As the deadline for General Data Protection Regulation (GDPR) compliance quickly approaches, it is important to determine what ramifications the GDPR will have. While the GDPR was the EU’s attempt to address ambiguities within the Data Protection Directive, some aspects of the GDPR remain unclear. Only time will tell how these GDPR ambiguities will be resolved, but GoBuyside thought it prudent to flag these uncertainties to ensure understanding of the regulations. GoBuyside is a 21st century recruitment platform that connects private equity firms, hedge funds, alternative investment managers, advisory platforms, and Fortune 500 companies with top talent from around the world.
Perhaps the biggest question about the GDPR that has yet to be answered, and one that cannot be answered until the regulations take effect on May 25, 2018, is how the GDPR will be enforced. The Information Commissioner’s Office (ICO) will be primarily responsible for enforcing the GDPR and has historically preferred encouragement and education as its means of implementing data protection requirements. In fact, the ICO’s total fines issued in 2017 only reached a meagre £3.1 million. This contrasts starkly with the potential £20 million fines or 4% of annual global turnover for non-compliant organizations under the GDPR.
The mere threat of such hefty fines should be enough to motivate compliance. But it is hard to believe that the ICO would render companies bankrupt. The penalty provision of the GDPR states that fines will be effective, proportionate and dissuasive. Only time will tell how supervisory authorities will administer such penalties. No matter how hard the compliance hammer strikes, GoBuyside is committed to filling all your human capital needs while navigating the uncharted GDPR waters.
Brexit has thrown another curve into determining the scope of the GDPR. While organizations located outside of the EU that offer goods or services to, or monitor the behavior of, EU citizens will be subject to the GDPR, it is unclear whether companies doing business in and with Britain are bound by it. Surely, British companies that offer goods or services to, or monitor the behavior of, EU citizens will be subject to the GDPR. But what about companies that exclusively use the data of British citizens: will they be subject to the GDPR? The answer to this question partly depends on whether Britain successfully leaves the union in March 2019.
Controversies over data portability, the one-stop shop, and required data protection officers can be seen throughout the trilogue meeting process. For those of you unfamiliar with the European Union’s legislative process, trilogue negotiations are a mechanism used when the Council of the European Union cannot agree on the amendments offered by the European Parliament during the second reading of a proposed law. At such a point the European Commission acts as a mediator between the Council of the European Union and the European Parliament to resolve any discrepancies within the proposed law. The GDPR was not without such controversies.
With regard to data portability, it seems that the Commission, Council and Parliament had a hard time reconciling their differences as a result of the varying draft proposals. All of the draft texts applied portability to data provided by the data subject. But the language coming from Parliament only required direct transfer when it was technically feasible and available. Some say this will undermine the provision’s effectiveness if companies do not improve their technical capabilities when attempting to become GDPR compliant. Critics on the other side of the coin say that forcing such a broad data portability scope will lead to higher costs and effort in industries with no customer lock-in.
Further dissension can be seen between the three EU bodies with regard to the one-stop-shop feature of the GDPR. One of the primary purposes of the GDPR was to harmonize the data protection laws among the EU member nations, but this is easier said than done. The debate throughout the varying drafts of the GDPR revolved around a data subject’s ability to seek redress for any data protection rights that may have been trampled. The Commission proposed that multi-nation controllers and processors be subject to the supervisory authority of their “main establishment”. The Parliament adopted a version that not only gave authority to a lead DPA for multi-nation controllers and processors but also required the co-operation of all concerned DPAs. The Council’s general version of the one-stop shop provided that any DPA with the competence to enforce the GDPR within its state will do so and will also share all information with every concerned DPA.
No matter how such controversies and ambiguities are resolved, GoBuyside is ready to provide qualified, talented individuals to your organization to ensure that you are ahead of the curve when making GDPR-related policy decisions.
The most up-to-date information can be found by following GoBuyside on Facebook.