Compliance With Looming GDPR Deadline Seen as Challenging
With the clock ticking toward May 25 implementation of EU general data protection regulation, work toward compliance is becoming an increased challenge that many businesses won't meet, said speakers Thursday evening at an FCBA CLE. Verizon's Anjali Hansen said an area of heavy lifting in GDPR compliance is ensuring suppliers are compliant, with the company having a 30- to 40-person team doing just updates to supplier contracts. "You take a lot of Advil ... and go through them one by one," she said.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Meanwhile, implementing Privacy Shield hasn't been met with a deluge of consumer complaints about their personal data's handling, experts said. FTC International Consumer Protection Counsel Guilherme Roschke said the agency has seen "less than half a dozen" since the mid-2016 implementation. Commerce Department Data Flows and Privacy Team Lead Shannon Coe also said there have been few complaints from EU citizens in the first year. An inaugural European Commission PS review found it was working but needed improvement (see 1710180001). Coe said the U.S. and EC are working on addressing those recommendations.
More than 2,600 companies are taking part in PS, with roughly 20 more joining weekly, Coe said. Those include U.S. subsidiaries of EU-headquartered companies. She said information and communications tech companies dominate, but other industries represented include healthcare, retail, aerospace and defense. Coe said companies taking part are rising as there's increased confidence in the framework. She noted the Swiss privacy shield that mirrors PS has more than 1,200 companies.
PS shows the need for countries to proactively address privacy mechanisms, Coe said. While 100-plus countries have privacy legislation, many others are considering it, and often looking to the EU as a model, she said. The Asia-Pacific Economic Cooperation's cross-border privacy rules system -- with five countries joined, Singapore in the process and China, Australia and the Philippines expressing interest -- creates a rival model of a multilateral framework that doesn't impose sameness on countries, speakers said.
As they work toward GDPR compliance, companies need to document due diligence efforts at compliance, Hansen said. She said the EU is likely going to be more concerned with blatant disregard than with those that can demonstrate good faith efforts at compliance. ACT|The App Association President Morgan Reed said smaller businesses are likely to be out of compliance with certain elements of the regime, but there likely will be forgiveness if they are straightforward with customers about how data is being used. He said GDPR Article 9 gives a carve-out to businesses that collect data on a limited basis or occasionally, but any use of analytics "is going to blow you through that in a heartbeat."
The rules have particularly strong provisions on consent for processing personal information, but there's not clear EU guidance on what consent means and what constitutes doing a good job on consent, said Joe Jerome, Center for Democracy and Technology policy counsel. There was disagreement over the regulation's benefits. Hansen said it goes "well beyond what it needs to" as regulatory overkill, yet brought more attention to data hygiene and good data processes. Given the penalties, she said, "Everyone gets it." Reed said the rules are a severe burden for small and mid-sized companies without money for a privacy compliance department.