Data – the gold of the 21st century: Data protection lawyer Silvia C. Bauer looks at the roots of the GDPR and its challenges for business
“The difference between the EU and other countries,” says Luther partner Silvia C. Bauer, privacy specialist and External Data Protection Security Officer, “is that we have a history of protecting the personality and privacy of our citizens. In fact, you might even say that Germany has exported our approach to data privacy to the rest of the EU.” The first court ruling safeguarding data privacy was made in West Germany in 1983.
This fundamental principle – that everyone has the right to the protection of personal data and to decide who shall handle their data, and for what purpose – is key to the EU’s understanding of data protection, and it is the basis for the “General Data Protection Regulation” (GDPR), which comes into force on 28 May 2018.
It also separates the EU from the US, where traditionally data has been owned by companies and not by individuals. Despite the recent Privacy Shield agreements with the US, Ms. Bauer’s experience is that multi-national companies remain uncomfortable as to whether they are fully compliant with EU requirements and are turning to specific contractual clauses, the so-called Standard Contractual Clauses provided by the European Union, to govern this aspect of their trans-Atlantic business relationships.
The UK has committed to opting in to the GDPR, or at least to providing an adequate level of data protection. But again, says Ms. Bauer, there is some scepticism as to whether the UK’s commitment will be too limited. “The UK has eight data protection principles,” she adds. “In Germany, we currently have 44 paragraphs – with more to come! And this complex legal system is reflected in the GDPR.”
It’s reputation, not only fines
Ms Bauer sees that companies are worried about more than the fines which will be payable for data breaches once the GDPR is in force. It’s reputational risk. If a company suffers a major data breach, everyone will know about it and its position in the market will suffer accordingly.
“Whatever its size, a company needs an up-to-date risk assessment of its data management processes and an emergency plan to deal with any failures or breaches. It’s essential for a company to understand how it shares information about data flows and data use. It also needs a system in place to notify both the individuals affected and the supervisory authority in case of a breach. The GDPR casts its net very widely. If you sell products or services to people in Europe, you’re caught.”
For example, one of Ms Bauer’s clients, Imperial Tobacco, has its headquarters in the UK but operates globally. The company has already confirmed that it will implement the regulation independently of any action that may be taken by the UK government.
European compliance rules – a Pandora’s box for international companies
“But even a company which only holds data on its employees or on B2B transactions can be sanctioned: penalties will apply to CEOs and Managing Directors. In future, not only data controllers but data processors – Cloud providers – can be sanctioned,” she adds.
“If challenged, you must be able to prove you are compliant. If you can’t prove it, it will be assumed you are in violation. This can lead to an in-depth audit by the supervisory authority, who will look at all your processes. Do you have a Data Protection Officer? Have all necessary consents been obtained? Have appropriate contracts been signed? Is there a procedures index? It’s a real Pandora’s box, with the possibility of sanctions, claims for damages and having to respond to formal complaints.”
In her role as an External Data Protection Officer, Ms Bauer sees particular challenges for the pharmaceutical industry in managing highly sensitive patient and consumer data. “The GDPR defines ‘data concerning health’ and is very specific as to when this data may and may not be processed. Member states will be able to introduce their own restrictions, locally, and there are also concerns as to how pharma companies will manage the exchange of data within and between countries where data protection is inadequate.”
Crucial lessons from Germany
European Works Councils also have a key role to play in data management and particularly in Germany, they are well informed: “They know more and they challenge employers. With employee data being stored in the Cloud, Works Councils are monitoring, for instance, the technical security of the data to ensure it is being handled in legitimate ways. The same is true for access to employee data: only persons with a valid ‘need to know’ can have access. This means exchanging employee data between different companies, even within a company group, must be legitimated. Works Councils are requiring information about who has access, and how, to employee information, as well as clarity about the purpose of any data exchange.”
There is, of course, another option: not to transfer data. The headline example is Office 365 Germany, in which (as explained on its website) services are delivered from German data centres, all customer data is stored in Germany, and an independent German data trustee controls data access. The structure allows Microsoft to access the data only in very limited cases, and only with the customer’s prior consent. It specifically excludes requests to transfer German data to the US authorities. For German customers, this is a very attractive model because transferring personal data to the US authorities without a sound legal basis in European law might be considered illegal.
Silvia Bauer and her Luther colleagues are, however, well placed to offer advice. “Because the GDPR has its roots in German law, not only companies but UK lawyers are getting in touch with us for advice on the new requirements. Companies know that data is the gold or the oil of the future, but unlike gold or oil, it is not theirs alone. And if you think compliance is expensive, you should try being non-compliant!”