The 25th of May has come and gone and the one thing that stands out the most as a result of the effective date of the GDPR is the requirement to have a “registry”, or records of what data you process. This idea of inventorying and analyzing what data is processed, for what purpose, and who gets to use it has long been a central feature of intellectual property protection programs (pardon the alliteration). However, it is now the front and center “tent pole” which leads all other privacy controls to the result known as accountability.
This is obvious, in hindsight. It is hard to build a compliance program without knowing what you have to comply with. However, many organizations have never looked at data from this perspective. To continue the metaphor the esteemed prior author (Ms. O’Connor) presented in her article Tech Trends of 2018: Managing Privacy Risks - data is a capital asset. Businesses that start to consider this concept are the ones who were able to quickly respond to the changes in the law in the EU… and in Asia… and in Latin America. This is because, after the GDPR’s effective date, almost every major data protection régime follows a risk-based approach. It is very difficult to determine what the risk is to your asset if you don’t know where it is, or who is using it.
So, one of the core trends for 2018 and beyond is the idea that data can no longer just be “out there”. Businesses need to understand exactly what they have, what they are doing with it, and who they are sharing it with. Failure to do so will cause businesses to be held accountable - by regulators, consumers, and other businesses. This isn’t just a legal issue, it is an ecosystem issue.
John Tomaszewski is a partner in the International Data Protection Practice Group of Seyfarth Shaw LLP, and the Co-Lead of the Firm’s Global Privacy & Security (GPS) Special Team. He has significant experience counseling companies regarding data protection and information security throughout the Americas, Europe and Asia. His clients have included a myriad of technology companies as well as financial services, pharmaceuticals, and e-commerce companies of all sizes. Mr. Tomaszewski has prepared privacy compliance programs for HR departments, cloud service providers, social media companies, and a host of both traditional “brick-and-mortar” and emerging technology clients. He has also developed fair information practice statements, certification practice statements, PKI policies, non-disclosure agreements, and similar information security and confidentiality instruments.