Q & A with GDPR Expert Adam Finlay from McCann FitzGerald

One of the more significant concerns in 2018 for multinational companies and their counsel is ensuring compliance with the General Data Protection Regulation (GDPR). Affected enterprises are looking to satisfy a host of enhanced data protection requirements before the GDPR’s application date of May 25, 2018. To better ensure compliance, organizations should consider turning to trusted advisors such as Adam Finlay with the international law firm of McCann FitzGerald. Adam, a partner based in the firm’s Dublin, Ireland office, is an experienced lawyer who has advised many clients on data protection matters. I recently had the chance to speak with Adam and discuss his views on a variety of GDPR compliance issues.

    1. Tell us about your background and how you came to be an expert on the GDPR?

I have been advising on EU and Irish data protection law for over 10 years, having joined the Technology & Innovation group in McCann FitzGerald when I qualified as a solicitor in 2007. Apart from advising market leading international and domestic clients on the current data protection law regime for many years, I have been providing strategic advice to clients on the GDPR since it was merely a proposal and we are currently assisting numerous clients with their GDPR preparations.

    2. What is one of the biggest GDPR compliance challenges that companies are facing?

One of the most important new obligations under the GDPR will be the requirement to be able to demonstrate your compliance with data protection obligations. This is a significant change and is necessitating detailed analysis of current practices and the generation and maintenance of new internal records. Creating and maintaining a ‘record of processing activities’ (often referred to as a data inventory or data mapping) will be mandatory for many enterprises. Organizations having fewer than 250 employees might be exempt in certain circumstances. However, even if they are exempt, it will be difficult to identify and implement GDPR compliance steps without a data inventory. Undertaking this step will be best practice for affected enterprises.

For any organization who hasn’t created a data inventory yet, its generation can be a particularly challenging and time consuming exercise. It often necessitates wide-ranging engagement with various business units and functions. For those who have addressed this initial step, further challenges arise when it comes to making key decisions on the how and to what extent to comply with mandatory obligations and best practice under the GDPR.

    3. What are some key measures that affected U.S. companies should take to prepare for the GDPR?

Once a company has determined whether it is in scope of the GDPR (and its extra-territorial effect is a significant change from the current EU data protection law regime), it needs to carry out an initial gap analysis. This will typically identify a range of measures that will need to be adopted to ensure compliance with core obligations under the GDPR, including:

• Generate a record of processing activities/data inventory
• Consider what legal grounds it will rely on for collecting or using ‘personal data’. If a company intends to rely on consent, it should review existing practices for obtaining consent and consider what changes will be required to comply with the new requirements in relation to consent under the GDPR. Alternatively, it might seek to rely on an alternative to consent, such as the ‘legitimate interests’ ground.
• Review and update existing privacy/data protection notices addressed to individuals (e.g. on websites, in forms, etc.)
• Review and update existing contracts with third parties who process personal data on the company’s behalf (e.g. IT service providers) to ensure that they contain the provisions that will be mandatory to include in these circumstances
• Review and update internal policies and procedures that relate to personal data (such as a data protection policy, an information security policy, a record retention policy, a personal data breach policy, etc.)
• Consider whether it must appoint a representative within the EU for the purposes of the GDPR
• Consider whether it must appoint a Data Protection Officer and, if so, ensure that the role and the person performing it meet the mandatory requirements under the GDPR.

For a company operating in the U.S. and any markets other than the EU, in addition to identifying what it needs to do in connection with the GDPR, it also needs to consider how to align these steps with compliance with its obligations under non-EU laws that are applicable to it.

    4. What is the relationship between the GDPR and the EU/U.S. Privacy Shield?

The GDPR provides broadly the same rules regarding transfers of personal data from the EU to ‘third countries’ (such as the U.S.) as apply under the current data protection law regime. There is a grandfathering provision in the GDPR that will enable existing mechanisms for lawfully transferring personal data outside the EU (such as the EU/U.S. Privacy Shield for transfers to the U.S.) to continue to be relied upon, unless or until they are revoked or cease to apply. As a result, the EU/U.S. Privacy Shield will continue to be available once the GDPR becomes applicable on May 25th, 2018 (unless it is struck down in the meantime). However, the Privacy Shield is intended to ensure that personal data that is transferred to participating U.S. companies receives an adequate level of protection, which is essentially equivalent to that provided for by EU law. Since the level of protection provided for by EU law will change with effect from May 25th, there will be a new benchmark for the Privacy Shield to meet beginning on May 25th. The Article 29 Working Party (a body comprised of EU data protection authorities) has stated that the Privacy Shield decision should be reviewed shortly after May 25th to determine whether it achieves its intended purpose when considered in light of the GDPR. U.S. authorities will face challenges in being able to show the Privacy Shield ensures essential equivalency to the GDPR.

    5. What impact could the new Schrems matter challenging the use of Standard Contractual Clauses for cross-border data transfers have on GDPR compliance?

This case will not have an immediate impact on GDPR compliance, since it is not likely to be resolved until some time after the GDPR will become applicable. Its potential impact will depend to a degree on the scope of the questions that are referred by the Irish High Court to the Court of Justice of the European Union. While the judgment of the Irish High Court delivered in October 2017 indicated that questions will be referred, they have not been settled yet (submissions on this topic are due to be heard on January 16, 2018). The validity of the current versions of the Standard Contract Clauses will certainly be queried. There might also be broader questions regarding transfers of personal data to the U.S. based on other mechanisms. Ultimately, this case might result in the Court of Justice of the European Union (CJEU) ruling that the current versions of the Standard Contractual Clauses are invalid, or more broadly that the concept of the Standard Contractual Clauses is fundamentally flawed in certain circumstances. It will need to be monitored closely. Until the CJEU delivers its ruling, the current Standard Contractual Clauses remain legally valid and may be relied upon to legitimize transfers of personal data out of the EU, both under the current data protection law regime and under the GDPR once it becomes applicable.