In this Podcast, Joel Wuesthoff, Protiviti senior director with Protiviti’s Marketing group, talks about the new General Data Protection Regulation, which has just gone into effect in the European Union.
Hello, and welcome to a new installment of Powerful Insights. This is Kevin Donahue, a senior director with Protiviti’s Marketing group, and I’m pleased to be talking today with Joel Wuesthoff about the new General Data Protection Regulation, which has gone into effect in the European Union. Joel is a managing director with Robert Half Legal Consulting Services. Joel, thanks for joining me today.
It’s a pleasure to be here, Kevin.
Joel, let me ask you this first. I’ve been talking with some of our other leaders and experts about this as well. Now that the GDPR has gone into effect, what are some of the more common questions and inquiries you’re hearing in the market and receiving from your clients and companies that you’re speaking to right now?
Well, it’s not that much different than the questions that we had in May and, frankly, going back 18 months. We are starting to see inquiries from individual data subjects asking for either a summary of the personal data that a particular company is processing or asking that same company to delete all references to that individual’s name or information that may be spread across an enterprise. That is one of the biggest things that many of our clients are concerned about – how to respond to those types of inquiries.
But we’re still seeing a number of companies – and I think that this will continue through the fall – simply starting, believe it or not, their compliance efforts. I would say that on a given day, I probably get two or three inquiries from new clients saying, “We’re just getting our arms around this, and we feel that we may have some exposure. Where do we start?” We’ve had some early adopters and some mid-range of adopters, and now, the folks that are just catching up to speed.
I also wanted to ask you a little bit about the supervisory authorities in general in the European Union. There is this EU-wide regulation that’s now in effect. How does the jurisdiction of different member states come into play with this as they look to manage data-protection regulations under their specific jurisdictions?
Right. Part of this will likely be fleshed out over the next few months – the next few years, likely – but there are certain factors that determine which supervisory authority is what we call the lead one, the one that takes precedence. That’s typically where our company has their main establishment or where the central administration of their company is in the EU.
There are criteria that have been issued by the regulators in the EU, and typically, that entity is where the primary decisions are taken from a corporate perspective – the power to make and implement processing decisions where the entity might assume liability and where the assets for the entity are most likely to be centralized. When you take a look at which supervisory authority is going to be your supervisory authority, those are some of the criteria that are involved. People have described this as like having various attorneys general in the United States. Each state has an attorney general, and that’s generally where the locus is, where the nexus is that forces these kinds of decisions.
There is a board that’s made up of the various data-protection authorities that’s called the European Data Protection Board, and that’s considered to be the collaborative opinion. When they do issue opinions, they issue opinions as a group that has some significant legal and regulatory weight. There are differences by country, depending on what the historical context and culture has been around privacy, but in general, the European Data Protection Board, which was formerly called the Article 29 Working Party, is made up of those regulators, and I think that over the next few months – and likely the next few years – we’ll see additional opinions that will be appreciated and required in terms of understanding some of the more nuanced areas of the GDPR.
Finally, Joel, with regard to the board and what you were explaining before about the home base of a company in terms of the way they’re managing data, does this apply, or are these the guidelines that would apply, in the case of cross-border data transfers between different countries in the EU?
Right. This is a very complicated issue today. There are a couple of different ways in which data can go legitimately or legally from the EU to countries or regions outside the EU. There are certain countries that are deemed adequate, and you don’t need any special mechanisms. There are other countries that are inadequate. The United States, as many people probably know, is considered an inadequate jurisdiction, and several years back, the regulators on both sides of the ocean created something called the Safe Harbor, and that was invalidated as insufficient to protect the rights of data subjects when that information was moved from the EU to the United States.
Subsequent to that, they created the Privacy Shield, and that is currently being challenged as well by various quarters, but in general, there are three different ways that one can transfer data from the EU to outside of the EU. One is the Privacy Shield I mentioned. The second is what they call model contracts or standard contracts, which put in place language to protect data and data-subject rights. The third one is something called the binding corporate rules, and those all have different pros and cons, but those are primarily the three methods. There are a few other ones, but those are the big three that must be in place for data to move from one country to the other, assuming that you have the proper right and legal base for processing when you’re actually collecting that data from the get-go.
Joel, I want to thank you for joining me today to discuss what obviously is a very complicated subject and will continue to be so for companies in the European Union and around the world. I want to invite our audience to visit protiviti.com/gdpr, where you can find much more information on this new regulation.