A Q&A with Ian Birdsey of Pinsent Masons
The European Union’s General Data Protection Regulation (GDPR) has been implemented for over a year, and we can now start to understand just how this sweeping law is being enforced and the ways it has positively impacted data security. We posed these questions to Ian Birdsey, data protection specialist and partner of Pinsent Masons, LLP.
In your estimation, how many organizations are still not GDPR prepared or compliant?
If we look at European companies, we see many that have put some sort of compliance program in place in the lead-up to the regulation, but while it might be appropriate for pure compliance, they are unlikely to have an incident response plan, to have their data mapped, or to have internal responsibilities allocated for a crisis situation. All of the good work that should have been done in advance has not been done yet, so when it comes to managing a security breach, they are simply not ready. In the United States, on the other hand, my sense is that companies are aware of GDPR, but it doesn’t mean that the right steps have been taken. Typically, U.S. companies will have made written reference to GDPR in their policy and yet they will not have taken the view that it actually applies to them, which ends up being the worst approach, because from a regulator’s perspective it’s much worse to have referenced it but have only taken limited steps to be in compliance. There is, however, a good minority who have taken the proper steps to avoid being caught up in GDPR, who have turned on geoblocking, who have turned off all but American currency on their sites.
What has enforcement of the regulation looked like to date?
We are still waiting to get a deeper understanding of it. In Europe we’ve seen about 95 GDPR actions, about 60 of which came from Germany. The biggest fines came from Google—privacy and consent issues and not security breaches. So far, the GDPR compliance fines have been relatively modest, with the highest one being $240,000.
What has been most surprising about the enforcement so far?
I’d say it’s that so much has come from Germany. Germany has a very different system than elsewhere. It’s structured as a regional regulatory system, much like the U.S. state system, and not as a centrally regulated country like the U.K. Overall, I don’t think we’ve been surprised at the median amount of the actual fines, but maybe by how few actions have been taken. It seems that it has taken a long time to get to the enforcement stage. We do expect that over time regulators will build up their capacity and start to move more swiftly.
Is there a resource where you can review enforcement actions across all countries?
No, unfortunately. We have to work hard to look at published decisions and links to previous decisions. It can be difficult to track down breach reporting statistics. Without a central repository, it seems like a big opportunity lost. The whole idea of having the regulation is to have some consistency and create a deterrent effect, but without sharing the decisions and the basis upon which they are made, you are not achieving that objective.
What are some other challenges you’ve encountered with regard to staying compliant with the regulation?
The examples the regulators have given are often not helpful. They are very stark and obvious, and beyond that there is not much guidance, so when we go to the regulator to ask about whether we should report something, they tell us it’s a gray area and we should report. Then we hear complaints that there is overreporting. That’s the game we’re playing now.
Is data being better protected in your opinion?
I think it is. The regulation has driven up standards for security, and organizations have improved their posture in the lead-up to GDPR implementation, either because they had to due to an event in their past or simply because they want to prove compliance. My sense is that it varies across Europe, but in the U.K. we have a very proactive regulator who has been sophisticated about pushing out compliance messages and getting people to think proactively.
What are some considerations for organizations to better improve their regulatory and legal posture?
One of the key things for us when dealing with breaches is that our firm has relationships with the local regulators in every region, because there is no consistent approach across Europe. The same breach may actually require very different responses in different countries, so knowing and having local counsel and teams in every jurisdiction is critical. Another thing to be aware of is that litigation in the U.K. is on the rise, and the litigation risk has to be built into the breach response process from day one. It used to be the case that you could disclose more information when communicating with those affected by the breach, but now you have to be more cautious and guarded. Finally, the cross-border nature of breaches is very complicated and brings on a heap of new challenges. When it comes to GDPR, there is supposed to be this concept of a one-stop shop with a home territory, but rarely are multinational organizations so clearly delineated, and it can be very tricky to work out where the data actually lives when so many divisions around the world are sharing it. We’re just starting to encounter these issues, but we expect to see more of them.
We want to thank Ian for his thoughtful observations. GDPR is on the minds of many companies we assist, and their cyber risk insurers are paying especially close attention to the direction of both compliance efforts and the severity of regulatory enforcement. Ian’s comments underscore the value of having an actionable data breach response plan in place before the event occurs. I have personally known Ian and his work in the cyber insurance community for over a decade, and we appreciate his guidance on this evolving risk management issue.