Alejandro Padín, partner of Garrigues’ Corporate/Commercial Law Department and head of the IT, Data Protection and E-Commerce area, looks back at the first year of application of the General Data Protection Regulation (GDPR). He considers that, in this time, the new regulation has helped change businesses’ mentality, which has often led to a change in strategy. In his expert opinion, proper compliance with the Regulation requires an in-depth knowledge of legislation, experience in this area and awareness of data processing issues. He also believes that despite being a European regulation, it is having an impact in the United States, where many multinationals are voluntarily introducing privacy management requirements on a par with the GDPR.
May 25 marks the first anniversary of the date the GDPR took effect in all EU countries. What do you make of these last twelve months?
The GDPR has marked a change in mindset as regards the way businesses approach their data protection strategies. In some cases it has led to a change of strategy and in others it has caused a strategy to be implemented for the first time. This is very positive in itself, since the digital economy revolves to a great extent around the value of data and information and therefore not having a data strategy in place, or implementing the wrong strategy, means dooming the business to failure.
Has there been a big difference in the extent to which it has been implemented in the various EU countries?
In general, at a corporate level, there has been a similar reaction in all EU countries. This has been influenced by the fact that there is a single regulation for all of Europe, because even if a country implements its own legislation differently to others, the minimum compliance standard is already defined in the GDPR.
What is the level of compliance at companies?
This is difficult to assess and a distinction needs to be made between quantity and quality of compliance. I think I’m right in saying that a very large percentage of companies have done something to adapt to the new regulation. However, I fear that a significant number of these companies have merely implemented superficial changes and are now in a position where they appear to be compliant but are in fact concealing a serious breach of the regulation. This has led to a sudden influx of so-called consultants with little training and even fewer scruples, who in theory offer to help companies adapt to the regulation but in practice place these companies at serious risk of breaching the GDPR.
In what areas do most breaches arise?
Data protection is a cross-cutting business strategy. We cannot say that there have been more breaches in one area than in another, because if there is a breach, what is at fault is the company’s strategy as regards compliance (lack of training, failure to adapt correctly, etc.). What we do find are areas of greater risk that can give rise to breaches. In this regard, the areas most affected are those that process more data or more sensitive data, such as marketing, HR and IT. As far as fast-moving consumer goods are concerned, the sales or customer service areas are also affected. And at startups that generate data-driven disruptive businesses, the business development area.
What is the key to good advice?
As the GDPR itself indicates, proper compliance with the regulation requires an in-depth knowledge of legislation, experience in the area and awareness of data processing issues. These characteristics, which are attributed to Data Protection Officers (DPO), can be applied to all good privacy advice. The companies that have done the best job have increased the priority level of privacy management within their various business priorities. From the standpoint of the advisor, in addition to all these characteristics, it is also necessary to apply principles relating to data ethics, something which is crucial if we look at how the digital economy is evolving.
Has awareness increased?
Businesses are undoubtedly much more aware now. I believe that we can raise awareness in two ways: the best way is to convince ourselves of the importance of protecting the data we process in an organization, understanding its significance and the value that good data management can bring to any organization. The other way, the fundamental way, is to know the risks involved in noncompliance.
What are the main legal questions that have arisen following its implementation?
There are many questions, often deriving from the new approach taken by the Regulation. The problem is that, in many cases, the GDPR does not establish a specific list of requirements to be met or a detailed procedure for complying with specific obligations. Instead, it provides a principle-based system for compliance, obligations based on unspecified legal concepts and general guidelines. The reason for this approach, something that we are unaccustomed to in our Napoleonic legal system, is so that the Regulation can be adapted to each company according to its risk level, which will always be different in each case.
What role are the DPOs playing?
The role of DPOs continues to evolve. Internal and external DPOs have different functions and a different approach. We are also seeing the emergence of service providers — again with few scruples and little respect for customers — who are setting themselves up as DPO, advisor and representative in cases of noncompliance, something the European Data Protection Board has expressly advised against, since it can give rise to clear cases of conflict of interest. In many organizations, DPOs are still finding their feet and their place in the organization. A DPO needs to receive proper advice in order to be able to fit comfortably into the role created by the Regulation.
Are the data protection authorities being strict (in Spain, the AEPD) in their supervision of effective compliance with the Regulation?
There has been a period of some flexibility in the EU as regards fines, but authorities in several European countries have recently started to impose fines. We have witnessed a bit of everything, from small fines of 3,000 euros to the largest fine of all, issued in France, of 50 million euros, as well as intermediate fines, such as the one levied in Portugal of 400,000 euros. In all cases the breaches were quite basic, such as a lack of transparency in the information provided to data subjects, or processing data without the appropriate safeguards. In Spain the fines imposed so far are similar to those imposed under the previous legislation. However, it is important to bear in mind that the maximum fines established by the GDPR are much higher. Moreover, the AEPD has also issued reprimands in several cases, giving the organization concerned the option of remedying any potential breaches.
What other effects has the approval of the Spanish Data Protection Law had? Are any other legal reforms expected?
The Spanish Law on Data Protection and the Safeguard of Digital Rights, passed in December 2018, supplements the GDPR with respect to aspects that the Regulation established could be regulated or specified at national level. Perhaps the biggest impact of the new Spanish law is its Title X, which safeguards digital rights and precisely deals with issues that are not addressed in the GDPR, but which are related to other rights that lawmakers considered necessary to protect technology and the digital economy. This includes rights of internet users, workers’ rights related to technology, digital wills, etc.
Do you believe that the regulation of data protection in Europe could hamper the activities pursued by companies vis-à-vis other markets such as the US market?
Curiously enough, in the United States, the GDPR effect is making many multinationals voluntarily establish privacy management requirements on a par with the GDPR. In addition, State and federal government authorities are already thinking about the need to issue a data protection regulation similar to the European one. The GDPR has already been emulated in some states, such as California, and others are moving in that direction. On an international level, countries such as Brazil have enacted laws that follow the lead of the GDPR, and others are likely to follow. It could be said that the GDPR is emerging as the international standard for data protection. By that I mean that in the short term this regulation could be seen as hindering competitiveness (limitations, cost of implementation), but in the long term it will offer a competitive advantage in terms of reputation and financially.
What effects does the privacy regulation have on other areas that have been regulated recently, such as the recording of hours worked by employees?
Any activity within a company that involves data processing is going to be affected by privacy legislation. The recording of hours worked is one of these areas, and it is naturally affected. Companies will have to ensure that the system they use to control the hours worked by employees does not breach data protection legislation. This is one of an increasing number of cases in which labor law advice has to be accompanied by good data protection advice in order to avoid risks.