December 13, 2018
Kellie Johnson is Compliance Counsel for Ceridian with a focus on privacy. She has been instrumental in evaluating the impact of GDPR requirements on Ceridian and its customers.
The General Data Protection Regulation (GDPR) regulates the collection, use, and sharing of European Union (EU) personal data. “Personal data” has a broad definition, covering any information relating to an identified or identifiable individual.
The regulation affects any organization that processes European personal data, regardless of whether the organization maintains a presence in the EU, and it had companies around the globe scrambling to make practical sense of the requirements in an attempt to comply with the May 25, 2018 deadline, in the absence of clear direction from regulators. With a few months under our belt, regulators are beginning to shed light on various aspects of enforcement.
It’s been just over six months since the GDPR went into effect, and while we haven’t seen any fines in the neighborhood of the maximum €20 million or 4% of a company’s worldwide annual revenue, enforcement of the GDPR is in full swing. Here are some observations on GDPR enforcement so far:
GDPR compliance is an ongoing process. While many organizations focused on complying with one law in the months leading up to May 25, compliance is broader than one law – think privacy compliance – and organizations should take the approach of operationalizing the GDPR into their existing privacy programs.
Organizations will have to continue building on their privacy programs as more countries (and even U.S. states like California) upgrade their existing privacy laws or introduce them for the first time.
Several EU regulators attended the IAPP Europe Data Protection Congress in Belgium at the end of November, and indicated that organizations should not expect any big fines in 2018, but they will come in 2019. Some of the cases they are working on are cross-border cases that will take several months to resolve.
We’re also expecting the European Data Protection Board (EDPB) and the individual Member State DPAs to issue more guidance to help organizations comply with the GDPR.
Disclaimer: The information provided in this post is provided for informational purposes only and should not be relied upon or construed as legal advice and does not create an attorney-client relationship. You should review with your legal advisors how the laws identified in this post may apply to your specific situation.