The Global Counsel's Guide to GDPR

08.05.2018

The way global companies handle data is set to change dramatically on 25 May 2018, when the European Union’s (EU) General Data Protection Regulation (GDPR) comes into force. Designed to address concerns over the security and use of personal data, GDPR will apply to data processing activities regarding personal data within Europe as well as data transfers within the EU and between the EU and non-EU countries, and it looks likely to become the global benchmark for protecting personal data.
 
Legal teams are front and center as companies get ready to comply with GDPR, and the stakes are high. Companies that do not get compliance right risk fines of 4% of global turnover or €20m, whichever is greater. Regulators have made it clear that they intend to fully flex their powers to enforce the regulation. 
 
Compliance with GDPR aside, no business wants to face the reputational fallout of failing to protect its customers’ personal information – as the WannaCry, Cambridge Analytica and far too many other breaches show.
 
How are legal teams working with businesses to prepare for the new regime, and are they confident they will be ready? KPMG International sponsored The Legal 500 to find out. 
 
The results of The Legal 500 survey reveal that legal teams face significant hurdles as they seek to implement a data protection management system that allows them to continue operations and capitalise on the valuable data they hold. Among the biggest challenges respondents faced:
 
  • GDPR affects all parts of the organisation, which can frustrate efforts to determine responsibility and accountability. Implementing policies across the organisation was named as the top challenge.
  • While the legal team is central to preparation efforts, success depends on its ability to work with other departments to map issues and develop solutions.
  • The GDPR regime is based on principles rather than prescriptive rules, and interpretation of legal requirements and obligations can be difficult in the absence of precedents or additional guidance.
  • GDPR compliance requires understanding and control over all of the IT systems and processes for handling personal data collection – including data that may be hidden in legacy architecture and systems.
  • Few organisations have sought to understand the risks arising from the actions of third-party suppliers and other commercial partners.
  • Finally, most organisations have struggled to identify all data processing activities or gain a broad internal overview of their processes. For GCs, this has made compliance a continually moving target.

This report offers a view of how legal teams are addressing the challenges of GDPR and identifies a number of leading practices for getting organisations’ systems and processes onside. As legal counsel reported in interviews, the best solution to these challenges may be to focus on the opportunities. For example:
 
  • Demonstrating GDPR compliance can be a good opportunity to differentiate your business by winning more consumer trust and thus competitive advantage.
  • GDPR compliance can benefit the organisation’s culture, as stronger governance structures for handling data help mitigate other risks (e.g. security, bribery, corruption).
  • More disciplined management of customer data can produce opportunities to build connections with customers and produce better products.

By approaching GDPR as a chance to invest in a leading-edge global data protection management system, KPMG member firm legal teams can help their clients get more control over data and leverage that data to gain more strategic value.

 
Find the full report here: