What did the GDPR bring us? “A lot of compliance work,” most clients would say, after months of tough and challenging work implementing the European Union’s new comprehensive data protection regulation. In many cases that work is still unfinished. The prevalent view in the market is that the regulation is simply another compliance requirement artificially imposed on data controllers. But is it fair to say that the GDPR brought nothing but a very expensive compliance exercise?
We don’t think so. And these are the five most important reasons that we believe the application and implementation of the GDPR has added value to companies.
Business Process Review
A GDPR project, if it is done right, means a complete mapping of the company’s business processes. This is essential to identify all purposes for which personal data is processed, which is the precondition for identifying any gaps and compliance to-dos. The mapping exercise often identifies inactive and/or inefficient business processes, which can then be revised. Such reviews often reveal unused databases, which are ticking compliance bombs. Recently, the Danish company IDDesign was fined EUR 200,000 – among the largest fines imposed since the GDPR became applicable back in May 2018 – for retaining an unused customer database.
Cooperation Between Teams
The new “privacy by design” principle means that data protection aspects must be considered and built into the operations and products of companies. This principle requires different departments to cooperate from the start. For example, the legal teams responsible for privacy must be involved even at the project planning phase to ensure compliance with data protection requirements. We have seen many good practices at clients, with the IT and marketing teams establishing or reinforcing cooperation channels with the legal department. Involving the different departments in the early stages of ensuring GDPR compliance is much more cost-effective in the long term than doing so in the final phase, when it may even be impossible. The GDPR has introduced and demands this good practice, which is likely to benefit not only the privacy governance channels.
Modern Legal Concepts
The GDPR has incorporated many modern legal concepts developed in privacy practice over the last few decades, such as effective transparency and freely given consent. The preparation of GDPR documents requires more from lawyers than legal knowledge: marketing, corporate communication, and technology skills are also needed. In modern data privacy, “paper-wall-like” notices are considered misleading to data subjects, and only clear, to-the-point documents are considered acceptable. These practices are expected to have an impact on other areas of the law as well, such as consumer protection and contracts. Controllers are also encouraged by the GDPR to make the law visual (with privacy icons and infographics, for example) to enhance transparency, which can be a useful tool for communicating complex compliance setups to consumers.
Consumer Awareness and Trust
The May 25, 2018 deadline for the application of the GDPR in all EU member states received an unprecedented amount of attention from the general public and, as a result, awareness of data privacy rights has significantly increased. Consumers are looking for GDPR-compliant services and products, especially if the core of the service is built on processing their personal data. Companies that can communicate GDPR compliance and readiness can build stronger relationships of trust with their customers and will continue to have a competitive edge on the EU market and in third countries.
Unified Legislation
While country-specific legislation retained its importance after May 25, 2018, the GDPR has more or less unified privacy legislation in the EU. Internal and external compliance teams work with this common, “unified” legislation in dealing with the same (or very similar) challenges, which enables companies to use EU-level governance systems, solutions, and documents. Although compliance with local sector laws still needs to be ensured, especially in connection with special categories of personal data, companies are usually able to reuse their GDPR solutions with minor modifications. Therefore, the cost of a GDPR audit and implementation (which can indeed sometimes be significant) can be reduced and/or split between the jurisdictions where the same framework is applied. In addition, many significant non-EU jurisdictions such as India, Thailand, Ukraine, and Serbia are adopting GDPR-inspired privacy laws, which could enable companies to use their compliance frameworks and know-how in other markets as well (and, of course, vice versa).
By Zsombor Orban, Head of Hungarian TMT, and Daniel Nagy, Junior Associate, Kinstellar Hungary
This Article was originally published in Issue 6.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.