With the EU General Data Protection Regulation coming into effect this Friday, brands need to understand and deal with its implications, as Peter Scott reports.
The arrival of the EU General Data Protection Regulation (GDPR), which becomes law in Europe on May 25, will have profound implications for almost all companies.
In Session CUS20 – More or Less Secure: Are International Data Privacy Regulations Helping You Protect Your Brand? yesterday, panelists discussed the changes and gave practical tips for companies looking to stay compliant with their various legal and regulatory responsibilities for data.
The GDPR “could really affect your ability to police your trademarks,” said Randi Singer, Partner at Weil, Gotshal & Manges, LLP (USA), as she introduced the most important changes resulting from the new regulation and busted some of the most common myths about it.
Most of the important changes affect how companies need to manage and process the data they hold, but she cautioned that for brand owners, there may be other problems: “When you are out there policing your brand, people have been used to having certain resources to help them do that,” Ms. Singer said, including, for example, the WHOIS system, which is maintained by the Internet Corporation for Assigned Names and Numbers and which companies use to help track infringement online.
Some of these kinds of resources are full of “personal information” as defined in the GDPR, so many of them may become unavailable to brand owners beginning May 25 or available in a different form.
As session moderator Christopher Kenneally, Director, Relationship Marketing at Copyright Clearance Center, Inc. (USA) pointed out, “the lives we lead online have utterly changed the other lives we lead,” and GDPR will change them again. This perhaps explains why a recent PWC survey found that 75 percent of companies plan to invest at least US $1 million in preparing for the GDPR.
Ms. Singer explained that the GDPR is designed to give EU citizens more control over how their personal data is used, saying that “privacy is a fundamental right in Europe” analogous to free speech in the United States. She cautioned that, while the GDPR is European, its effects are much farther reaching. “If your website is accessible in the European Union, this applies to you,” she said.
Indeed, there are several common misconceptions about the GDPR, including companies that think they can avoid it because they “don’t share data” or because they “don’t collect personal information.” Anne Kelley, Adviser to the Center for Responsible Enterprise And Trade (CREATe.org) (USA) explained that if you hold data in the cloud, that constitutes sharing data, as does using third party analytics for your website.
Ms. Singer underlined that the GDPR’s definition of personal information “could not be more broad,” so that if a company collects any information at all about people, it is likely to be caught by the scope of the regulation.
Iris Geik, Associate General Counsel and Privacy Officer, Copyright Clearance Center, Inc. (USA), spoke about the practical steps companies should take to make sure they are ready for the GDPR, including asking basic questions such as “What controls do we have on transferring information?” and “Where is our data held, and what do we do with it?”
The answers to these questions should inform your strategy for dealing with data protection, said Ms. Geik, and whatever you do, it’s vital to “document, document, document” in order to ensure you can demonstrate your compliance with the GDPR and other regulations.
She urged IP attorneys to act as advocates in their organizations for planning how to deal with “subject access requests,” when someone asks for a record of the personal information a company holds on them. She also noted that it needs to be very clear who is responsible for data collected in the company and how it is stored, or else there is a risk of “joint and several liability” for breaches.
Ms. Kelley detailed how cybersecurity interacts with data protection, noting that, while good cybersecurity is important, it does not prevent you needing to fulfill your obligations over data. “If you think cybersecurity is going to solve your problems, you’ve got another think coming,” she said.
It’s important to remember that, should you suffer a data breach, it may have implications well beyond customer data. Trade secrets and IP information, business-to-business data, technical information, and data you hold in the cloud all require protection too, and “GDPR does not stand alone in an analysis of cyber-readiness,” she said.
Perhaps the “single biggest risk” to companies in this area is that “nobody wants to be in charge of these issues” within an organization, she added. Still, they need to be addressed.