Effect of GDPR yet to be felt, says law firm Hogan Lovells

Compliance with the EU’s General Data Protection Regulation (GDPR) is an ongoing endeavour, according to Eduardo Ustaran, co-director of the privacy and cyber security practice at Hogan Lovells.

“One could never regard it as a job done. Having adopted a GDPR compliance programme, organisations need to keep it alive without ever losing focus of what matters most and how the law is evolving,” he said.

Despite the fact that no multi-million euro fines have been imposed and many organisations have adopted a “business as usual” approach to GDPR compliance, Ustaran warned that this may change as the digital economy continues to grow.

“Complete certainty might be an unachievable goal, but being alert to the practical priorities and getting on with the work will go a long way,” he said.

In the second year of the GDPR, Ustaran said organisations should ensure that they are getting the basics right as a top priority.

“As regulatory guidance on some of the essential aspects of the law – from its extra-territorial applicability to the lawful grounds for processing – continues to pour in, determining the appropriate legal basis for the use of personal data has become an absolute priority,” he said.

“Regulators expect nothing less than a solid foundation matched by a wholly transparent approach through a clear and comprehensive privacy notice.”

In addition to ensuring they get the basics right, Ustaran said organisations should ensure that they should stick to the following five points:

1. Meet individuals’ demands: After the initial influx of data subjects’ requests in the early days of the GDPR, Ustaran said the pace of requests seems to have dropped to a ‘business-as-usual’ level.

“However, since EU data protection law is still primarily about putting people in control of their data, dealing with any requests from individuals seeking to exercise their rights under the law should always be a top priority,” he added.

2. Adopt a credible Data Protection Impact Assessment (DPIA) strategy: Out of all the new accountability requirements in the GDPR, aside from the role of the data protection officer, Ustaran said carrying out DPIAs is likely to be the “single most important factor” to ensure compliance with the law.

“For this reason, regulators often seek to understand how organisations are deploying DPIAs,” he said.

3. Engage with the regulators: One of the most significant features of the GDPR from a practical compliance perspective, said Ustaran, is its enforcement arrangements.

“Central to this is the One Stop Shop system of supervision, which gives a single regulator full authority to oversee the pan-European data processing activities of an organisation. This approach is still compatible with the data protection authorities. As a result, a well-thought out strategy for regulatory engagement will be essential for many organisations.”

4. Prepare for data security incidents: Ustaran said 72 hours to decide whether to report a data security incident is a very short timeframe and that experience shows that the most sensible way of dealing with the inevitable incident is to be ready.

“In particular, organisations should ensure they know how to assess the possible risk for individuals to determine whether to report it and, if so, how,” he said.

5. Legitimise global data flows: One of the unintended consequences of Brexit, said Ustaran, has been to highlight once again the importance of legitimising international data transfers.

“This is not a new issue, but adopting a workable and future-proof strategy to enable global data flows is a must. For many organisations, this may start with intra-group agreements and evolve towards BCR [binding corporate rules]. Whatever the mechanism used, it should be kept under review,” he said.