At this year’s UCL course on IP Transactions, many of the speakers commented to IP Draughts about how busy they were, advising clients on the EU General Data Protection Regulation (GDPR), which is due to come into force later this month. Except for one lucky speaker who said that her firm had a separate department dealing with such matters.
For many IP lawyers, it seems to go with the territory to advise on data protection issues. Perhaps it is because they are really IT and IP lawyers, and GDPR is part of the regulatory regime that protects the “I” part of IT. Or perhaps it is because data protection laws are EU laws, and who better than an IP lawyer to advise on EU laws, when most of the IP laws in the UK are at least tinged with EU influence, even if they are not directly derived from EU legislation?
IP Draughts is not immune from this trend, and has recently been the partner-in-charge of several GDPR projects, advising clients on compliance with the new regime, or revising contracts to take account of the new law. Fortunately we have some GDPR gurus within the firm, so that IP Draughts can be “young Mr Grace”, wheeled out as a figurehead, but sometimes a bit redundant when the detailed discussion starts.
He has picked up enough on the subject to recognise the issues that seem to come up time and again. This is fortunate, as he has agreed to be the moderator of a panel discussion on data protection at an American Bar Association conference in Copenhagen in June.
IP Draughts would appreciate your help, dear reader, in putting together a list of incisive questions (or themes) to ask the panellists, who are a mixture of US and European lawyers and data protection managers. Here are some crude, general questions to get us going. Under the new regime:
- Is the definition of personal data broader than at present?
- Should organisations rely on consent, or another lawful basis for processing? Is consent less likely to be used under the new regime than it is at present?
- Are existing consents going to be sufficient to comply with the new law, or will we need to get fresh consents?
- Can you rely on more than one lawful basis of processing? Eg if you start off with consents, but the consents are not compliant, can you switch to another basis of lawful processing as a back-up?
- Is it realistic to suggest that employees can give consent freely to their employer? Won’t they feel pressurised to give consent and won’t this make the consent invalid under GDPR?
- Do we need to rewrite our privacy statements? Can we rely on small print on website terms and conditions, and if not how “in your face” do we need to be?
- If you make the right noises, and try to institute new processes to comply with GDPR, will that get you off the hook if the regulator knocks on your door, even if your processes are not, in fact, compliant? Is the sensible course to treat GDPR a bit like many companies treat health and safety issues – going through the motions, without conviction – until you see some case law that shows you exactly what you need to do?
Are these questions on the right lines for a panel discussion? Or should IP Draughts take a different approach? Assume that 60% of the people attending the conference are US lawyers and 40% European, and that some, perhaps many, of them will not have much clue about the subject.