Cécile Martin is a Partner of the Paris office of Ogletree Deakins. She has a dual competence in labor law and data privacy law which enables her to stay on the cusp of unfolding developments, and at the forefront of French and international clients needs. Let's find out what she has to say on the subject of GDPR.
What do you think of the GDPR legislation?
The GDPR has the major advantage of being able to harmonize data protection across the EU member states. As opposed to the Directive of 1995, which led to the adoption of different legislations across Europe, the regulation has a direct effect and does not need to be transposed to become applicable throughout the EU member states. Therefore, it is a source of security for businesses based in different jurisdictions in Europe as the data protection legislation is the same regardless of the EU member states where they are located. It is still true that some discrepancies may exist from one Member State to another one, but it is now much more limited given that it is the GDPR itself which provides for the specific points (around 50) where the member states are entitled to complete or derogate to the GDPR principles.
What common mistakes do you see companies making when it comes to GDPR?
Common pitfalls are generally to believe that being accountable “on paper” is going to be sufficient to be GDPR compliant. A lot of companies consider that to be compliant they just need to appoint a Data Protection Officer, to have a list of their data processing and to issue notices of information for their clients, providers, and employees. This process is most of the time necessary, however, the GDPR compliance is much more than that. The accountability principle is a constant process which regularly needs to be reviewed, updated, audited, and corrected to be really efficient. As such companies have to implement internal processes and governance to make sure that the compliance is effective and is a reality.
Who needs to be involved in ensuring GDPR compliance?
Almost everyone in a company. Companies need to make sure that their staff, their senior management, their consultants, their contractors, their sub-contractors… are involved in the GDPR compliance. For instance, they need to implement specific training to raise awareness of their employees, review the contracts with their providers and clients. They also need to ensure that their processors have also a high level of security to protect and process personal data in full compliance with the GDPR requirements.
What are the biggest challenges GDPR poses to companies in the long-term?
Contrary to previous legislation, companies now should ensure that they are regularly in compliance with the GDPR by auditing their systems, testing their processes, and training their employees. Therefore, they cannot consider that the GDPR compliance is a final step or goal, as they constantly need to review their processes in light of new technologies, breaches of security, and the various incidents that may occur.
What future trends do you envisage relating to GDPR?
So far, companies have focused on their core of activities regarding the GDPR i.e. the personal data of their clients. Now, we start to see that they realize that they should extend their processes to their HR data processing. Class actions from employees could become a reality for the years to come if the companies are not in a position to correctly protect their personal data.