GDPR, What's in it for you?

27.01.2017

The GDPR is the single most important change in the data protection landscape since the 1995 Privacy Directive. It will have a profound impact on the way processing of personal data will be organized and how companies will prioritize the item of data processing on their corporate agenda. Companies involved in the processing of personal data having a connection with the EU will have no choice but to comply and respect the requirements.

Our Stibbe data protection team has been involved with privacy related matters for more than 20 years.

Over the last months, we have published a number of articles about the GDPR. We have combined our articles in one contribution.

In this contribution, and drawing upon our wide experience, we have sought to acquaint you with the key changes brought about by the new Regulation. Rather than seeking to paint an exhaustive picture of the new rules, we have taken a topical approach and have touched upon a series of carefully selected items which in our view are most representative of the changes brought about by the GDPR.

In addition, it should be underlined that the landscape of data protection is a very dynamic one and will always extend beyond a set of rules in a legal document, however impressive that document may be.

For example, the specific content and boundaries of the obligations and requirements will be further shaped by the guidance to be provided by the Article 29 Data Protection Working Party (“WP 29”). This platform, consisting of representatives of the various DPAs, has set forth a plan for the implementation of the GDPR, as part of which it will issue opinions on several priority subjects. Three sets of guidance have already been published, i.e. on data protection officers, on data portability and on the role of the lead supervisory authorities. Other topics that should be addressed in the near future relate to the notion of high risk, data protection impact assessment and certification. Going forward, the role of the WP 29 will be taken over by the EDPB (European Data Protection Board), which will continue to provide guidance and updates.

In addition, there is a broad call for standardization and for development of best practices across different industries. Various provisions of the GDPR reflect such a call, and the guidance provided by the WP 29 also calls for standardization and industry best practices. This is, for example, the case for the new data portability right: the WP 29 advises data controllers to technically implement a standardized approach in relation to application programming interfaces.

Likewise, the DPAs (Data Protection Authorities) will issue guidance and ensure compliance in a way that aligns the harmonized rules with other national laws, local customs, cultural expectations and sensitivities.

Finally, there is the role of the courts. While it is clear that national courts will have their role to play, it is hard to predict what their impact will be. It is fair to note that up until now, the role of national courts in shaping data protection law has been limited. The same can obviously not be said about the ECJ (European Court of Justice), which appears to be on a mission to further shape and progress the data protection landscape, especially at times where other European institutions appeared to have difficulty delivering on the subject. For example, in a series of unprecedented decisions, the ECJ has tackled very complex issues such as the right to be forgotten, the data retention issue, and the EU-US data transfers. At this very moment, applications for the rescission of the “Privacy Shield” have been introduced before the General Court.

All of the above mentioned factors will turn the data protection landscape into a very dynamic one. This means that companies, in seeking to comply with the GDPR, should ensure not only that they stay informed about the further developments and evolutions, but also that the processes, systems and tools they would select to secure compliance are sufficiently flexible so that they can be easily adjusted and refitted to embrace the new developments and evolutions. Our team will be on the look-out and we will report regularly on any important changes in the field.

And what is more, it is not just about complying with the GDPR as of 25 May 2018 and in a “forward looking mode”. The challenge posed is wider as companies today still suffer significant gaps in complying with the Data Protection Directive 95/46/EC and the implementing legislations. These gaps will first need to be filled in before thinking about the next steps to be undertaken for compliance with the GDPR. For example, companies will need to consider if the personal data which they have on record today has been collected and is being processed and retained in accordance with the currently applicable rules. If that is not the case, they may have a considerable historical compliance gap which will continue to undermine their state of compliance going forward. It is very difficult to build in a sustainable way if the foundations are not sound.

Companies are well advised to duly consider the relevance of data protection and understand that compliance has become a “must have”. Compliance is in fact not just a matter of law, it is also a matter of ethics. They should be ready to commit to their new obligations, and free up budget and resources. To this end, it is important that they adopt a very structured approach, in view of the limited timing available, and of the fact that this is a broader challenge that crosses all business lines and segments of companies. In view of the foregoing, only a company-wide approach makes sense. Rather than seeing all of this as a nuisance, companies should also see the opportunity in all of this, namely that compliance with data protection rules can be a quality label and a competitive advantage.
