Will the “Real” GDPR Please Stand Up?
If you haven’t been living under a rock for the past year or so, you’ve probably heard something about the new European Union Privacy Law referred to as GDPR. The acronym stands for the General Data Protection Regulation and it went into effect on May 25, 2018. As with most newly introduced laws and regulations, there are two keys to successfully complying: 1) interpreting the requirements; and 2) being able to defend your interpretation and resulting actions.
This is where the fun begins!
The goal of GDPR is to protect individuals and their personal information – a goal that we enthusiastically endorse. However, achieving such noble goals is challenging. Sweeping legislation such as GDPR typically is designed and drafted such that it can accommodate myriad variations and situations to which it will be applied. For example, a company the size of Joe’s Garage cannot (and should not) be held to the same degree of scrutiny as a company the size of General Electric.
As you can imagine, this is no easy feat for the lawmakers to get right. If it overreaches and requires more than can responsibly be accomplished by the primary demographic driving the economy (typically, small to medium size businesses), it could create major economic disruption. In addition to the challenge of where to set the compliance bar, the legislation also defines penalties for non-compliance, which are €20 million or 4% of gross revenue, whichever is HIGHER! This is a significant increase over prior legislation and enough to put many companies out of business. Clearly, this is not what legislators have in mind.
First Step towards compliance: Understand how precedent influences expert advice
Well, just like with every new law that’s come before GDPR, it seems as though everyone has an opinion on how the law is to be interpreted. Of course, these are only opinions until the judicature responsible for enforcing it has established legal precedent. It’s just not possible for all variations in condition, scope, and impact to be considered and specific guidance for each to be provided by the lawmakers prior to ratification and enforcement.
One of the biggest question marks this seems to create is around the enforceable requirements given that the type and size of the entity in question can vary widely. For example, consider a scenario where various experts from different departments and geographies of the same company (e.g. internal counsel, customer counsel, external counsel, all acting as subject matter experts) need to work together to craft the company’s strategy for complying with GDPR. Given their different backgrounds and specific areas of expertise, they are certain to interpret the requirements differently and share widely differing opinions on the same issues. Mind you, all provided with the same degree of confidence, fervor, and conviction as the last!
Each of these qualified experts has a valid reason for their opinion, and it may very well be great advice or guidance for whatever specific situation they have in mind at the time they provide it. However, there have been several instances where it was determined that the advice from a qualified “expert” wasn’t exactly in alignment with the “spirit” in which the law was written. So, where does this leave the company and their compliance plans?
Then there are the well-meaning, newly minted and self-proclaimed “experts” who are on their first voyage through the sea of vague and ambiguous legalese. They, too, speak with the same degree of passion as the lawyers after reading a book or a blog or attending a conference on the subject. With GDPR they’re getting their sea legs on a law that’s just getting off the ground, with no history from which to learn the application of it in real life. For these folks, it may be best to stay as quiet as possible and learn from the experienced ones who’ve been here before instead of attempting to act knowledgeable after having only read the legal text.
Again, none of this is based on anything tangible in reality, given there is no prior judgment to base it on. It’s simply the opinion of another who CANNOT have direct experience with a NEW law where there is no precedent to draw from.
My recommendation when it comes to expert advice is to consider it guidance, not a mandate. Be sure to get someone with experience of previous new regulations and of working with a variety of organizations. Those with an open mind and the ability to adjust controls to meet specific needs and resources are worth their salt. Be leery of those using cookie cutter approaches. There is room built into GDPR for customization, so don’t be afraid to use it. Remember, it all comes down to defensible positions for the over-arching requirements in the end. And always use your own good judgment in the context of what’s realistic given your company’s size and available resources.
The Real GDPR will emerge with time and precedent
The Real GDPR will manifest itself as a result of the application of the law…once legal precedent has been established. Everything else must be considered speculation until proven through a legal enforcement process.
So, how do responsible judiciaries typically establish legal precedent without doing harm to those who are making attempts to satisfy the requirements? They ease into them in a responsible manner.
GDPR is the most comprehensive piece of privacy legislation to date, with a much larger scope in terms of the organizations to which it applies; hence the unusual degree of hullabaloo surrounding it. If you’ve had the “privilege” of working through other newly introduced laws, you’ve seen the initial chaos that occurs until the legal foundation that’s needed to remove all doubt is established.
So, why should companies do anything until there is valid case law providing “real” guidance on interpretation? Because there will be blood in the water in order to establish it! And you don’t want it to be yours. Therefore, we shouldn’t take establishing a baseline defensible position for the major tenets of the law lightly…there will always be a need for “examples” to be made in order to establish legal precedent, and we should all be diligent to avoid being one at all costs.
What can be expected in the initial phases of the legal application of GDPR?
You’ve probably noticed with other newly introduced laws how there is usually a period of time where everyone, including the regulators, is getting up to speed on their enforcement. Every indication I’ve seen so far points to a similar scenario for GDPR. A recent survey by Reuters showed that 17 of the 24 authorities that responded said “they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.”
The UK Information Commissioner provided a bit of insight into what can be expected as it relates to GDPR sanctions. She explains that massive fines are not expected to be levied for every violation, and warnings, reprimands, enforcement notices, and “stop processing” orders are often more appropriate and effective tools to use.
Bottom line: Stay calm, and make a credible effort to comply with new laws such as GDPR
But I’m not saying ignore it. We are tasked to perform some action to show credible and ethical intent to comply to the level where those actions will survive public scrutiny. Will an officer of the company be able to articulate why you thought your actions were sufficient?
But where are we to draw the line? How far do you go down the rabbit hole that an “expert” opinion can send you before you realize you’ve gone well beyond that which is required by the law or realistic for the size of the company, and the business is now suffering as a result?
Not only can doing too much put unnecessary pressure on the business, it can be what some call a career-limiting move. As a CISO in today’s world, too often there are accusations of trying to “boil the ocean” and wasting resources, and subsequently, there’s a changing of the guard. It’s a dance that one seldom feels comfortable with, especially if you’re as passionate about security as sales is about the almighty dollar.
What I believe is a responsible approach is to do all you can with the resources your business can reasonably afford to apply. Privacy laws aren’t new and we do have those experiences to draw upon.
Whatever you do, do not become complacent. The law will be enforced, and precedents will be set. It’s probably best to remain calm, adopt the spirit of the law, work towards continuously improving the areas of your business that involve personal data, and present where you are in an honest and transparent manner.