While the European Union’s General Data Protection Regulation (GDPR) became effective in May 2018, many corporate legal departments and law firms across the country remain focused on conforming to its far-reaching data protection and privacy mandates. In this episode of The Robert Half Legal Report, host Charles Volkert, senior district president at Robert Half Legal, is joined by two members of the company’s consulting solutions practice – managing director Joel Wuesthoff and director Samantha Kim. They outline critical requirements of the GDPR and discuss the challenges that many organizations face in their compliance efforts. They also offer helpful insights for global firms and discuss essential strategies to help them achieve compliance with the provisions of the GDPR.
Robert Half Legal Report
GDPR is now in effect: What are the next steps for legal teams?
Intro: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession, related to hiring, staff management and more, with leading experts in the field. Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Hello everyone and welcome. I’m Charles Volkert, Senior District President of Robert Half Legal and the host of our program. Our guests today are Joel Wuesthoff and Samantha Kim, two subject matter experts from Robert Half Legal’s consulting solutions practice.
As managing director, Joel is a former practicing attorney, Certified Information Systems Security Professional, and has more than 15 years of legal practice and consulting work in high-stakes litigation and government investigations.
Samantha is a director with Robert Half Legal’s consulting solutions practice based in New York City. She served as a deputy district attorney in the San Francisco Bay Area in both Alameda and Contra Costa counties, prior to joining Robert Half. She earned a law degree from the University of Santa Clara School of Law.
Joel and Samantha counsel our law firm and legal department clients on a broad range of risk management, information governance, e-discovery, data security, and privacy matters.
Welcome to you both.
Joel Wuesthoff: Thank you.
Samantha Kim: Thank you.
Charles Volkert: Samantha and Joel, thanks so much for joining me today to discuss the ongoing role that legal teams have now that the European Union’s very complex and far-reaching data protection and privacy legislation is in effect.
Many companies have spent significant resources, both financial and personnel, on developing and implementing policies and programs to ensure GDPR compliance. Today, Joel, Samantha and I will outline important next steps now that the GDPR is enforceable. We will explore critical obligations outlined in the law, discuss challenges that many organizations are facing in their compliance efforts and offer strategies to meet the regulation’s ongoing requirements.
Before I turn to Joel and Samantha, I’d like to offer our listeners a brief background on the General Data Protection Regulation, commonly referred to as GDPR, that became effective on May 25, 2018.
The regulation was designed to provide enhanced data protection and privacy for all individuals living within the European Union, and also to unify legacy legislation among EU countries.
Essentially, GDPR is intended to provide individuals with greater control over their private information amid the increasing risks of personal data exposure in today’s digital world.
Although the GDPR was enacted by the European Parliament and the Council of the European Union, it is enforceable worldwide.
Joel, to start us off, can you explain its implications and requirements on US-based companies?
Joel Wuesthoff: Of course, Chad. The GDPR was designed to impose specific obligations on companies worldwide to, as you said, protect personal information. I think it’s important to note that the language the statute uses is “data subjects in the EU,” and that’s to impress upon the reader the fact that the definition is as broad as possible.
It may be interesting to note that the GDPR specifically does not include deceased individuals, only living individuals. It applies to US companies with an EU-based presence, what is called a stable arrangement, and applies to customers, clients or employees. It surprisingly, or maybe not surprisingly, includes both electronic and paper data so long as it’s stored in a filing system.
There are some certain triggers that will loop in companies that do not have a stable arrangement in the EU and the test for that is whether or not the company offers goods and services to data subjects or monitors those data subjects.
Some of the examples of some general GDPR requirements or what is commonly known as principles include the concept of transparency essentially to be open about how a company collects, uses and shares personal data.
There’s the idea that use of personal data is limited, generally called a purpose limitation: you can only collect the information for a specific and legitimate purpose. You cannot use or share the personal data beyond those purposes without consent.
There’s another concept called storage limitation, and that generally applies to how long you can keep personal data. In other words the retention schedule for which the data may be kept. But there’s the concept of right to erasure or right to be forgotten. This is a fairly well-known principle where the individual can actually request that a company delete all information relating to their interaction with the company.
There is a second element related to the concept of the right to be forgotten; it’s called the concept of security, integrity and confidentiality of personal data. This includes a 72-hour notice obligation when a data breach occurs, and that breach notification has to be sent in certain circumstances both to regulators and to the data subjects.
The final two elements that I’ll mention are the idea of data protection, that certain companies are required to have a specific position within the company called a DPO or Data Protection Officer, and finally, there’s a fairly rigorous requirement to have third-party compliance requirements that are fairly extensive and obligatory on third parties, and those have to be memorialized in written form, Chad.
Charles Volkert: That’s great, Joel, obviously a lot of key elements go into this and companies need to be very mindful of all of those.
Samantha, what are the risks if a company is found to be non-compliant with GDPR?
Samantha Kim: That’s a great question. So, Chad, the GDPR outlines a series of potential penalties that they could face, and really it’s about exposing to the public whether there would be any type of data breaches, and so the way the GDPR outlines it is there could be potential fines and penalties, but those vary depending on factors.
So those factors are the nature of the violation. It could be the number of people impacted, the number of data subjects in this case. It’s going to factor in the type of damages that are suffered and whether this infringement was intentional. So they’re going to look a lot at whether these organizations started off by being compliant or non-compliant with the GDPR and how much of a loss of personal data actually is incurred, and then from there they will assess those penalties.
But, ultimately, the big risk that companies face is that they could be fined up to a maximum of 20 million Euros or 4% of the company’s annual revenue, and the European Commission decided to look at whichever value is greater in that case.
So, here, companies need to be very aware that there are serious risks and penalties for any kind of non-compliance where the GDPR has been moved forward.
Charles Volkert: Absolutely, very serious risks. Samantha, let me just stay with you: what are the most common areas of compliance that an organization may have overlooked as they prepared to meet GDPR requirements?
Samantha Kim: Sure, I guess the simplest thing that most companies overlook at the start is looking internally. I would say that most companies are more concerned initially with the public-facing side; however, if a lot of companies were to do an assessment and look at, for example, internal Human Resources, that is an area that most people don’t think to look at first. But if we look at the inception of when an employee, for example, starts with a company, that company begins to collect personal data.
So, a great example here would be if you are collecting résumés, for example, or in Europe as we refer to them as CVs, and on that particular CV you would have a lot of different personal data points, starting obviously with the name, date of birth, etc.
So, that’s a common place where companies aren’t necessarily thinking that we may start collecting information right away before someone even becomes an employee. So that’s one big area.
The second one I think that becomes overlooked is when companies don’t look outside of their systems and think about third-party vendors and/or contractors. So I think an area that companies should be focused on is the type of relationship that they have with different contractors.
For example, are they collecting information and passing it on to a third-party vendor or contractor? And if so, what are the ramifications of that?
So, I think, it’s really important when we’re examining the GDPR for companies to evaluate internally as well as externally, what type of information is being passed.
Charles Volkert: Interesting, so Samantha maybe along those lines what are the biggest challenges faced by legal departments and law firms in order to conform to GDPR requirements?
Samantha Kim: Yes, so I think there are some big challenges, Chad, and I think the challenge essentially starts with the actual collection of the data.
And what I mean by that is the GDPR does outline in the regulation itself how to do a proper data collection. So essentially what I would call a discovery, where all that data is living within a company, and I think most companies have started looking at that initial first step which is for the collection but then they need to proceed and take that discovery to the next phase and look at how that data is being processed, how it’s being stored and how it’s being shared.
So to face all of that I think is one big challenge, and I think some companies have taken it head-on while other companies have taken the slower route if you will, and the nice thing is that the GDPR does outline for you after the initial discovery and collection of the data what else must be done.
And another area that’s a big challenge I would say is how does that data get transferred. So sitting here in the US we need to have some type of mechanism and/or contract with companies in Europe in order to transfer the data.
So some of the examples I would use are that they would have to have an addendum or a model contract or what’s referred to as binding corporate rules in place, in order for there to be a safeguard for the amount of information that’s crossing the pond, as I say. And so we need to make sure that these transfer mechanisms are in place before large amounts of information are transferred back and forth.
I would say another big hurdle or challenge is companies that may have EU-based employees. So let’s say they’re a US company but they have employees overseas. We need to again look at the information and where it’s sitting. And as Joel mentioned earlier, the GDPR is going to provide this new right to the data subjects themselves.
So what I mean by that is an employee that is residing in Europe can say to a company I would like to access my data as far as what you have, I would also like to have it removed, which is the right to be forgotten. And they have that right to give the consent in the first place but also to take it away if you will.
So there are several challenges that companies will face and those are just to name a few.
Charles Volkert: Excellent. Thank you Samantha and thank you Joel.
We will return to our discussion about maintaining ongoing compliance with the GDPR after a quick break.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings, and improve the overall management of human resources.
We offer a wide range of resources to assist hiring managers and job candidates, including our annual salary guide, industry-leading workplace research and valuable interactive tools. For more information, call us at 1-800-870-8367 or visit roberthalflegal.com.
Charles Volkert: Welcome back to the Robert Half Legal Report. I’m Chad Volkert and joining me today are Joel Wuesthoff and Samantha Kim, both from the Robert Half Legal Consulting Solutions Practice.
We’ve been talking today about the impact of the European Union’s General Data Protection Regulation and important next steps that legal teams should be focusing on now that the regulation is in effect.
Joel and Samantha, before the break you outlined how legal professionals are tackling some of the more challenging obligations set forth by the GDPR, I’d like to expand on our discussion now about legal’s overall responsibilities with regards to the regulation.
Earlier this year we saw teams comprised of multifunctional specialists including security, privacy, IT, HR, legal professionals and others working to prepare organizations for GDPR readiness. With the law now in effect, Joel, what are your thoughts on what specific role legal plays with regards to GDPR compliance?
Joel Wuesthoff: It’s a great question, because I think a lot of people assume that this is a static law and things won’t change or things won’t be interpreted, but the fact is that while it is binding legislation there are a wide variety of interpretive guidance that will come either from regulators in their opinions or their sanctions, but will also come from private or civil litigation that will give us more context.
The unique thing about the GDPR, which is similar to the Federal Rules of Civil Procedure in the United States, for instance, is that there is both the text of the rules and then there is interpretive guidance, or Advisory Committee notes, that informs the scope of the particular regulation. So one needs to look at both the articles and what are known as recitals, and then opinions from the regulators. And I think the role where a lawyer comes into play, to your question, is serving that advisory role: keeping track of how these opinions, how this ongoing guidance from regulators and from civil litigation, impact the operationalizing of the law within their clients.
So I think, in terms of role, legal has to take a leading role if not an ownership role to ensure compliance with the law. Certainly they have to identify the risk to the organization if it’s found non-compliant, and Samantha discussed some of that exposure; this isn’t just with respect to privacy, but it’s also security, records retention, e-discovery and litigation. There are a number of different risk minefields that lawyers can help navigate.
Certainly with respect to impacted law firms with either EU-based clients or employees or customers, the corporation must develop, with the guidance of counsel, and monitor the policies, procedures, practices and controls to ensure compliance and to make sure that when a regulator knocks on their door they will be able to showcase and demonstrate that not only do they have these policies in place but they are functional.
And so again, as Samantha mentioned earlier, during discovery one must ensure that there’s proper collection, processing, storage and sharing of the data, both consistent with legal requirements but also with respect to the rights and freedoms of individuals, and be able to balance those interests across the various stakeholders.
A few final notes downstream: as we’ve alluded to, there’s this idea of ongoing responsibility for data or data discovery and implications between conflicts of laws, EU regulators, US regulators, EU courts and United States courts, so there must be overall management and guidance by outside counsel, a critical role.
And I think in sum there are multiple other areas, not least of which is how other countries such as Brazil, China, Japan, etc. integrate, align or conflict with the EU’s version. So these are critical places for the lawyer to provide substantive advisory services, Chad.
Charles Volkert: Great points, Joel, thank you.
Samantha, can you suggest strategies to help organizations manage and sustain compliance with GDPR mandates?
Samantha Kim: Absolutely. I would say the best strategy right now is to begin the actual collection and organization of all this data within the company, and I would say ongoing governance is the next strategy I would advise most companies. What I mean by that is, after beginning to organize the collection of all of the data, it’s important to have key figures within a company to have oversight, to keep the sustained momentum of data privacy within an organization.
So how that would work is to have regular review of the current policies in place. A lot of companies, as most people are aware even in their own regular day-to-day usage, have published updated privacy policies and/or things such as cookies policies. And I think it’s important for companies to keep checking the law and make sure that they’re up to date as far as what those policies need to entail and include. Also I think it’s important to do periodic stress tests to identify if there are any gaps in compliance. I think that’s important to do every six months to a year, probably. And once those gaps are identified, to immediately take action. And as I mentioned, if you were to have a point person it would make that a much smoother process.
Also as I stated earlier, when we do that collection I think it’s important to maintain accurate records of that collection and what we call a data inventory of all the personal data. So I would definitely recommend having a record in place in a central location that everyone in the organization can access. And that means having all departments such as Marketing, Sales, HR, Legal, IT, all able to go in and access where all of this information is or is not sitting.
I also think it’s important to have necessary protocols for any information that might be paper-based. As Joel mentioned earlier, it does apply not only to digital information but also to paper that is in a filing system.
So I know a lot of companies have things that may have been retained much longer than the retention schedule of the standard five to seven years.
So I think it’s important to go through and figure out what is necessary to keep and what’s not.
Along those lines, another key strategy I would suggest is just having ongoing training for in-house employees and making sure that they’re aware that the different policies are ever-changing, and to ensure that people are also given a lot of notice within the company so that they know how this law is impacting them and their client base.
Also, to continue to have regular internal audits I think is very important, and with that there should be systems in place to deal with any type of data breaches. And I think those are good ways for companies to ensure that they’re keeping up with the latest laws within the privacy realm.
Charles Volkert: Great suggestions. I appreciate that, Samantha. Well, unfortunately it looks like we’ve reached the end of our program for today. We covered a lot of information and I’d like to thank both of you, Joel and Samantha, for joining us and providing very helpful insights.
Before we close I’d like to let the audience know how they can contact you and where they can obtain more information. Joel, Samantha, if you could share your contact information.
Joel Wuesthoff: Of course. So this is Joel, my email is [email protected].
Samantha Kim: And to reach me, my email is [email protected], and thank you Chad, it was a pleasure.
Charles Volkert: Thank you Joel, thank you Samantha. Our listeners can of course reach me at [email protected]. And you can also visit the Robert Half Legal website for additional information on legal career and management resources, including our latest salary guide for legal professionals, at roberthalflegal.com.
Thanks again, Joel and Samantha and to our entire audience for listening today.
Join us next time on the Robert Half Legal Report as we discuss important trends impacting the legal field and legal careers.
Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Robert Half Legal, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice; as always consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects highly-skilled candidates with the best positions in the legal profession.
If you liked what you heard today, please remember to rate us in Apple Podcasts; also, follow Robert Half Legal and Legal Talk Network on Twitter or Facebook.
Join us again for the latest information in the next edition of the Robert Half Legal Report, here on the Legal Talk Network.
Robert Half is an equal opportunity employer including minorities, females, people with disabilities and veterans.