Post-GDPR Live Environment: Part 1 - Operating Models / Interaction with Other Laws
October 17, 2018
25 May 2018 has come and gone. The General Data Protection Regulation (“GDPR”) has irretrievably changed the way in which we approach and deal with personal data. At PwC, we have identified some key trends for businesses to consider in the post-GDPR live environment.
Operationalising the GDPR
Up until May 2018, companies had either designed and deployed their Data Protection Operating Models (“DPOMs”) or, at the very least, thought about doing so. Depending on sector, size and jurisdiction, DPOMs may vary significantly from one company to another. For example, a financial services company will be more acquainted with well-established governance structures and daily compliance operations than companies from other economic sectors (e.g. retail). For less regulated businesses, the transition from a GDPR change programme to business-as-usual (“BAU”) daily Data Protection compliance operations may prove more challenging.
Having completed the two initial stages of the GDPR transformation, design and deployment, companies should now enter the third stage of the change process – validation. We believe that GDPR transformation processes and their outcomes will inevitably come under “adverse scrutiny” from a wide range of actors, whether through the exercise of data subject rights, breach notification, vendor risk management, regulatory investigations or litigation. Each of these will test the validity of the choices and assumptions made during the design stage, as well as the organisation's overall readiness to handle subsequent daily operations. This is why, at PwC, we have designed an approach to prepare for such challenges and to assess the effectiveness of GDPR programme outcomes.
Interaction with other areas of the law
If the past year was all about personal data, next year will be all about electronic communications data. The GDPR is not a standalone, self-contained piece of legislation: it will certainly interact with the forthcoming ePrivacy Regulation, just as it is already interacting with many other areas of the law (e.g. competition, finance and banking). Indeed, anyone who has read through the different versions of the proposed ePrivacy Regulation can appreciate how much the GDPR has shaped (and is still shaping) the contours of the forthcoming legislation. Just consider concepts such as consent, the Communications Data Impact Assessment (“CDIA”) and transparency, to name a few.
Similar to what happened before the GDPR came into force, we are noticing a rise in awareness among many businesses, which are trying to capture the nuances and developments in some of the key areas of the proposed legislation. In particular, companies are trying to assess the potential impacts on their business, especially across aspects such as marketing and machine-to-machine communications.
However, it is not just about ePrivacy. As mentioned, the GDPR impacts many other areas of the law, such as competition law. Data Protection also plays an important role in most M&A transactions, and it is imperative that companies consider the Data Protection implications throughout the M&A life cycle, from targeting, negotiations and due diligence, through to signing, completion and integration.
While these two areas require a significant amount of effort from companies, they are not the only issues to be considered in a post-GDPR environment. Part 2 of this series of blog posts will explore two additional key trends that businesses must consider in the new and dynamic Data Protection reality.