For those wondering how many sleeps are left until the GDPR comes into force, it was confirmed at the sixth annual Thomson Reuters Future of Data Protection Forum, which took place last Thursday, that there were only 161 business days remaining.
With the looming deadline in mind, and a reminder in Ardi Kolah’s introductory address that the new regime is as much about reputation as regulation, business readiness and priorities were key themes of the day, with speakers and delegates sharing practical tips for managing core aspects of the Regulation.
Sharing the load: decision matrices and data ownership
A straw poll conducted early in the day revealed that only 12% of delegates thought that the biggest barrier to implementing data protection change in their organisation was getting buy-in, while 55% saw the main obstacle as securing sufficient budget or resource (the remaining 33% identifying ‘time’ as their overriding concern).
Several sessions discussed methods of making existing resources go further and avoiding the GDPR project team being perceived as a ‘blocker’ to the business. These included technological solutions allowing the business to help themselves to the answer to their question, such as online portals containing FAQs, handbooks and templates and even bespoke software containing a decision matrix guiding a user to the correct resource.
A point made several times during the day was, however, the importance of imparting the message that establishing and maintaining GDPR compliance was not the responsibility of those charged with managing the organisation’s GDPR project alone. Delegates discussed methods for ensuring that responsibility for a data category’s GDPR compliance rested with the appropriate business unit – and the challenge that identifying that business unit sometimes posed in circumstances where systems are complex to map and data can serve multiple purposes within an organisation.
One suggestion for a practical way of getting to the heart of the matter when the waters are truly muddy was seeing which department objected most strongly when it was announced that access to an ‘ownerless’ category of data would be denied. Once that had been done, the data owner could assist the GDPR team to determine the data’s purpose and retention period and so on.
Data protection ‘culture’: messaging and mascots
Participants also discussed methods for instilling a ‘data protection culture’ and using training on GDPR and data protection more generally to get home the message that any employee can cause a data breach that may have significant consequences. Methods used for doing so ranged from bread-and-butter corporate training to newsletters, quizzes, crosswords and ‘awareness weeks’ and, most strikingly, the use of animal ‘mascots’ to make messages about data protection more memorable.
Among other speakers, Sainsbury’s gave delegates some useful insights on all these issues during a session discussing how they have been managing their GDPR project on a day-to-day basis. For those interested in benchmarking their own organisation’s approach, but who were unable to attend the Forum, Practical Law has to date published two case studies detailing how Tesco and Pearson are approaching the task. See Article, Case study: How Tesco is preparing for GDPR compliance and Article, Case study: How Pearson plc is managing GDPR compliance as part of a larger transformation.
The results of the Practical Law survey investigating how in-house lawyers and their organisations are approaching GDPR compliance will also be published shortly: our October vlog includes a preview of some of the results.
Contract remediation: pressure points
An in-depth session led by Yukiko Lorenzo of Mastercard and Paul McCormack of HSBC focused on reviewing contractual arrangements in light of GDPR from the point of view of both data controllers and data processors – a process which may be one of the more ‘painful’ aspects of an organisation’s GDPR project.
One of the biggest concerns in this area was the time required to conduct the process satisfactorily, beginning with explaining the need to conduct it to business units (in particular within processor organisations not accustomed to an exposure to direct liability in this area), through gathering the contracts together and analysing them, to negotiating and finalising new agreements.
Various approaches were discussed, including:
- Repapering all contracts in bulk, rather than directing the GDPR lens at each contract individually.
- Entering into a new standalone data protection agreement with counterparties, with a view to then being able to amend that agreement in isolation as changes to data processes require, rather than having to engage in a larger process of renegotiating the entire underlying relationship agreement.
- The use of standard clauses produced by industry bodies, such as those drafted by the International Regulatory Strategy Group.
A specific issue which had been occupying delegates’ days was that of liability clauses. Audience members referred to a range of issues encountered, from counterparties’ relative ignorance of the incoming regime resulting in delays and misunderstandings, to the difficulties experienced by small data processors with relatively little bargaining power when trying to negotiate liability clauses with both large clients on the one hand and powerful sub-processors on the other.
While there was no one-size-fits-all solution to these, or the other issues raised, one suggestion for their resolution was to hold workshops with relevant counterparties – again, however, a process that takes time.
The ultimate takeaway in this area was: if you have not started the process of contract remediation, do so now.
Practical Law has published numerous materials relevant to these issues. See, for example, Rosemary Jay’s free video discussion of the responsibilities imposed on data processors by the GDPR and Standard clauses, Data processing clauses (GDPR version).
Separate breakout session considered consent and the alternative legal bases on which data can be processed, and the role of the DPO within an organisation: see Blog post, Employee “consent” under the GDPR and this free video discussion of the role of DPOs for more information on these issues.
The E-Privacy Regulation
While 25 May 2018 is a date that data protection practitioners are unlikely to forget for its association with GDPR, speakers on Thursday took the opportunity to remind attendees that the proposed E-Privacy Regulation is also slated to come into force on that date, and to review the draft legislation and raise any concerns they may have about it well before then.
While this deadline may well not be met, it is possible that any new deadline may not be that far into the future.
Practical Law has published materials on this Regulation including, for example, Article, The New E-Privacy Regulation: what it will mean for businesses, and has also made available this free video, in which Phil Lee of Fieldfisher gives an overview of its content.
For more information on GDPR and data protection generally, go to Practical Law’s EU General Data Protection Regulation toolkit, which summarises the materials available, including those dealing with the interaction between GDPR and Brexit.
