Thank you for sharing!

Your article was successfully shared with the contacts you provided.

With the European Union’s General Data Protection Regulation (GDPR) set to go into effect in less than a year, companies and in-house counsel have been considering the implications – and the massive potential fines – for some time now.

This premium content is reserved for
Legal Week Subscribers.


  • Trusted insight, news and analysis from the UK and across the globe
  • Connections to senior business lawyers within the leading law firms and legal departments
  • Unique access to ALM's unrivalled, market-leading reporting in the US and Asia and cutting-edge research, including Legal Week's UK Top 50 and Global 100 rankings
  • The Legal Week Daily News Alert, Editor's Highlights, and Breaking News digital newsletters and more, plus a choice of over 70 ALM newsletters
  • Optimized access on all of your devices: desktop, tablet and mobile
  • Complete access to the site's full archive of more than 56,000 articles

Already have an account?

For enterprise-wide or corporate enquiries, please contact Paul Reeves on Preeves@alm.com or call on +44 (0) 203 875 0651

Law Firms Mentioned

<a href="http://www.almcms.com/contrib

    /uploads/sites/378/2017/10/GDPR-Article-201710192150.jpg"><img class="alignleft size-full wp-image-68759" src="http://www.almcms.com/contrib

      /uploads/sites/378/2017/10/GDPR-Article-201710192150.jpg" alt="" width="620" height="372" /></a> With the European Union���s��<a href="http://www.corpcounsel.com/id=1202783764745/The-EUs-General-Data-Protection-Regulation-GDPR">General Data Protection Regulation</a>��(GDPR) set to go into effect in less than a year, companies and in-house counsel have been considering the implications ��� and the��<a href="http://www.corpcounsel.com/id=1202787291207/Answers-to-Critical-Questions-About-Enforcement-of-the-EUs-New-GDPR-Privacy-Law">massive potential fines</a> ��� for some time now. But with the May 2018 date looming, what are legal departments doing to prepare? At the Association of Corporate Counsel���s annual meeting, in-house counsel offered some of their strategies used to get ready for GDPR requirements. Privacy impact assessments (PIAs) are required under the GDPR in certain situations, and this process essentially describes where data is, what it is used for and in what context.��<a href="https://www.mcdowellpurcell.ie/legal-blog/privacy-impact-assessments/" rel="nofollow">PIAs are required</a>��when a processing operation could pose a high risk to individuals, and should identify processing operations, analyse risks, review whether processing is in compliance and outline measures that are thought to address any risks. One resource for in-house counsel when dealing with uncertainties is regulators, who can provide guidance on PIAs and the GDPR, in general, according to panellist Lisa Zolidis, privacy counsel for the Americas region at Dell. ���As you���re coming up with different ways to tackle different parts of the GDPR, one way to test these potential best practices is to get a meeting with the data protection authority and to walk them through [those],��� she said. ���And it might be a situation, [and] there have been situations recently, where the data protection authorities are just now learning the practical effects of some of the overarching directions in the GDPR,��� she added. ���And in talking that through��� they are able to then maybe have a learning opportunity, or maybe give some additional guidance.��� One challenge for in-house counsel when it comes to PIAs is in addressing risks while not slowing down the business, said panelist Whitney McCollum, assistant general counsel of data privacy and technology at global engineering design firm AECOM. It might not be well received, she said, when counsel step in to analyse risks by way of a PIA as the business is looking to launch a new product. ���The advice I���ve seen so far��� is first, as much as you can, get on people���s radar early. Get on the procurement team���s radar, any of your development teams, and say, ���Look, GDPR is coming��� and then scare the pants off them with the fines,��� McCollum said, noting that violating GDPR obligations can result in a fine of up to 4% of a company���s annual global turnover, or ���20m, whichever is greater. <blockquote>The heavy processing requirements on corporations doing business in Europe are tremendous. It really does pose a challenge</blockquote> As far as the PIA itself, McCollum said, to the extent possible, ���make it simple���. Find out what data is being collected, create a simple checklist of all the possible data collected, what���s the data used for, and so on, she elaborated. For some in-house lawyers, the tools to simplify this process may already exist within the company, said panellist Laura Hamady, head of global legal privacy at PayPal. ���When you kind of roll up your sleeves on this project, I think you���re going to find that there are many intake processes that already exist organically throughout the business.��� To simplify the process, Hamady said, ���try to standardise��� and ���try to embed the same set of questions��� across the board, when possible. And in many cases, such as when processing is carried out by a public authority or when a company conducts ���regular and systematic monitoring of data subjects on a large scale���, a data protection officer must be appointed. For some companies, it may be easy to say a data protection officer is required, but for a number of companies, it is fairly ambiguous. What should a company facing uncertainty do? Zolidis echoed her previous comment that regulators can be an excellent sounding board for in-house counsel. ���This is one of those areas that if you do think that you���re in a grey area and you���re not sure��� you may consider talking to your lead regulatory authority, your lead data protection authority, and vet it out,��� she said. ���I say DPO if you can,��� McCollum said. ���Unless you are absolutely certain that you don���t fall into these categories, then I���d assign someone to be your DPO.��� Adding to the complexity of this position is the concern that the DPO may be difficult to terminate because of certain privileges afforded to this role, as well as the question of whether to keep the role in-house or to hire someone from outside the company to fill the spot. ���We don���t have an external DPO��� but if we did appoint one, it would be our privacy counsel, who we���ve been working with for a number of years,��� McCollum said. ���They wouldn���t just be the person you shoot an email off to to get an answer. They���d be an integral part of the team.��� McCollum added: ���Something to keep in mind if you���re using an external firm is that there is a cost aspect of that in paying outside counsel fees, but you also get the expertise with that, and you also get their knowledge of what other companies are doing." <a href="http://www.almcms.com/contrib

        /uploads/sites/378/2017/10/Noreen-Krall-CHIPS-Article-201710192150.jpg"><img class="alignright size-medium wp-image-68758" src="http://www.almcms.com/contrib

          /uploads/sites/378/2017/10/Noreen-Krall-CHIPS-Article-201710192150-300x180.jpg" alt="" width="300" height="180" /></a>Meanwhile, at this weeks ChIPs Women in Tech, Law and Policy Global Summit in Washington DC,��Apple chief litigation counsel��<a href="http://www.therecorder.com/id=1202767542637" target="_blank" rel="nofollow">Noreen Krall</a>��(pictured right) underscored the��<a href="http://at.law.com/ByepKS" target="_blank" rel="nofollow">challenge companies face</a>��as they set up systems to handle consumer requests for the removal of personal data and to obtain consent for the collection of certain information. <p dir="ltr">���Basically it puts heavy, heavy processing obligations on companies,��� to deal with requests concerning the handling of consumer data, Krall said. She added: ���So the heavy processing requirements on corporations doing business in Europe are just tremendous. It really does pose a challenge.���</p> <p dir="ltr">The regulation is sweeping, Krall said during the panel discussion, which was moderated by Caroline Krass, a former general counsel to the CIA��<a href="http://www.nationallawjournal.com/id=1202786072723" target="_blank" rel="nofollow">who now leads</a>��Gibson Dunn &amp; Crutchers new national security team.</p> <p dir="ltr">"The challenge is that it applies to all personal data, meaning any data that can be used, ultimately, to identify who you are. So it���s far beyond your name, your Social Security, your bank account. It���s your IP address, or your device ID, or a reference number to a customer, or a complaint or question that you brought in. For any organisation, beyond tech, it just covers just about anything," she said.</p> <p dir="ltr">In the aftermath��<a href="http://www.nationallawjournal.com/id=1202800153089" target="_blank" rel="nofollow">of the Equifax hack</a>, which compromised the personal information of nearly half the adult US population, corporate lawyers and others in the cybersecurity community have been buzzing over the European regulation���s requirement that companies inform regulators within three days of any reported data breach. That measure goes significantly further than what is required in the US.</p> <p dir="ltr">Krall said the European regulations standards for obtaining consent to collect and use personal information would be felt by consumers, and perhaps not always appreciated.</p> <p dir="ltr">���The customer experience is going to be potentially dramatically changed by these regulations. It���s almost as if governments are dictating the enterprise design or system design or consumer experience,��� she said.</p> <p dir="ltr">Krall said she envisioned consumers signing up for a music service and, ���all of��a sudden you have to give your informed consent on very clear, very visible ��� OK, you can track this, you can���t track that. Don���t track my likes, track my plays.��� There���s all of that information.���</p> <p dir="ltr">���It���ll be interesting to see how it will work when it���s enacted,��� she said.</p> <ul> <li><strong><a href="http://www.almcms.com/contrib

            /uploads/sites/378/2017/09/LegalWeek-CONNECT-1.jpg"><img class="alignright size-full wp-image-68658" src="http://www.almcms.com/contrib

              /uploads/sites/378/2017/09/LegalWeek-CONNECT-1.jpg" alt="" width="150" height="107" /></a><a href="http://legalweekconnect.com/">LegalWeek Connect</a> ��� a��business conference for business people in law firms, featuring a <a href="http://legalweekconnect.com/speakers-full">big-name line-up of speakers</a> ��� is taking place��on 29-30 November at Londons Institution of Engineering and Technology.��<a href="http://legalweekconnect.com">Click here to find out more</a>.</strong></li> </ul> <


                Cyberlaw: Intellectual Property in the Digital MillenniumBook

                For nearly three hundred years, copyright laws have targeted those who illegally copy protected works. Today the legal framework also takes aim at those who defeat pr...

                Get More Information

                Banking Litigation & Regulation Forum 2020Event

                Delivers the key insights and practical solutions to acutely address the complex minefield of UK banking litigation & regulation.

                Get More Information

                SuperConference 2020Event

                SuperConference is the premier forum for informing, advancing and inspiring today s General Counsel from Fortune 1000 Companies.

                Get More Information

                General Counsel Summit (GCS) 2020Event

                General Counsel Summit is the premier event for in-house counsel, hosting esteemed legal minds from all sectors of the economy.

                Get More Information

                Legal Week Newsletters & Alerts

                Sign Up Today and Never Miss Another Story.

                As part of your subscription, you can sign up for an unlimited number of a wide range of complimentary newsletters and alerts. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

                Copyright © 2020 American Lawyer Media International, LLC. All Rights Reserved.