An expert opinion on GDPR – MMV talked to Monika Kuschewsky.
Monika Kuschewsky is a partner in the global Data Privacy and Cybersecurity practice at Squire Patton Boggs. With over 15 years of experience in data protection, she now concentrates on GDPR with a special focus on topics like IoT, “Bring Your Own Device” policies, international data transfers, as well as customer and employee data protection. We had the pleasure of talking to her about her views on the GDPR readiness of companies around the globe and why GDPR is not the end of data monetization.
From your perspective as partner in a global law firm, what will be the implications of GDPR beyond the EU? Will other countries adopt similar regulations?
Already the EU Data Protection Directive, the predecessor of the GDPR, has been used as a standard in other regions of the world like Latin America or Asia, so I think there will be the same trend when it comes to the GDPR. Even more so, because of the higher sanctions and stricter enforcement under the GDPR – there are also a number of countries that want to enable their companies to still do business with Europe and will, therefore, follow the EU data protection framework.
Are the big multinationals from the US worried about GDPR at all?
They for sure are closely monitoring and following this process. They have already started to adjust their internal compliance frameworks to the GDPR, because they know they have to comply with the GDPR if they want to continue to offer their goods and services in the EU. In my experience, many big multinationals are already well advanced and have built internal teams dealing with the GDPR. By contrast, especially SMEs are still in the process of figuring out if they are even subject to the GDPR.
A survey conducted by Dell about a year ago found out that most companies are not ready when it comes to GDPR. In your experience, are companies more prepared today?
I think that a lot more companies are more advanced in their preparation today, but I would be surprised if there are any that are fully compliant, since there are a lot of issues in flux. Some aspects of the GDPR may be further regulated by national law, like data processing in the employment context, so companies are still waiting for national laws to be implemented on those topics. And the data protection authorities are expected to issue guidance. A lot of companies have started with auditing their current level of compliance and building a roadmap on how to become GDPR compliant by May 2018 and most companies have advanced on that work plan, but they are far from being ready. There are certainly more organizations that have taken steps than a year ago.
Nevertheless, we are still talking to businesses today that haven’t done anything regarding GDPR. This is not only the case for SMEs – also some larger companies are waiting for budget approval or are still trying to understand to what extent they will be subject to the GDPR and who should be responsible internally. Of course, today data protection has become an issue which is discussed at board level, but often there are no actions matching these discussions. Mostly the budgets are still the same as pre-GDPR, even though the complexity of the changes that need to be made would require higher budgetary commitments. Additionally, complicating the issue is the fact that the task of making an organization GDPR compliant is often given to a person who has other day-to-day activities, leaving them with little time for this complex matter.
In light of BYOD, shadow IT, or the rise of IoT devices – isn’t GDPR readiness of an organization more about education and less about strict processes?
In my view, it is a combination of both, as one does not work without the other. If you look at the statistics, a major reason for data getting lost, or being leaked, is employees not being familiar with rules or making mistakes. By training and increasing awareness you are reducing the risk, but you will never get rid of it entirely by just educating staff. The best training needs to be supplemented by processes and technical as well as organisational controls.
Just to give an example: You can allow your employees to bring their own device, but you will need to have a proper policy framework around it. Moreover, you need to ensure that company data is secured and, for example, only accessed through encrypted VPN channels or by using sandboxing technology.
How big of an impact do you think the stricter rules for consent generation have on new business, like data monetization?
These stricter consent rules are certainly posing a challenge for many new sectors and ideas such as data monetization. To the extent that companies depend on consent, certainly business will not get easier in that regard.
However, the first step should be to ask whether an organization can process personal data without consent; in other words, if there is another legal basis for data processing – because it is so difficult to obtain consent. However, there are a number of business models where consent is unavoidable. Then, it is a matter of coming up with creative consent mechanisms and tools, to make the consent experience as smooth and easy for the individuals as possible. But it certainly will not be easy.
Anyway, I would not want to say that this is the end of new business and data monetization. If I look at the consent rules, they are to some extent very similar to existing rules in Germany, and businesses in Germany have coped with those rules in the past. Overall, (new) business is all about inventing and creating new things and ideas, so I am confident that companies will come up with innovative ways to deal with it.