On Thursday 11th of April, we hosted GDPR, Are You Ready? This event, sponsored by BABC premier members Penningtons Manches LLP and NCC Group, saw an expert panel discuss the various aspects of the upcoming GDPR regime. GDPR stands for General Data Protection Regulation and refers to the incoming set of rules in the European Union, which imposes stricter controls on the use of data belonging to EU citizens.

The evening kicked off with an hour of networking, with drinks and hors d’ouevres in the setting of DocuSign’s impressive headquarters, with a spectacular view of the bay bridge providing the backdrop.

Hamish Corner, Partner at Penningtons Manches LLP, moderated a panel of John Rostern;VP, Risk Management & Governance at NCC Group; Reggie Davis, in-house counsel at Docusign; Batya Forsyth, Partner at Hanson Bridgett; and Jenai Marinkovic Chief Information Officer at Beyond.

The discussion covered various aspects of the GDPR issue, with Hamish asking the panel for their views on topics ranging from the readiness of US companies for compliance, to the effects GDPR might have on marketing and IT departments. The panel then engaged in a Q&A with the audience.

To kick the discussion off, Hamish asked the panel to discuss the current state of US businesses, and how ready they are to become GDPR compliant in time for the May 25
^th deadline. Batya noted that her experience is that companies that are used to having more stringent controls on the data they hold, for example medical companies, are generally ahead of the game on GDPR compliance, but many industries have been relatively unaware of their need to comply until recently. John agreed, going as far as to say that ‘if ignorance is bliss, most companies are in a state of ecstasy’.

Hamish then moved the discussion to the factors that are driving companies to comply. He noted that the most obvious reasons are the heavy fines that companies found to be non-compliant will incur, but asked the panel what are the other factors they saw that are making companies seek to comply. Reggie, speaking to his experience with DocuSign, noted that because many of their clients are banks, who are some of the companies who are under more pressure to be compliant, it makes sense for them to get ahead of GDPR. To do this DocuSign decided to get themselves ‘Binding Corporate Rules certified’.

Moving on to marketing practices, Hamish directed his next question towards Jenai, asking how GDPR is affecting the way business will have to approach their marketing strategies. Jenai argued that GDPR might not necessarily affect the strategies businesses are using, it will affect the ways they collect and use data. For example she noted that new marketing tools now need to be built with security systems as the standard from now on, to ensure that they comply with GDPR moving forward.

Hamish noted the fact that the EU will soon be developing new ePrivacy legislation, which will operate in the same way as GDPR, as a piece of extraterritorial legislation. With this in mind he asked, how did the panel rate the potential for the EU to enforce GDPR over US companies, given the challenges of international jurisdiction. Batya pointed out that some companies she has dealt with wonder about the EU’s feasible ability to enforce fines and punishments incurred by GDPR breaches, but as she pointed out, the EU doesn’t need to enforce fines to dramatically change your business, as they can simply cut businesses off from EU data.

The panel was in general agreement that there wasn’t necessarily such a thing as 100% compliance, and the reality was that what is more important for businesses is for them to have a defensible position of having made their very best efforts to become compliant, rather than perfect GDPR compliance.

Shifting to IT, Hamish asked John how he saw the technological challenges of becoming GDPR compliant, and how they can address these. John noted that GDPR compliance was not about buying a service or IT product off a shelf which will somehow make a company GDPR compliant, the reality is that GDPR is about putting systems in place that make sure data is handled properly at every stage. ‘there is no technological silver bullet for GDPR compliance’.

Referring to the recent developments regarding Facebook and Cambridge Analytica, and the fact that Facebook took 27 months to report the data breach, Hamish noted that GDPR now requires companies to report a data breach within 72 hours. He asked the panel if they thought that there was enough understanding over what constitutes a data breach given this incredibly short time frame.

Batya commented that although a lot of companies are getting systems in place for detecting data breaches, 72 hours is an incredibly short amount of time for companies to determine if an incident constitutes a data breach.

John noted that some companies have self-disclosed about non-GDPR compliant practices in an effort to avoid the heavier fines that come in when GDPR has been rolled out.

Reggie argued that companies should be more focused on their customers needs, saying that companies ‘have to take what’s in the best interest of the customer as the standard for decision making’.

The audience then sought to take advantage of access to the experts on the panel, as Hamish asked for questions from the floor, with topics including what constitutes personally identifiable information (PII) to the role of non-profit organizations in helping small and medium sized businesses to understand GDPR. The discussion was rounded out with a question about what some of the positives are that can come from GDPR. Reggie argued that legislation like GPDR can make you more efficient and secure, and can help address issues in your company that you didn’t know you had. Relating to his own experience he stated ‘DocuSign is undoubtedly a better company as a result of GDPR’

With that the discussion was concluded, and BABC executive director Jo Healey thanked the panelists and audience for coming, and the evening concluded with more food and wine, with some audience members taking the opportunity to speak more directly to the panelists about their own questions.

Thanks as always go to our sponsors Penningtons Manches, and NCC Group, to our excellent panel for their insight, to DocuSign for hosting us in their impressive headquarters, and of course to our guests. If you have any further questions about the event or our sponsors, please contact Maya Mancuso from Penningtons at Maya.Mancuso@Penningtons.co.uk, or Nick Rowe from NCC group Nick.Rowe@nccgroup.trust

Check out some of the photos here: