All About GDPR Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier and Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier and Deeter’s Process, Risk & Governance practice, focused on risk and controls in an evolving compliance landscape.
Today we’re talking to Gina Gondron, our partner at Frazier & Deeter who leads the firm’s efforts on the EU’s strict new data privacy regulation, GDPR. Gina, welcome, and please tell us what GDPR stands for.
Gina: Hi Sabrina, thanks for having me. GDPR stands for the General Data Protection Regulation. This is a European regulation with an implementation deadline of May 25th of 2018.
Sabrina: In case we have listeners who are not familiar with GDPR, can you give a brief overview of this regulation that’s already been put into effect?
Gina: Absolutely. GDPR applies to all companies that are collecting personal data of European citizens, regardless of where that company is established and located. It applies to companies whether they are controlling data or processing data, and it’s applicable throughout the lifecycle of personal data, from the collection and processing of that data to its output. It has some pretty strict requirements as well as an enhanced global reach and corporate impact. The penalties for non-compliance are up to 4% of global revenues, so it’s definitely a hefty law that has had an impact across the globe.
Sabrina: So, prior to the May 2018 GDPR effective date, there was great concern over possible legal action. Could you give us an update on any actual legal action that has resulted from GDPR?
Gina: Sure. Google and Facebook faced nearly $9 billion in lawsuits immediately after the GDPR deadline. Conversely, we’ve seen U.S. technology giants, as well as some media outlets and online services, manage complaints filed against them for withholding services from European residents and visitors.
Sabrina: Is there speculation that the U.S. might follow the model of GDPR?
Gina: Yeah, this is hard to predict, but we have seen that California has already passed an act that has similar implications to GDPR. The California Consumer Privacy Act has a January 2020 implementation deadline. Again, it’s fairly similar to GDPR in that it gives California consumers rights of data access as well as the right for their data to be forgotten. It also added a piece of the Act related to the Right to Stop Data Selling and Disclosure.
Sabrina: So here’s a question I think a lot of people have on their minds; are there still companies who haven’t made any changes to accommodate GDPR who should have?
Gina: I certainly think there are some companies who just maybe do not understand the regulation fully and have not started their own efforts to determine where they stand in relation to this regulation. This all starts with understanding where your data is housed, what data you’re collecting and what you’re doing with it. As long as you have strong processes and procedures in place to protect that data, you’ve at least started a good compliance roadmap for GDPR.
Sabrina: So, what advice do you have for US companies doing business in Europe who haven’t given GDPR compliance their attention yet?
Gina: They need to begin understanding what data they have and who’s accessing it, as well as where that data is being stored. Definitely talk to a GDPR expert to understand what makes sense in terms of adapting your existing controls, processes and procedures to ensure you are complying with this act. Like I’ve mentioned, we work with a number of companies who are either in the beginning of this GDPR compliance effort or towards the end of its life cycle. We’ve seen companies that have done this really well and some that probably need to enforce their policies and procedures, but the first step that we tell all of our clients is to just begin looking at the data they’re collecting and determine what they’re doing with it.
Sabrina: Gina Gondron, thank you so much for your time and for your updates to this very important initiative. For our audience, I want to thank you for listening to Frazier and Deeter’s Culture of Compliance podcast, and please join us for our next episode as we continue to discuss transforming various compliance requirements into investments in your business.