Many life science firms spent much time and money preparing for the enforcement of the European Union’s General Data Protection Regulation (GDPR). Now that the May 25 launch date has come and gone, just about everyone is wondering what enforcement will look like.
As legal professionals, we have immersed ourselves in this latest data privacy legislation in the EU. With our experience to guide us, we sought to shed light on what life science companies can expect at the “May 25th Has Come and Gone, GDPR Is in Force – What Now?” webinar on July 17.
Clamor for Information
There is demand for information about how European regulators will implement the legislation. The extraordinary administrative fines – up to 4 percent of the company’s total annual revenue or 20 million euro for serious infringements – have made the stakes high.
In addition, the law brings a large group of organizations within its scope. It applies to all 28 EU member countries, and to organizations within and outside the EU that offer goods or services to data subjects in the EU or monitor the behavior of those in the EU. Clearly, this has serious implications for most life science companies.
As a result, there is great hunger for foresight about how this law will be applied, who will be most affected, and what to expect moving forward. In fact, participants in a relevant forum ask 15 to 20 questions per day about GDPR.
To begin, you must understand the cultural significance of data privacy in the EU. It is, after all, considered a fundamental right set forth in Articles Seven and Eight of the Charter of Fundamental Rights of the European Union. Article Seven describes the right to respect for privacy, and Article Eight explains the right to the protection of your privacy. Indeed, this idea of “privacy as a right” is the driving force behind the creation and enforcement of the new legislation.
Companies have had since 2016 to prepare for the GDPR. Preparations should have included understanding the coming changes, such as who would be held accountable (data processors and controllers), how far and wide the reach would be, international data transfers, and specifics on data breach notifications. Another major change for which companies had to brace was the many rights granted to data subjects, including the rights to rectification and erasure.
What We Believe about GDPR
With all those requirements, the particulars of the law can be overwhelming. It’s natural to feel concerned about how this will actually translate into enforcement. Discover some of our thoughts, based on our experience and what we have recently observed:
- EU regulators mean business. They have been explicit in their intentions. There will be scrutiny, so companies should take this seriously. “The aim of our office is to prevent harm, and we place support and compliance at the heart of our regulatory action,” says U.K. Information Commissioner Elizabeth Denham. “Voluntary compliance is still the preferred route, but we will back that up with tough action when it’s necessary.”
- You still have some time to fall in line. Experts say companies that are working toward compliance and show they are taking responsibility may be given leniency for errors, especially during this initial stage. Anyone completely overlooking or ignoring the law will, however, face the consequences.
- Regulators want to see companies succeed in complying. Ultimately, the goal of the law is to protect the data privacy of individuals in the EU. The regulators are not out to get anyone and will be supportive of companies taking the right steps toward compliance. This law’s enactment is a positive because compliance makes good business sense. The public appreciates companies that are thoughtful and respectful of their privacy.
What the Future May Hold
Some expect NGOs to be aggressive about using GDPR as a means to take action against perceived historical data abuses. For instance, noyb.eu and La Quadrature du Net have filed formal complaints against tech giants. But it is still quite early in the law’s life. Even though there was much hype in the lead-up to the date GDPR took effect, it is here for the long term.
Many saw GDPR as a sprint and rushed to get ahead of it before May 25. However, it’s an endurance race. People are going to have to keep looking at their policies and practices to comply and protect the data of individuals.