When the General Data Protection Regulation — a new EU-wide data protection framework that will replace Safe Harbor — was introduced by the European Union in December 2015, global companies such as Adobe cheered.
“We were hoping for one law that would finally govern all of Europe, instead of differing interpretations,” MeMe Rasmussen, chief privacy officer (CPO) for the software company, said at a RSA 2016 panel session.
The current text of the regulation, however, seems far from a one-stop shop: for starters, the 200-page document is made up of 50 different components. Moreover, the data protection authorities (DPAs), the national regulators of each EU country, have retained interpretive authority over each of these components.
“It was written by people who don’t run businesses. [Companies] have to look at it and figure out how we comply. … What they did was leave a lot open to resolution,” Rasmussen said.
GDPR aims to create stronger standards for data protection, but it won’t be finalized until later this year and won’t go into effect until 2018. This hasn’t stopped Adobe, along with Google and Microsoft (which were also represented on the panel), from already starting to consider the risks that could arise once the regulation is in full force.
Not only does the regulation’s sheer breadth make its terms hard to decipher, but it could also create a greater number of compliance obligations that spell significant risk for organizations. Moderator Trevor Hughes, president and CEO of the International Association of Privacy Professionals, cited one sobering statistic: the maximum fining authority given to DPAs and regulators in Europe amounts to 4% of a company’s annual global turnover.
So how are organizations like Adobe, Google and Microsoft looking at GDPR and preparing their responses?
Rasmussen said Adobe is still waiting for the dust to settle — which she doesn’t expect to happen soon. “We kind of ended up with a mixed bag and don’t yet know a lot of what we’re going to have to do. … We’re still waiting for guidance on what certain terms mean.”
Microsoft CPO Brendon Lynch said his company has been developing and investing in its privacy management program for several years, and views GDPR as an “incremental step” instead of a huge shift.
“The reality is, yes, there are more obligations and details to work out, but ultimately it feels like [Microsoft has] taken into account all the new requirements,” he said. “We’ll do a gap analysis against what we currently have. I’m sure there will be some places where we have to do some more.”
Lynch added that while he doesn’t intend to play down GDPR, it doesn’t necessarily change Microsoft’s security posture. It does, however, raise the stakes of failing to comply.
Microsoft also expects greater assurances from GDPR. “How can we get more assurance that all the controls we have in place are effective … that everything is working as they should?” Lynch said.
Keith Enright, legal director of privacy at Google, said that his company is fully aware of the diverse requirements of GDPR that it will have to decipher on behalf of its users.
“I don’t think we ever really deluded ourselves, given our experiences in Europe, that we would have absolute uniformity of law,” he said.
Enright added that Google and other global tech industry leaders must actively engage with DPAs and regulators in Europe around data privacy.
“[We need to] negotiate and draw out rationality and application as much as we can so that our interests are aligned with the DPAs’. We want to protect user privacy to the greatest extent possible, and GDPR gives us the framework,” he said.
One area in which Google will have more work to do under GDPR, said Enright, is developing its privacy programs so that they not only address the protection of users’ data privacy but also strengthen the transparency of the company’s compliance efforts.