Race against time

Editorial Type: Opinion | Date: 01-2016 | Views: 1522

Leading privacy lawyer Lokke Moerel offers her thoughts on the challenges behind the EU's data protection laws

Under the current EU privacy laws, controllers are the addressees of the security requirements, and any enforcement takes place against controllers, who risk being fined if the security implemented by their service providers is not adequate. Under the new regulation, processors will become directly subject to requirements relating to data transfers, security, appointing a data protection officer and recording their processing activities.

This shift makes processors prime targets for enforcement, given that enforcement against processors (which serve many customers) will be more efficient than the current situation, where DPAs have to investigate the controller, which in turn would audit the service provider on the basis of the processor agreement.

How long will it take companies to adjust to this new reality, and to the severe penalties they face if they fail to do so? Overall, the GDPR will require significant reworking of privacy programs, including for many companies currently not subject to EU data protection law. The GDPR now also covers service providers established outside the European Economic Area that process personal data of EU individuals, where this relates to the offering of goods or services to such individuals or to the monitoring of the behaviour of individuals in the EU. US websites that offer services to EU individuals will therefore now be subject to the GDPR.

Companies should not wait until the end of the two-year implementation period to focus on these changes, given the additional powers of the DPAs and the potential significant fines up to 4% of global revenues. The changes required by the GDPR are substantial and will, on average, take the whole 2-year implementation period.

The Commission's goal of lowering the administrative burden for controllers and processors has not been achieved. The GDPR, in many ways, creates additional administrative requirements for controllers and processors, such as keeping detailed records of their processing activities and, in specific cases, appointing data protection officers and performing extensive impact assessments.

The main goal of the GDPR to achieve one uniform law for all EU Member States has not been achieved. Companies working cross-border will therefore still have to check national laws in many areas. For example, the GDPR defines children as younger than 16, but each member state can lower this age limit (but not below 13 years).

The GDPR promised that multinationals would be supervised by one lead DPA, namely the DPA of their main establishment, saving the cost and effort of having to deal with different DPAs for the same cross-border data processing. This 'One-Stop-Shop' has not materialised. The lead DPA has turned out to be more of a 'first among equals', coordinating the efforts of the other DPAs rather than being in charge.

Lokke Moerel, one of Europe's best-known privacy lawyers, is with Morrison & Foerster, a law firm that handled five of the largest seven data breaches in the world during 2014-2015 and which regularly counsels the largest multi-nationals in the world.
