In a recent article in Compliance Week, Intellectual Property senior associate Sarah Simpson discussed what companies will need to consider over the next year when complying with the General Data Protection Regulation (GDPR).
Sarah predicted three trends that companies will need to consider: 1) cleaning up "data graveyards," or old and unused personal data that is stored on company servers, as regulators increase scrutiny of data retention practices; 2) appointing representatives in the European Union and/or United Kingdom if processing citizens' data in either market when the company does not have a physical presence there; and 3) sharing data roles and responsibility.
"Given the GDPR purposely gives EU countries a fairly broad discretion in many areas of the law — including penalties — we will certainly observe a growing disagreement," Sarah said. "Since May 2018, it has become apparent the role of a single data protection officer (DPO) can be a mammoth task and responsibility needs to be shared." Sarah added this responsibility should be shared across assurance functions such as human resources, legal, compliance and marketing, and that organizations may need to create new roles.
While experts are concerned about how the European Commission will align the GDPR with emerging legal technologies and how personal data could be exploited in the future, neither the European Data Protection Board nor the national Data Protection Authorities have issued practical guidance on how the GDPR can accommodate such technologies.
European Data Protection Authorities expect that the GDPR will be flexible enough so that changes can be made to keep it current while working with other complementary legislation to address specific privacy or technological issues. Another issue will be the differences in enforcement approaches between national Data Protection Authorities.