Data protection risks: shifting from carrots to big sticks to enforce compliance
In the absence of significant enforcement and serious sanctions, data protection laws were often found at the bottom of the compliance function’s priority list. The GDPR is changing all this. In about one year from now, the EU General Data Protection Regulation (‘GDPR’) will impose more detailed obligations on companies, backed by almost draconian enforcement instruments: the maximum fines for breaches of the GDPR will rocket to amounts as high as 4% of a company’s worldwide turnover (or 20 million euro, whichever is higher).
The issue with the GDPR is not that the requirements are all that new; the real problem is that personal data is processed everywhere, by everyone – and generally not in a compliant manner.
So first and foremost, there is a lot of catching up to do for organizations that want to manage their exposure under the new rules. The General Counsel has an important role to play here. One of the things (s)he should bear in mind (and probably explain to management) is that data protection compliance is not something the lawyers can “deliver” by themselves. At the end of the day, processes and priorities will have to change: managers will have to delete old CVs and application letters from their folders, the IT department should ask their vendors to minimize the personal data stored in new systems, and the marketing department will have to get a grip on their CRM and limit the processing of personal data – just when they have started to use “Big Data”. And the CEO will have to realize that (s)he should not have access to transaction data or employee records, simply because CEOs typically don’t have a “need to know”.
Change management and corporate culture
Roughly speaking, about 70% of GDPR compliance is about change management, 20% about technology and 10% concerns the “legal bits”.
And for change management to be successful, one should start with the company’s culture. There is a lot of talk about software tools, policy frameworks, governance structures and the right privacy strategy, but that is only the easy and most tangible part.
GDPR Game Plan
A first step that usually makes sense is to work on a detailed understanding of the company’s personal data flows. Making an inventory of the personal data that is being processed and the grounds on which this is done kills two birds with one stone: it is instrumental for prioritizing your action items and it satisfies the “data mapping” requirement of the GDPR.
What the rest of the GDPR game plan should look like depends largely on the company’s corporate culture. For instance, a centrally managed, hierarchical company could probably define quite detailed policies and standards for the common data processing operations and “push” them into the organization. That is unlikely to be as effective in a decentralized organization, however.
Because of the importance of the individual corporate culture, our experience is that there is no “one size fits all” GDPR Game Plan. Example plans, tools and templates, such as the GDPR Game Changers package developed by Baker McKenzie, can support in-house counsel and GDPR project managers in crafting a game plan that fits their organization.
Since successful day-to-day compliance will always heavily depend on ‘the business’ (see graphic), any game plan should also address a proper handover to and maintenance of the GDPR processes by the business owners. In order to be ready for this challenge, the time is now for General Counsel to kick off their GDPR project with a multidisciplinary team.
About the author:
Wouter Seinen is a partner in the IP/IT & Commercial Practice Group of Baker McKenzie Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data.
Seinen has a particular interest in all internet-related issues on the subject of intellectual property rights. Seinen’s practice focuses on complex licensing and partnership contracts, business process outsourcing projects, manufacturing and various internet-related issues involving data protection, copyright infringements and database rights. He is also a litigator who is experienced in automation projects and relevant litigation, arbitration, mediation and negotiations. His practice also involves data protection law and associated compliance matters, such as data security and data breaches.