In-house counsel: 100% compliance with GDPR almost impossible

Author: Jimmie Franklin | Published: 5 Feb 2020
Email a friend

Please enter a maximum of 5 recipients. Use ; to separate more than one email address.


In-house lawyers speaking at IFLR’s European In-house Counsel Summit in London yesterday said that GDPR remains a major issue for corporates, with absolute compliance almost impossible.

Almost two years on from its implementation, the EU’s landmark data protection regulation continues to cause stress for in-house legal, compliance, and technology teams.

"Can anyone say they are 100% compliant?" said Neil Paterson, group data protection coordinator at TUI Group. "GDPR encourages a risk-based approach. For example, data protection by design, 'appropriate' security measures. As a business, we make risk-based decisions every day. However, it is important that decisions are informed, documented and made at the right level. 100% compliance isn’t feasible."

GDPR panic is slowing


  • Corporates are recommended to take a risk based approach to GDPR and ensure issues are confronted at the right level;
  • Data privacy experts have warned about the reputational damage that a data breach can carry;
  • The cultural shift from storing large amounts of data to complying with the 'right to be forgotten’ has been highlighted as a significant challenge for organisations.

Another corporate in-house counsel added that the repercussions of a GDPR-related data breach can have a significant impact on how a company is perceived by the public.

"Reputation is the number one issue," they said. "If you can’t get personal data right then people wonder: what’s happening with the rest?"

Cillian Kieran, CEO of US-based software company Ethyca, said that he has noticed both legal and marketing teams being significantly more mindful of the way they use personal data. "The most visible part of GDPR is the enforcement. On that side, fines have been ramping up since the law came into effect. Now they’re reaching levels where the public has to sit up and take notice."

Between implementation and January 2020, 160,000 data breach notifications were reported across the European Economic Area (EEA), with the highest GDPR fine to date being €50 million ($55.11 million) imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent, instead of a data breach.

Travers Smith partner Louisa Chambers agreed. "A key concern for corporates is data breaches," she said. "Companies can spend as much as they want to yet still be vulnerable to a data breach. You can never fully anticipate this risk. But there are lots of preventative measures you can take to mitigate it."

A key preventative measure is education: ensuring that all staff are aware of the shift in how data must be treated, with emphasis on the individual’s right to the protection of personal data, whether an employee or a customer.

"For the vast majority of companies, making GDPR compliance a matter of business-as-usual requires nothing less than a wholesale cultural shift regarding attitudes to user data," added Kieran. "It’s not enough to spend money on the processes and infrastructure. It’s about making sure that team members fully understand the new personal data paradigm, and act accordingly."

The shift in attitude had to be swift, with a cultural transition from maintaining large amounts of historical personal data. As the regulation says: 'A data subject should have the right to have personal data concerning him or her rectified, and a 'right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.’

"For the vast majority of companies, making GDPR compliance a matter of business-as-usual requires nothing less than a wholesale cultural shift"

GDPR’s effects are felt far from Europe

As the GDPR is a vast regulation with many requirements and new concepts, it will continue to drive data governance policies for the foreseeable future.

Regulators step up

Since implementation in 2017, there has been an uptick in companies coming up against national regulators following data breaches.

Subsequent to an investigation, in July 2019, the UK Information Commissioner’s Officer (ICO) announced its intention to fine British Airways (BA) £183.39 million ($247.18 million) for infringements of GDPR.

The fine related to a cyber incident that was notified to the ICO by the airline in 2018. In part, this involved user traffic to the BA website being diverted to a fraudulent site whereby hackers harvested customer details . The personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The day after the ICO announced its decision to fine BA, news surfaced that a fine of £99 million was also being levied against Marriott International.

"In light of recent announcements, for example, BA and Marriot, we are seeing an intention to impose big fines and these are getting public attention," said Paterson. 

He continued that a privacy is now high on the agenda for corporates and this is in part fuelled by the threat of fines.

"Fines are just one tool in the enforcement toolkit and data protection authorities need to be reasonable, proportionate and consistent in the action they take," he continued. "For example, the ICO always had a reputation for being pragmatic, and could lose engagement with their stakeholders because of recent announcements."

GDPR is Europe’s pièce de résistance