We recently attended the IAPP privacy summit in Washington DC. GDPR was obviously a hot topic and we got some great insight from a number of the DPAs attending, including Isabelle Falque-Pierrotin from France and Helen Dixon from Ireland.

The good news: “Even if you’re not finished [preparing for the GDPR] on the 25th,” Falque-Pierrotin said, “this is not a problem. This is a learning curve, and we will take into account, of course, that this is a learning curve.”

“The role of the regulator,” she said, “is to be very pragmatic and to be proportionate.”

However, it’s important that you “start today, not tomorrow,” she said. “Today.”

In describing how a company should make their first step with Privacy, she said It is a strategy question, “it’s not a technical legal question. It has to rise to all levels of the company and obey a strategic decision from the top.”

Helen Dixon from Ireland struck a similar note, “There’s of uncertainty and lots of angst” Dixon acknowledged, “There will be fines, and they will be significant. But a lot of the conferences I go to, I like to twist it back around to remind everyone what the GDPR is, which is about accountability backed up by ex-post enforcement under Article 83. I think it is quite clear that when we do identify an infringement that’s of the gravity, duration and scope that is serious, then we are obliged considerably to administer an administrative fine.”

Dixon does not think it is necessary to list enforcement priorities, because she’s quite sure data subjects will lead regulators to the most pervasive problems.

“Our first priority will be to be responsive to the risks and trends we identify in relation to complaints lodged,” she said.

Transparency

Dixon said, “We already publicly announced transparency is going to be a key enforcement priority. We’re starting with transparency because we think it’s key. The exercise of rights simply can’t happen if there hasn’t been transparency.”

Transparency is what it says it is. How are you using Personal data – is this transparent to the data subject? Also, is this clear in your Article 30 records – is it clear and transparent? DPAs are looking for clear, simple and specific language in Privacy notices and Article 30 records.

One Stop Shop

Dixon recommends setting up a main establishment so as to take advantage of the one-stop-shop mechanism when the GDPR comes into play. And the main establishment should be selected based on where the decision-making about data processing happens, or if you do not have a base in the EU – then you need to choose a GDPR Representative as your main establishment.

Dixon added, “The bottom line advantage of the one-stop shop is [companies] are subject to one decision, one appeal and one fine, they’re not subject to the jurisdiction of lots of supervisory authorities and therefore fines in the member states.” If you don’t set up that main establishment, you’re opening yourself up to “a much more complex array of enforcement actions.”

If you are looking to designate a GDPR representative before the May 25th deadline, get in touch with us here: