
EU General Data Protection Regulation: What You Need to Know (Part 2)

In the second of this series of pieces, ExchangeWire explores the new EU General Data Protection Regulation (GDPR). With contributions from leading industry experts, this series investigates the details of the new regulation and what it means for businesses in the advertising industry. In this instalment, ExchangeWire speaks with Eduardo Ustaran (pictured below), partner, Hogan Lovells, who provides detailed insight into who the GDPR applies to, what it means, and how businesses can be prepared. Ustaran is an internationally recognised expert in privacy and data protection law, advising leading companies on the adoption of global privacy strategies, and is closely involved in the development of the new EU data protection framework.

To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than four years, the European Parliament, the Council of the EU, and the European Commission have created an ambitious, complex, and strict law that is set to transform the way in which personal information is collected, shared, and used globally. Therefore, it is essential that we appreciate what is significant about the GDPR.

Geographical applicability

A very carefully thought-out aspect of the GDPR is its geographical applicability – both within and outside the EU. For starters, the GDPR will be directly applicable across all Member States of the EU without any further intervention from the national parliaments.

In terms of the GDPR's applicability beyond Europe, the legislators decided to do away with the old-fashioned references to EU-based data processing 'equipment'. Instead, the applicability of the GDPR to organisations without an establishment in the EU will be determined by the location of the data subjects. To this effect, the GDPR will apply whenever the use of personal data by an organisation relates to:

- The offering of goods or services to individuals in the EU, irrespective of whether a payment is required

- The monitoring of those individuals' behaviour in the EU.

In this respect, the GDPR clarifies that tracking individuals on the internet to analyse or predict their personal preferences – as many websites and apps do – will trigger the application of the EU law. This measure makes almost every website that drops tracking cookies, or app that retrieves usage information, subject to the GDPR.

Putting people in control

Something important to understand at the outset is the overall aim underpinning the GDPR: putting people in control of their data. This is a theme that is present throughout the text and is emphasised by the strengthening of 'consent' in relation to the use of data. When relied upon as a justification for the use of data, consent will need to meet very high standards and overcome certain conditions including:

- Consent cannot be bundled with T&Cs without clearly distinguishing between the uses of personal data and the other matters governed by the T&Cs.

- Consent can be withdrawn at any time and in an easy way that should be explained to the individuals before it is obtained.

- If consent is presented as 'take it or leave it', it will not be regarded as freely given.

Individuals' control over their data will be even more visible through significantly reinforced rights, including:

- Information to be provided to individuals at the point of data collection, or within a reasonable period afterwards.

- Right of access for the data subject

- Right to rectification

- Right to erasure (also known as 'right to be forgotten')

- Right to restriction of processing

- Right to data portability

- Right to object to the processing altogether

- Right not to be subject to a decision based solely on automated processing

Transparency, erasure, and portability, in particular, are likely to emerge as crucial tools for individuals to use in the face of an ever-growing hunger for our digital data.

The big novelty: Accountability obligations

From a practical perspective, one of the most notable novelties of the GDPR is the various requirements to make businesses more accountable for their data practices. Brand new responsibilities include:

- Implementation of data protection policies

- Data protection by design and data protection by default

- Record keeping obligations by controllers and processors

- Co-operation with supervisory authorities by controllers and processors

- Data protection impact assessments

- Prior consultation with data protection authorities in high-risk cases

- Mandatory data protection officers for controllers and processors for the public sector and Big Data processing activities

On the data security front, highlights include:

- Extremely detailed requirements for controllers to impose contractually onto vendors acting as processors. From a day-to-day compliance perspective, this will be one of the toughest challenges, particularly when engaging cloud services or any of the off-the-shelf solutions on which every business relies to communicate and store data.

- Data breach notification to data protection authorities within 72 hours of spotting an incident. This obligation does not apply if there is no risk for individuals; but if the risk is high, controllers and processors will need to notify the individuals as well.

Still restrictions on international data transfers

As counter-intuitive as it may seem to regulate cross-border data flows in the 21st century, the GDPR carries on with the traditional approach to restrict data transfers to non-EU jurisdictions. At least the GDPR has helpfully expanded the range of measures that may be used to legitimise such transfers, which now include:

- Binding corporate rules (BCR)

- Standard contractual clauses (SCC) adopted by the European Commission

- Standard contractual clauses adopted by a data protection authority and approved by the European Commission

- An approved code of conduct

- An approved certification mechanism

- Other contractual clauses authorised by a data protection authority in accordance with the so-called 'consistency mechanism'.

Some of these, such as the standard contractual clauses, have been tested over the years, so their benefits and limitations are well known. Others will need some time to show their value and effectiveness. For example, ad-hoc contractual clauses may become a more realistic solution than SCC, but they are likely to require a greater amount of effort in terms of drafting and interaction with regulators. What is patently clear is the growing support for BCR by law makers and regulators; but BCR should be seen as a framework for global privacy compliance more than a simple mechanism to overcome transfer restrictions.

Action plan

The GDPR will come into force in mid-2018. That may sound far away, but considering the substantial changes being introduced by the new framework, delaying action would be unwise. What are the steps that organisations should be taking right now? Our suggested action plan is as follows:

Step 1: Do not panic – When faced with such a complex and strict framework, uncertainty about what to do next is inevitable. The potential for huge fines for non-compliance – up to €20m or up to 4% of the total worldwide annual turnover, whichever is higher – is not very comforting either. However, practical compliance with the GDPR should not be seen as 'mission impossible' but as a modern business necessity that can be effectively managed.

Step 2: Assess the true impact – The first practical action to undertake is to determine the extent to which the GDPR will affect business activities and compliance practices. Some aspects of the GDPR will be more critical than others, depending on the nature of the business, so it is essential to understand where the priorities lie. Businesses should methodically consider the various novelties in the GDPR and determine the necessary compliance measures as a starting point.

Step 3: Prioritise accountability – The bulk of the immediate compliance priorities are likely to fall within the 'accountability' element of the GDPR, so special attention should be paid to the practical measures that will need to be put in place to satisfy those requirements.

Step 4: Think strategically about data flows – Always a top priority, legitimising international data transfers should be regarded as a strategic compliance aspect. For any organisation operating across borders, or engaging global service providers, it will be essential to determine the most appropriate mechanism and implement it in a way that fits the corporate culture.

Step 5: See it as an opportunity – Ultimately, preparing for the GDPR should be seen as more than a compliance exercise. The GDPR is an opportunity to embed good privacy practices into the way a business operates, so that the trust and loyalty that comes with that adds value to the business.

The next two years will be critical to prepare for compliance with what promises to be a game-changing piece of legislation. Whatever its imperfections, the GDPR is here to stay and the time for action is now.