The inaugural year of the European Union’s General Data Protection Regulation, or GDPR, is in the books as of May 25, 2019. And based on feedback from legal and risk management experts, U.S.-based companies operating in the EU pretty much took care of business in year one. Challenges await, however, as GDPR matures and morphs into year two and beyond.

According to Matthew McCabe, a senior vice president and assistant general counsel for cyber policy at Marsh, as the operations of companies operating in the EU continue to develop, meeting GDPR’s upcoming challenges is basically about keeping vigilant about the way they collect data, the type of data collected and how sensitive that data may be in identifying individuals.

“We had a long lead up to the GDPR, and companies went through great efforts to make sure they were in compliance. And that’s helpful,” said McCabe, who issued a client advisory on the issue for Marsh.

“We’re not at an endpoint; you almost do not ever reach compliance, because as your business continues to change, these pitfalls are going to continue to arise. It’s constant pursuit,” he said.

Marcel Duhamel, partner with Vorys, Sater, Seymour and Pease, a Columbus, Ohio, law firm, said GDPR enforcement against U.S. companies, at least as far as has been made public, has focused on high-profile targets.

In fact, the only American company to have been fined to date is Google, but it was a whopper. A French regulator whacked Google to the tune of $56.8 million for allegedly failing to disclose accurately how it collects and uses data for personalized advertising.

Duhamel said investigations also have been announced against Twitter, Facebook, Amazon, Apple and Spotify, for various alleged breaches of GDPR.

“This probably isn’t surprising; these large, well-known companies are a kind of low-hanging fruit, and privacy activists in Europe have focused quite a bit of attention on them,” Duhamel said.

Matthew McCabe, SVP and assistant general counsel, cyber policy, Marsh

However, he added, “Smaller or less well-known companies should be very careful about finding too much comfort in this.”

Based on professional observations and conversations with clients, Duhamel said he expects there will be more difficult hurdles in the year ahead. In agreement is Odia Kagan, partner and chair of GDPR Compliance and International Privacy at Fox Rothschild, a Philadelphia law firm. Kagan explained that GDPR enforcement action is still just getting started.

Partly, that might be because some of the EU regulators were instituting a self-imposed “grace period,” Kagan said, and partly because the enforcement actions involving multinationals or big tech companies require time to review, investigate and coordinate among a number of data protection authorities.

Also mentioning the Google case, which she said will be appealed, Kagan said “regulators are also saying that they are investigating and will be issuing enforcement actions against other big tech companies in the summer.”

“We’re only in year one and a lot of investigations have begun that will begin to manifest themselves, so I think we’re still yet to get a flavor of what fines and penalties will be like under the GDPR,” McCabe said.

“I imagine there will be a broad range; there will be minor violations for inadvertent activity, and those would be small fines. And then there will be some really big ones coming down the pike as well.”

Coming to Terms With the Data

Duhamel outlined a few GDPR compliance strategies.

One consideration is whether to comply at all. He explained that some companies, particularly smaller retailers that aren’t physically located within the EU, have simply chosen to wall off their websites so that they cannot be accessed from within the EU and have adopted policies against shipping goods to any address within the EU.

For those not inclined to take such steps, he suggests companies get a complete understanding of precisely what personal data they have, what they do with it, where they got it, with whom they share it and for how long they keep it.

“Sometimes this is referred to as a data map or a data inventory,” he said. “GDPR requires much more than a privacy statement on the homepage of a website. It is simply impossible to comply with the regulation without a thorough understanding of the company’s use of data.”

“It is important to do something, be on the path, rather than be daunted into inaction. This will be taken into consideration by regulators if it ever comes up.” — Odia Kagan, partner and chair of GDPR Compliance and International Privacy, Fox Rothschild

He said it often turns out that there is no single person, or department in a larger company, who will understand this, noting that companies are often surprised to learn how complex this can be, how long it can take and how much it can cost.

Another upcoming challenge is handling “onward transfers,” or transfers from one company to another if the receiving company is in the United States. Transfers to the U.S. are subject to very strict requirements, and these apply even if the transferring company and the receiving company are corporate affiliates, Duhamel explained.

He added this can be difficult to implement, particularly with respect to vendors whose services the company relies on but whose contracts have already been written.

“GDPR reflects a very different mindset about personal data than the one usually seen in the U.S.,” Duhamel said.

“American businesses often think of the data they collect as their property, and they seek ways to monetize it. The GDPR, by contrast, sees privacy as a fundamental human right and strictly limits what a business can do with the data it collects.”

A Shift in Thinking

According to Fox Rothschild’s Kagan, U.S. businesses operating in the EU have much work to do in the year ahead.

“GDPR compliance isn’t something that is a snapshot in time, it’s an ongoing process, a ‘chronic condition’ for the skeptics or a ‘healthy routine’ for the advocates,” she said. “Companies need to complete setting up their key compliance mechanisms and then reassess and tweak and implement each time a new process, new product or new service provider starts up.”

Kagan said the toughest compliance issue is to accomplish the shift in thinking with respect to how one needs to handle the information, explaining that understanding the information beyond SSN and driver’s license or bank account information not only is important, but it’s also important where you get your information, what people think you will do with it, etc.

“Once companies are able to shift their thinking and get corporate ‘buy in,’ the rest is just doing the hard work necessary to comply,” she said, adding that it’s entirely possible with the proper time, budget and effort invested.

“In any event, it is important to do something, be on the path, rather than be daunted into inaction,” she said. For example, do a risk assessment, then devise and plan and start executing on it.

“This will be taken into consideration by regulators if it ever comes up,” Kagan said.

“It’s talked about how cyber security is a team sport. Keeping up with data privacy has now become a team sport as well. It’s beholden to risk managers to understand technology in a way they never have before.” — Matthew McCabe, SVP and assistant general counsel for cyber policy, Marsh

GDPR isn’t the only regulatory environment U.S. businesses face. Other regions also could create similar regulations. For instance, the California Consumer Protection Act (CCPA) becomes effective early next year.

Duhamel said generally, GDPR is more restrictive than California’s law, though one area of concern both share is the sale of personal data to third parties.

Under GDPR, that can be difficult to justify without the express, informed consent of the data subject. Under CCPA, he said, the business must include a “Do Not Sell My Personal Information” button on its website and must disclose whether it has sold personal information in the preceding 12 months.

Another key difference is that GDPR applies to any controller or processor of information, regardless of its size and regardless of the type of organization, Duhamel explained.

CCPA, on the other hand, applies only to for-profit businesses that do business in California and meet one of three requirements: (1) it has annual gross revenue of more than $25 million; (2) it annually buys, receives or shares, for commercial purposes, personal information of 50,000 or more people, households or devices; or (3) it derives 50% or more if its annual revenue from selling consumer’s personal information.

“A different question is whether the U.S. will eventually adopt a federal privacy regulation that crosses industry sectors,” Duhamel said. “It is hard to imagine, in the current political environment, anything like that getting traction in both houses of Congress and getting a presidential signature.”

At the same time, even some large U.S. businesses have begun to call for some kind of across-the-board privacy regulation.

Duhamel said skeptics would argue that when businesses take this position they are hoping merely to see some kind of federal preemption that frees them from state regulations like CCPA, but the converse is that a robust federal law could provide consistent consumer protections regardless of the state in which the consumer lives and will provide businesses a single set of rules to follow.

Heading into year two of GDPR, Marsh’s McCabe said the primary challenge for risk managers is to up their game in terms of learning what these data privacy issues are all about.

“It’s talked about how cyber security is a team sport,” he said. “Keeping up with data privacy has now become a team sport as well. It’s beholden to risk managers to understand technology in a way they never have before.”

What that requires is learning how technology is going to be incorporated into their companies’ processes and how it is going to capture data, then how to be able to coordinate that with not only their technical and operations teams, but also ensure that it’s a discussion they are having with their privacy counsel on potential impact.

“Then you have to tie it back to your risk mitigation and insurance programs,” McCabe said. “Assessing ‘How could we run into a violation? And, if we do, how are we going to contend with the financial impact of the violation?’

“At the end of the day, it gets down to the same question risk managers typically ask, ‘Am I ready for a large loss resulting from this specific peril?’ ” &