LBB: What has been the hardest part of preparing?
BH: A lot of companies don’t realize what personal data they process. They may know pieces of what goes on, but in order to approach the GDPR appropriately, one of the first steps is to get your arms around exactly what data you process, what third parties you use to process it, where the data is located, etc. Everything else falls from that.
LBB: What is the role of in-house lawyers in this process?
BH: Usually in-house lawyers will be part of a team that is put together to work toward compliance. But it has to be a team. In-house counsel certainly can’t do it on their own. They can help guide the effort from a legal perspective, in terms of the actual requirements and regulations, and they can help pull together the various team members, but there are multiple operational, compliance and governance issues at play. Sometimes there’s a project manager along with the legal counsel, and sometimes the legal counsel will serve that function as well. I think they’re critical to the effort. Compliance with the GDPR is significant from a number of different perspectives, reputationally as well as potentially financially, given the penalties that can be involved.
LBB: Can you compare the GDPR to the U.S. rules on privacy?
BH: The U.S. continues to evolve much the way it has over the past few decades. We see states being a little more proactive in terms of legislation on things like biometric data, and they continue to be active in the data breach response area, which focuses on personally identifiable information. While popular opinion has continued to swell around appropriate handling of personal information, we haven’t yet seen any comprehensive privacy legislation make its way too far.
LBB: So the GDPR is a more up-to-date approach to data privacy than the U.S. model?
BH: I believe so. The nature of processing today is very complex and not readily ascertainable by an individual, nor is it necessarily understandable by an individual who’s not skilled in internet systems. So the notion of accountability is essential, since the consumers can't individually control or make decisions about how their data is used. Especially when data is not being controlled just by people anymore—increasingly, it’s also being processed at the direction of algorithms in the context of artificial intelligence. So the GDPR puts into place this notion of accountability that the processor of the data has to be prepared to demonstrate: compliance with fundamental fair principles of processing. You can’t just rely on the consumers.
LBB: What about vendors and service providers? Does a company need to ensure that vendors are in compliance with the GDPR as well? And if they’re not, could a company be held liable for the failures of its vendors?
BH: Absolutely. That’s very much the case under the EU system and under the U.S. system, traditionally. The primary data custodian—referred to in the EU as the data controller—has ultimate responsibility for processing personal data, and a lot of the requirements imposed on the vendors flow from that. So, for example, the data controller under EU law must keep records and be able to demonstrate compliance. And obviously they can’t do that if their vendors don’t also keep records. Data controllers must notify data subjects of breaches. And, of course, they can’t do that in every case if the vendors don’t notify them of breaches when they occur. So a lot of the requirements just flow naturally from the fact that the controller is ultimately responsible.
LBB: That would seem to be a big issue for many companies, because there’s growing evidence—as we’ll see in another article we’re running this month—that companies are not always clear on how involved they need to be in auditing and monitoring their vendors. Is that something you’re concerned about, and that you talk about with your clients? BH: Yes, this is a classic task for any data controller or data custodian. There are three aspects to handling vendor relationships appropriately with respect to personal data—and, frankly, it also applies to other confidential data. You’ve got to have diligence on the front end. You’ve got to have contractual protections. And then you’ve got to have some method of reasonable oversight or validation. And that series is baked into requirements even in the U.S., going back to the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act. It certainly is the case in the GDPR that that is expected of the controllers. Both the first and the last of those three aspects involve assessment of what risk is presented by a given vendor’s processing of data. The effort that goes into auditing or requiring reports from the vendor should be proportional to the risk associated with the processing.
LBB: Are there other tricky areas involving privacy that companies and their general counsel should be thinking about, but may not be?
BH: There are a number of stages to compliance. As I mentioned earlier, the first part of the exercise is to get your arms around exactly what personal data processing you do, and which parts of that data processing fall within the scope of the GDPR or other privacy law. Once you do that, there are different buckets to think about. For instance, take processor agreements under the GDPR. Those have to be buttoned up and complied with under Article 29. There’s the issue of data transfers. If you’re transferring data out of the EU, you’ve got to think of the requirements under Chapter 5. If you’re handling any sensitive data, you are faced with default prohibitions under Articles 9 and 10. Interestingly, sensitive data is defined differently in the EU, because they don’t have as much of a focus on identifiers. The EU focus for sensitivity has its roots more in anti-discrimination: things like race, ethnic background, religious affiliation, philosophical beliefs, association in trade unions. And underneath it all, you’ve got to comply with the fundamental principles of appropriate handling of personal data, and you have to make sure that you have a basis for processing the data to begin with. As a comprehensive scheme, the GDPR requires personal data protection to be taken into consideration from a number of different perspectives, both internally and in processing arrangements that involve third parties.
LBB: While the GDPR was about to roll out, we had the Facebook and Cambridge Analytica scandal explode in the media, further exposing the shortcomings of the way that U.S.-based companies handle customer data. Do you think that’s likely to spur legislation? There’s been talk.
BH: There continue to be spikes of interest within the public that are centered around big events, going back to the Target breach, when consumers started to get much more anxious about payment card data, and companies started to get much more careful about third-party service providers. Also, there was the Sony breach, where everyone woke up to the fact that not only might the cyber criminals get in and steal your personal data, but they might get in and set your house on fire, take all of your IP assets and shut down your communication systems. The Equifax breach was another major event, and then of course we’ve had Facebook. I think there will continue to be a lot of good thought around the need for privacy legislation, but we have yet to see anything concrete and comprehensive in the U.S. I think there will be a lot of learning from the fact that so much of American business is focused on the GDPR, and the GDPR requires a cultural shift in the way people think about privacy. And I think that that kind of approach, or something like it, is what’s going to be ultimately needed in the U.S., but it’s probably a little ways down the road.
LBB: it seems that some companies have already recognized that the GDPR applies to them and is superior to what we have in the U.S., and they’re taking steps to adopt it globally. Do you have a sense of how popular that approach is now?
Do you think that’s likely to catch on?
BH: I think it is likely to catch on, for several reasons. One is that there has been this explosive growth in the privacy profession in general. The International Association of Privacy Professionals membership has grown, year over year, by astounding levels. Privacy professionals continue to get certified, and there’s a real demand for them now, especially in Europe. So there are a lot more people thinking about privacy, and a lot more people skilled in working with privacy matters. That has a strong influence on its own. The other reason is that there are numerous privacy laws being enacted around the world—in Japan and Australia, for example—that are going to have an impact. Starting a few years ago, companies began to realize that they need to embrace a global privacy platform, because it is going to be hard to comply with all of these various requirements by segregating data and treating the data differently. It’s very difficult to treat an email that is sent from your U.K. office to an office in Brazil and is stored in the U.S. in compliance with any particular law. You really have to have a baseline standard that’s calculated to meet the best practices and the essence of the various laws involved.
LBB: Is this something you recommend?
BH: To the extent that companies can do it, they should definitely be thinking about that. Sometimes it doesn’t make sense from an economic perspective, because there are restrictions associated with the use of data that can be problematic for U.S. businesses. For example, the spam laws in the EU are fairly strict compared to those in the U.S. We have pretty much an opt-out basis for commercial email, but in the EU, the existing opt-in approach is going to become more ingrained, and that can put a serious impediment on the ability to communicate even with business contacts—and certainly with consumer contacts—in the way that most people do today with email.
LBB: On a personal note, I recently organized my high school reunion, and I realized that my classmates wanted to be in touch with each other. But because I’ve spent a good deal of time focusing on privacy issues, I also decided that I didn’t want to unilaterally give out email addresses to the larger group without individuals’ opting in. Some of them appreciated that. Some of them didn’t get it, or hadn’t read my explanation and didn’t understand why I’d excluded their addresses from the list I sent out. But the idea of opting in seems like an important thing to recognize now.
Next month, in Part Two of this interview, Huffman will talk about the right to be forgotten and other tricky features of the GDPR that have lawyers wondering how it will all play out.