E.U. To Executives: Relax On GDPR
The European Union’s tough new General Data Protection Regulation (GDPR) has caused much hand-wringing and teeth-gnashing among executives in Europe and here in the United States. Failing to comply with the rules carries the possibility of enormous fines: up to about US$26.6 million.
As a GDPR attorney and software lawyer with American clients who either sell software to European customers or maintain data here on customers in the E.U., I’ve been advising them that GDPR is a serious management issue that too few have been paying close attention to. Moreover, a number of misconceptions have popped up surrounding GDPR and about what American companies must do, or don’t have to worry about.
Apparently, the concerns being voiced by executives have been heard in Brussels: just before the Easter break, E.U. officials were busy trying to reassure businesses. European Data Protection Supervisor Giovanni Buttarelli told U.S. media that “having a long-term plan will go a long way” in avoiding the massive GDPR fines. He further stated, “Regulators will be flexible and understand what is going on at each company. If they get the basics right, they are off to a good start.”
And Irish Data Protection Commissioner Helen Dixon added that it would be hard to bring an enforcement action against a company that is making a “best effort to comply.”
These comments should go a long way to reassure companies as long as they are following the basic parameters of GDPR and adjusting their software and systems to meet the requirements. Meanwhile, regulators are still sorting out the essential elements of some of GDPR’s provisions such as data portability, the pseudonymization of data and privacy-by-design.
This doesn’t mean U.S. companies are off the hook. Software providers and integrators need to keep working at implementing software that enables end users to meet the essential requirements of the GDPR even if regulators are still grappling with a handful of thorny issues and are willing to give a pass to businesses trying to comply.
If you have concerns or questions, contact a GDPR lawyer who is familiar with the rules and can advise on whether you would be seen as making “a best effort to comply.” After all, the Data Protection Officers are saying relax – but they aren’t saying to just let the requirements slide and hope for the best.
By Marcus Harris