June 21, 2018

GDPR: Top 10 implementation challenges

This week, the 10th International Programme of The Sedona Conference, a non-profit legal research and educational institute, took place. The theme of the event was cross-border data transfers and data protection - with a strong focus on the recently implemented EU General Data Protection Regulation (GDPR).

One of the early panel discussions featured in-house and private practice lawyers and representatives from global data regulators discussing the implementation challenges seen in the first few weeks since the GDPR came into force. These include:

  1. Governance and accountability: New provisions in the GDPR have created a need for enterprise-wide focus on data protection across the full processing life cycle.

  2. Enhanced data subject rights: The additional rights afforded to data subjects are proving to be a major challenge for controllers to manage, particularly in the context of cross-border data transfers where consent is no longer a viable ground to rely on in many cases.

  3. Transparency and information requirements: The level of information required to be provided to data subjects is substantial and controllers are concerned about the risks of getting this wrong. 

  4. Data portability and subject access requests: The burden on controllers has substantially increased and questions are already being raised as to how data portability and access rights overlap with concepts of privilege, confidentiality and intellectual property. The potential cost of SARs is a concern. 

  5. Records of processing activities: The requirement to maintain detailed records of processing activities under Article 30 is a particular burden. Some of the template records shared by Data Protection Authorities are deceptively simple. 

  6. Application to non-EU organisations: While there is some guidance on Article 3(2) in the recitals to the GDPR and some historic case law, non-EU organisations are keen for more guidance on the territorial limits of the GDPR. In borderline cases, some companies have taken a view that closing off services to European consumers may be preferable to falling foul of GDPR sanctions.

  7. Data protection impact assessments: Mandatory impact assessments are posing a new challenge and questions remain as to when they are required. For example, some controllers may engage in large scale personal data processing but only as an ancillary purpose or function. The extensive assessment process requires a cost commitment that may be difficult for smaller companies to bear. 

  8. Data breach notification: There is widespread concern that an abundance of caution on the part of controllers will see a flood of notifications to DPAs. This is likely to continue until regulators issue more guidance. Authorities fear that this wave of over-notification could defeat the policy objectives of introducing the breach notice requirement; controllers are equally concerned that notifications will lead to more litigation.

  9. Cross-border discovery: Litigators have raised the question of how Articles 48 and 49 should work together, particularly whether the existence of a mutual legal assistance treaty (MLAT) might mean that an organisation could not rely on the derogations in Article 49 to transfer data to third countries. The first part of Article 48 states that transfers “may only be recognised or enforceable in any manner if based on an international agreement”. However, later wording in the Article suggests a less restrictive interpretation by noting that it is “without prejudice to other grounds for transfer pursuant to this Chapter” (i.e. it does not prohibit data transfers which can be effected through other provisions of the GDPR).

  10. Enforcement against non-EU entities: In addition to doubts over the extent of the extraterritorial application, it remains unclear whether or how DPAs will be able to issue orders or enforce administrative fines against non-compliant entities without an establishment or assets in the EU.