strategy that focuses on gaining the right permission or consent from the consumer in order to collect and use her personal data. The consent management aspect of the GDPR will be the lynchpin of any mature data governance strategy.
How will the GDPR affect companies’ digital marketing supply chains?
Digital marketing on websites and apps drives a lot of revenue for many organisations. The supply chain is complex and opaque however, which is of concern to many policy makers. Companies should take care to ensure they know who exactly is allowed on their websites and who is actually visiting their sites. They need to have the right contractual limitations in place, along with adequate and appropriate liability and indemnification provisions. Many digital supply chain vendors, in a quid pro quo, however, will want their website customers or publishers to get consumer consent on their behalf. We’re already seeing these conversations in the market, all being driven by the GDPR, resulting in a new level of collaboration between websites and their digital supply chain.
What are the most common misconceptions around the GDPR?
US-based companies frequently assume the GDPR doesn’t apply to them because it’s a European law, but the triggering mechanism for the GDPR’s application is so low that, it applies to almost everyone. As I mentioned above, all you need to do for the law to be triggered, exclusive of being established in the EU, is merely offer your services to an EU resident — so having a website that can be accessed from the EU is sufficient — or if you are engaged in website monitoring. This last one is specifically aimed at the adtech industry.
There’s also the belief that non-observance is less expensive than compliance. This is improbable given that the fines soon to be enforced are at minimum, up to €10 million or 2% of turnover, and at maximum, up to €20 million or 4% of annual turnover.
Are most companies doing their own GDPR readiness assessments or are they using outside resources?
It’s a mixture, but many use qualified outside counsel, and with so many tasks to be completed, that is a great idea. We’ve also seen a hybrid model, where external counsel, business consultants and experts are hired by law firms are combined to cover all bases, which seems to be effective.
How much are clients likely to spend on compliance? How can law firms help clients and themselves avoid wastage?
Cost estimates vary greatly in accordance with the size and data usage levels of a company. In Europe, studies suggest companies will spend an average of €1.3 million, while in the US it’s predicted budgets will be between $1 million and $10 million. Factors that will increase spend for some include the need to appoint a Data Protection Officer (if they employ over 250 people) and the extent to which systems need to be reconfigured.
For law firms, the best way to reduce cost is ensuring their engagement model is aligned with client needs. This long-term approach requires some initial set up, but will prove a beneficial asset with ongoing GDPR preparation and maintenance work on the horizon.