GDPR One Year On: A Completed Task for Legal Counsel?
On 25th May 2019, the world will no doubt have noted the first anniversary of the General Data Protection Regulation (GDPR).
Despite their positive intentions, legislators and regulators have posed major problems for corporate counsel by failing to foresee the enormity of the task of auditable compliance, within both the public and private sectors.
So if anything, the one-year mark is a timely opportunity to reflect on whether or not guidance from legal practitioners – in-house or external – has been capable of execution. Answering this question, Lawyer Monthly hears from David Kemp, business strategist, Security Risk and Governance at Micro Focus.
GDPR policy guidance and regulatory enforcement
If we look closely at a number of key GDPR principles such as the “right to be forgotten” and “purpose limitation”, they each require major investment not only in policy and process but also in technology. For example, the regulation effectively demands that organisations have complete visibility over all data stored, in any format and in any location. This involves near-real-time reporting and requires the ability to respond to a Subject Access Request within a month and to a data breach within 72 hours.
From an enforcement perspective, legal counsel will have noted the relatively small and infrequent sanctions throughout the year – save for the French regulator, the CNIL, fining Google €50 million in January 2019. However, legal practitioners are advised to ensure client enforceability of their guidance, especially in light of the ICO UK’s use of jail terms under the Computer Misuse Act 1990. Ultimately, non-compliance is now a matter of deprivation of liberty, not just fines.
Compliance – the story so far
In practical terms, the private sector has largely taken the GDPR seriously, providing direction on active and demonstrable consent to retail customers. Anecdotal evidence has also suggested that the “privacy by design” concept is being respected when it comes to integrating compliance features into new products and services. In one instance, the CDO of a global UK-headquartered bank has made sure that anonymisation is in place when analysing its Personal Data to improve its wealth management products and services.
Yet, surprisingly, large institutions, especially insurers, are still at an early stage of data discovery. This includes identifying precisely where, and in what form and volume, Personal Data lies across their legacy data landscape. As a result, such discovery should be urged by legal counsel, along with a gap analysis on their processes and technology – at least to provide an in-flight road map for remediation.
Beyond sanctions – the business benefits of successful compliance
While defending against fines and reputational damage is undoubtedly front of mind for the private sector, there are a number of positive up-sides to effective GDPR compliance – all worth the attention of legal practitioners.
- Utilising GDPR compliance to improve operational efficiency
Deleting Personal Data whose retention was unwarranted has led two major UK insurers to proactively downsize the “dark data” they hold, which on average represents in excess of 30 per cent of all information held by corporates. This has resulted in reduced back-up and data storage costs and, in turn, increased ROI. Simultaneously, they have effectively cleansed data in anticipation of executing digital transformation initiatives.
- Applying GDPR as a bench-mark for better due diligence during M&A
This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.
- Contextual linkage of data in all formats for revenue gains
By ensuring compliance, organisations have the ability not only to facilitate replies to a Subject Access Request, but also to achieve greater goals from compliant data mining and value extraction – ultimately leading to enhanced revenues.
- Relating GDPR standards to other perennial internal security corporate issues
Cleansing data for internal issues regarding security provides organisations with greater visibility, clarity and prospect of advance warning – made possible by using Identity Access Management and encryption technology.
The GDPR paradox
For legal counsel, the GDPR has sparked a host of complex issues from both the regulatory enforcement and policy guidance side. However, for the perceptive, the regulation has, somewhat paradoxically, provided a key opportunity for executing key business goals and driving a competitive edge.