Expert Q&A: Frank Madden, Data Protection and Privacy Legal Counsel
We spoke to Frank Madden, a market-leading associate in our network who is currently working on Privacy, Data Protection and Intellectual Property at Fujitsu, about the key impacts of GDPR from a Legal Counsel perspective.
What do you consider to be the main challenges of GDPR from a Legal Counsel perspective?
The biggest challenge is a change of mindset. The GDPR is not the compliance-only regime that parts of the Data Protection Directive 95/46/EC, and the corresponding Data Protection Act 1998, were. That means the traditional arm’s length relationship between Legal Counsel and an organisation’s compliance function must end. This is due in large part to the accountability framework that the GDPR requires for all Data Controllers as well as Data Processors. Accordingly, the GDPR requires implementation and continuous monitoring of performance to ensure that processing activities under the GDPR have been recorded and can be demonstrated to regulators, and possibly even data subjects too.
Other challenges are the initial need to undertake a thorough gap analysis, the completion and maintenance of data mapping, as well as managing the enhancement of data subject rights under the GDPR, such as data portability and the ‘right to be forgotten’.
How do you see privacy innovations developing under the new rules?
Firstly, the innovations are quite stark when you consider that it was not until the year 2001 that the law of England and Wales would “recognise, and, where appropriate, protect a right of personal privacy” (Douglas and others v Hello! Ltd 2 WLR 992, Court of Appeal). Accordingly, privacy was previously the domain of the rich and famous. But under the GDPR, with its enhanced rights of protection for all data subjects, everybody matters.
Secondly, there are divergent paths emerging between ‘data protection’ and ‘privacy’ under the GDPR. The previous Data Protection Directive 95/46/EC used the term “right to privacy” no less than 8 times in its recitals. But in the GDPR, the word ‘privacy’ does not appear once within its 173 recitals nor within any of its 99 articles. Accordingly, innovations in regards to privacy are going to go well beyond just the GDPR.
Thirdly, in regards to data protection, there will be challenges, as the extraterritoriality concept of the GDPR – i.e. its global reach if overseas companies offer goods and services to EU consumers, or they monitor consumer behaviour – means that global organisations will have to plan their policies with the GDPR at their epicentre. The concept of “data protection by design” must be at the heart of any good or service offered in the EU, or when monitoring the behaviour of EU data subjects.
How do you plan to manage the new rules alongside existing compliance and regulatory obligations?
The existing compliance and regulatory obligations under the Directive 95/46/EC, and the corresponding Data Protection Act 1998, are a base upon which organisations can build. The keys to ensuring that organisations will be ready on the go-live date of 25th May, 2018, are: not to leave it too late; ensure senior management are fully engaged; and ensure adequate resources are allocated. The latter will be particularly relevant in the initial stages when a gap analysis must be undertaken by all organisations to fully understand the GDPR’s requirements, and where further resources may need to be allocated.
How can Legal, Compliance and Information Security teams effectively collaborate to ensure GDPR is embedded into standard processes?
Legal and Compliance will have to work effectively together, given the accountability requirement. As regards Information Security, Data Protection Law has never been specific about security measures. Indeed, under the current Data Protection Directive 95/46/EC, as well as under the forthcoming GDPR, it states only that any processing is subject to implementation of “…appropriate technical and organisational measures…” But neither the Directive nor the GDPR defines what is “appropriate”, nor does either provide any detail as to what “technical and organisational measures” are. For example, an individual’s bank details are not deemed to be sensitive personal data. Under the GDPR, as under the Directive, sensitive personal data requires a higher standard for processing. Nevertheless, we all demand the highest security levels for the processing of confidential data such as bank details. Accordingly, this will continue to obligate organisations to have sector-specific measures and processes in place, which the GDPR does not define. These security measures must be reviewed and updated regularly.
If you would like any information around our current opportunities across GDPR or how our associates can assist your business, please get in touch on 0161 457 1145.