One year on, the true effect of the GDPR is yet to be felt, says Hogan Lovells

Eduardo Ustaran, Co-Director of the practice, says: "It was always going to be this way. The digital economy is constantly growing. Ultimately, the key point to remember is that meeting the GDPR’s requirements is an ongoing endeavor. One could never regard it as a job done. Having adopted a GDPR compliance program, organizations need to keep it alive without ever losing focus of what matters most and how the law is evolving. Complete certainty might be an unachievable goal but being alert to the practical priorities and getting on with the work will go a long way."

An essential GDPR 'To Do’ list for the months ahead looks as follows:

• Get the basics right – As regulatory guidance on some of the essential aspects of the law – from its extra-territorial applicability to the lawful grounds for processing – continues to pour in, determining the appropriate legal basis for the use of personal data has become an absolute priority. Regulators expect nothing less than a solid foundation matched by a wholly transparent approach through a clear and comprehensive privacy notice.
• Meet individuals’ demands – After the initial influx of data subjects’ requests in the early days of the GDPR, the pace of requests seems to have dropped to a ‘business-as-usual’ level. However, since EU data protection law is still primarily about putting people in control of their data, dealing with any requests from individuals seeking to exercise their rights under the law should always be a top priority.
• Adopt a credible Data Protection Impact Assessment (DPIA) strategy – Of all the new accountability requirements in the GDPR – aside from the role of the data protection officer – carrying out DPIAs is likely to be the single most important factor to ensure compliance with the law. For this reason, regulators often seek to understand how organizations are deploying DPIAs.
• Engage with the regulators – One of the most significant features of the GDPR from a practical compliance perspective is its enforcement arrangements. Central to this is the One Stop Shop system of supervision, which gives a single regulator full authority to oversee the pan-European data processing activities of an organization. This approach is still compatible with the data protection authorities. As a result, a well-thought out strategy for regulatory engagement will be essential for many organizations.
• Prepare for data security incidents – 72 hours to decide whether to report a data security incident is a very short timeframe. Experience shows that the most sensible way of dealing with the inevitable incident is to be ready for it and, particularly, to know how to assess the possible risk for individuals in order to determine whether to report it and, if so, how.
• Legitimize global data flows – One of the unintended consequences of Brexit has been to highlight once again the importance of legitimizing international data transfers. This is not a new issue but adopting a workable and future-proof strategy to enable global data flows is a must. For many organizations this may start with intra-group agreements and evolve towards BCR. Whatever the mechanism used, it should be kept under review.