In-house lawyers speaking at IFLR’s European
In-house Counsel Summit in London yesterday said that GDPR
remains a major issue for corporates, with absolute compliance
Almost two years on from its implementation, the
EU’s landmark data protection regulation
continues to cause stress for in-house legal, compliance, and
"Can anyone say they are 100% compliant?" said Neil
Paterson, group data protection coordinator at TUI Group. "GDPR
encourages a risk-based approach. For example, data protection
by design, 'appropriate' security measures. As a business, we
make risk-based decisions every day. However, it is important
that decisions are informed, documented and made at the right
level. 100% compliance isn’t feasible."
GDPR panic is slowing
- Corporates are advised to take a risk-based
approach to GDPR and ensure issues are confronted at the
- Data privacy experts have warned about the
reputational damage that a data breach can
- The cultural shift from storing large amounts of
data to complying with the 'right to be
forgotten’ has been highlighted as a significant
challenge for organisations.
Another corporate in-house counsel added that the
repercussions of a GDPR-related data breach can have a
significant impact on how a company is perceived by the
"Reputation is the number one issue," they said. "If you
can’t get personal data right then people wonder:
what’s happening with the rest?"
Cillian Kieran, CEO of US-based software company Ethyca,
said that he has noticed both legal and marketing teams being
significantly more mindful of the way they use personal data.
"The most visible part of GDPR is the enforcement. On that
side, fines have been ramping up since the law came into
effect. Now they’re reaching levels where the
public has to sit up and take notice."
Between the regulation taking effect and January 2020, around
160,000 data breach notifications were reported across the
European Economic Area (EEA). The highest GDPR fine imposed to
date is the €50 million ($55.11 million) penalty levied by the
French data protection regulator on Google, for alleged
infringements of the transparency principle and lack of valid
consent, not for a data breach.
Travers Smith partner Louisa Chambers agreed. "A key concern
for corporates is data breaches," she said. "Companies can
spend as much as they want to yet still be vulnerable to a data
breach. You can never fully anticipate this risk. But there are
lots of preventative measures you can take to mitigate it."
A key preventative measure is education: ensuring that all
staff are aware of the shift in how data must be treated, with
emphasis on the individual’s right to the
protection of personal data, whether an employee or a
"For the vast majority of companies, making GDPR compliance
a matter of business-as-usual requires nothing less than a
wholesale cultural shift regarding attitudes to user data,"
added Kieran. "It’s not enough to spend money on
the processes and infrastructure. It’s about
making sure that team members fully understand the new personal
data paradigm, and act accordingly."
The shift in attitude had to be swift, requiring a cultural
transition away from retaining large amounts of historical
personal data. As Recital 65 of the regulation says: 'A data
subject should have the right to have personal data concerning
him or her rectified, and a "right to be forgotten" where the
retention of such data infringes this Regulation or Union or
Member State law to which the controller is subject.'
GDPR’s effects are felt far from
As the GDPR is a vast regulation with many requirements and
new concepts, it will continue to drive data governance
policies for the foreseeable future.
Regulators step up
Since the regulation took effect in May 2018, there has been an
uptick in companies coming up against national regulators following data
Following an investigation,
in July 2019 the UK Information Commissioner's
Office (ICO) announced its intention to fine British Airways
(BA) £183.39 million ($247.18 million) for infringements
The proposed fine related to a cyber incident that the airline
notified to the ICO in 2018. In part, this involved user
traffic to the BA website being diverted to a fraudulent site,
where the attackers harvested customer details. The personal
data of approximately 500,000 customers was compromised in this
incident, which is believed to have begun in June 2018.
The day after the ICO announced its intention to fine BA,
news surfaced that it also intended to fine Marriott
International £99 million.
"In light of recent announcements, for example, BA and Marriott,
we are seeing an intention to impose big fines and these are
getting public attention," said Paterson.
He continued that privacy is now high on the agenda for
corporates, and that this is in part fuelled by the threat of
"Fines are just one tool in the enforcement toolkit and data
protection authorities need to be reasonable, proportionate
and consistent in the action they take," he continued. "For
example, the ICO always had a reputation for being pragmatic,
and could lose engagement with their stakeholders because of
GDPR is Europe’s pièce de