April 2018

While data is being dubbed ‘the new gold’, the implementation of GDPR will give individuals increased protection and transparency. Guadalupe Sampedro explains

The General Data Protection Regulation (GDPR)1 comes into force on 25 May 2018.  Ever since the European Parliament approved the legislation in April 2016, its implementation has proved to be a major challenge for many organisations.

Data revolution

The GDPR has its advantages, the main one being that it has undeniably helped to give more uniformity to the fragmented data protection legal framework that we have had in the EU until now. However, it has also been the source of much upheaval, as organisations have been forced to dramatically change the way in which their businesses operate when collecting, processing and transferring personal data.

This shift in mindset and in the way in which businesses have to treat and perceive data protection is probably one of the most revolutionary changes that the GDPR has provoked within business organisations. Putting the GDPR into action has not been a smooth process in most cases. It hasn't been a question of just updating a couple of notices and policies; rather, it has necessitated deep structural and functional change within organisations.

New privacy function

Data-centric businesses have undoubtedly undergone an important transformation, but the GDPR's impact has also been felt strongly among non-consumer businesses traditionally less affected by data protection law. Personal data is now at the core of business processes, even if it is only a matter of processing employee data. In order to achieve this change, many organisations have had to dedicate resources to create a privacy function that never previously existed, and to establish a data governance structure aligned with the GDPR.

A large number of organisations have now had to appoint a data protection officer, and have been through the complex process of deciding how to create and resource that function. Some businesses have split their existing privacy functions into two separate divisions: compliance and legal. Others have created global networks of privacy 'champions' across their organisation in order to support their existing privacy functions.

Moreover, many policies, standards, procedures and notices have been amended or created from scratch. User experiences and sign-up flows have been updated. Vendors' management processes have been revised or implemented, and most contractual arrangements have undergone a thorough due diligence process.

It is evident that many of these actions have been executed with a risk-based approach. However, regardless of the risk appetite of the organisation in question, almost all of them have had to go through similar complex processes in order to ensure that they had at least a "decent" level of GDPR compliance by the 25 May 2018 deadline.

Post-implementation landscape

But what comes next? What should we do now and what should our priorities be? In the past two years, I have experienced the implementation of the GDPR from two viewpoints; as in-house counsel during the early stages of the draft legislation and as an outside counsel at a later, more advanced stage. From my perspective, 25 May represents the end of a complicated implementation process and the beginning of an altogether more complex period. Now is the time to test, rethink and update.

Organisations that still have unfinished workstreams that need to be completed in order to deliver the GDPR will have to focus on concluding these within the next few months. But it is almost certain that, at the same time, users, employees, works councils and regulators will start to test the waters to see if organisations have been able to properly comply with the GDPR.

As a result, user/employee procedures should be a priority. Organisations need to be ready to revisit the processes they implemented months ago to make sure that they work in practice. And, unfortunately, bearing in mind the potentially substantial financial penalties envisaged by the GDPR (see panel), compliance cannot be left to trial and error.

Policy and consent updates

Organisations should have already carried out the work of updating existing privacy notices, policies and consents before the deadline, and by extension they should have ensured that all existing websites, apps, contracts, terms of service, consent forms etc. have also been properly updated. If this is not the case, then this should be done as soon as possible. It will be very easy to assess if a company has correctly complied with the GDPR by reviewing online whether these types of documents have been updated recently. In addition, records of processing, privacy impact assessments, legitimate interest and lawful basis schedules need to be regularly updated and reviewed every time a new processing activity takes place. The initial ‘right to be forgotten’ or ‘portability right’ requests will be highly scrutinised by the individuals demanding them, but they should also be subject to a very thorough internal inspection within the organisation.

“Personal data is now at the core of business processes”

The experience gained with these preliminary requests will help to improve the efficiency of existing processes, as well as ensure that it is indeed possible to rely on them.

The same applies to all the other actions that have been implemented within an organisation: Have policies been properly implemented? Have principles been effectively cascaded down to the business? Is our privacy function sufficiently resourced? Have we tested our security incident response programme? This post-implementation review process is crucial to ensure that the privacy programme created around the GDPR is working in an efficient and compliant manner.

However, in the same way that the privacy programmes need to be tested, now is also the time to test the GDPR. In the coming months, we will start seeing the first enforcement actions from data protection agencies, as well as the first court rulings. This will allow organisations to revisit their risk assessments and to correct processes in light of enforcement actions and judicial decisions.

Moreover, most organisations have opted to implement the GDPR in a consistent manner across all of their European operations. Now is also the moment to progress the project to a second stage and assess whether the actions implemented are also compliant with any additional local requirements, as well as with new guidance issued by local regulators.

Future proofing

If the above isn't enough to deal with, organisations should also keep an eye on the new EU ePrivacy Regulation2, as this new piece of legislation, when finally approved, will create the need for additional changes.

In conclusion, we can see that there is still much work to do ahead to make sure, on the one hand, that the GDPR has been properly applied within organisations, and on the other, that it is appropriately updated. To a great extent, the success of a GDPR privacy programme will depend on a company's ability to survive future organisational changes. Indeed, a reliable and robust programme should be treated and respected like any other core organisational function, and should ideally remain in place for years to come.

Guadalupe Sampedro is a partner in the International Privacy & Data Protection Practice at the international law firm Bird & Bird

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

  • Enforcement date: 25 May 2018
  • Approved by EU Parliament on 14 April 2016 (directly applicable to all EU Member States)
  • Regulates the processing by an individual, company or organisation of personal data relating to individuals in the EU. It also applies to entities established outside of the EU that target their products or services at and/or monitor the behaviour of individuals in the EU
  • Enforced by Data Protection Authorities (there is one in each EU member country)
  • Opt-in is the new rule for consent
  • Increased information has to be provided to the individual on data destination
  • Companies need to implement sophisticated processes to be able to grant individuals rights to portability and rights to be forgotten – i.e. delete all records
  • Organisations must implement data retention policies and procedures, especially when they have global operations
  • Most data breaches now need to be notified to Data Protection Authorities within 72 hoursBreaches of the GDPR can be punished with monetary penalties up to €20m or 4% of the global turnover of the entity


Regulation (EU) 2016/679



1 See http://bit.ly/2nTZWUz at ec.europa.eu
See http://bit.ly/2j4AwzT at ec.europa.eu

Guadalupe Sampedro

Partner, International Privacy & Data Protection Practice | Bird & Bird

Guadalupe Sampedro

You might be interested in

This website uses cookies in order to improve user experience. If you close this box or continue browsing, we will assume you agree with this. For more information about the cookies we use or to find out how you can disable cookies, click here.