R&C: How would you characterise the impact of the General Data Protection Regulation (GDPR) on companies since its introduction in May 2018? How have data controllers and data processors responded?

Morrissey: The impact has varied, being largely dependent upon the sector and size of companies, primarily in Europe, but also further afield. Certain sectors, such as advertising, have been heavily impacted, as the GDPR presents a direct life and death threat to their business models, digital advertising in particular. The response that this sector is undertaking is primarily legal in its focus, based on attempts to get consent or argue legitimate interest in the processing of personal data. As such we have yet to see any particular business change that is implementable in that sector. In fact, we believe that this is a problem in most large-scale privacy programmes. A lot of legal work has been done, but minimal implementation on the ground within the business itself. We would argue that this is where the big impact is yet to be felt.

Wybitul: The GDPR has had a huge impact on certain companies. For affected parties, there are numerous workstreams which need to be dealt with. Among a lot of other things, companies need to be in a position to prove that they have determined the purposes of personal data being processed in sufficient detail, that there is a legal basis for the respective processing and that data subjects are informed in accordance with GDPR requirements. Furthermore, parties must also be aware of the other processes and structures which are required to be put in place by the GDPR. Measures such as data deletion schedules, data protection impact assessments, processor agreements, joint controllership identification and data breach information mechanisms. There are many day-to-day questions which companies are asking themselves. These questions have arisen out of compliance with the new data privacy regime, in particular with regard to the vaguer provisions of the new data privacy requirements. For instance, copies of precisely what documents a controller needs to disclose in the course of a subject access request, or whether the principle of data minimisation requires defendants to produce redacted documents in cross-border discovery proceedings.

Jan-Mar 2019 Issue

GE Healthcare

Latham & Watkins LLP

Sytorus Ltd