GDPR compliance & strategy


Financier Worldwide Magazine

May 2019 Issue

Since it came into force in May 2018, the General Data Protection Regulation (GDPR) has had a significant impact on personal data protection. While many companies within the regulation’s scope are fine-tuning their strategies in order to ensure compliance, others are still playing catch-up. With the GDPR likely to be a hot topic for years to come, companies that lack robust compliance policies may need to allocate more resources to plug gaps to avoid the penalties associated with non-compliance.

Heimes: Based on your experience, how have companies been responding to the requirements of the EU’s General Data Protection Regulation (GDPR) since its introduction in May 2018?

Gu: According to recent TrustArc research, 74 percent of companies expected to be compliant with the General Data Protection Regulation (GDPR) by the end of 2018. In order to be compliant, companies must examine their business processes. The GDPR will have a significant impact on personal data protection, and as such companies must ensure that they handle and store data responsibly from now on.

Garcia-Maurino: Business-to-business (B2B) companies have spent significant time revisiting their standard terms and conditions in order to incorporate the content required by Article 28 of the GDPR and in negotiating them with their customers. Business-to-consumer (B2C) organisations have focused more on ensuring that they obtain and log evidence of consent for data processing and on setting up processes to manage compliance with data subject rights. Both have struggled to identify the IT tools that process personal data and to implement proper governance frameworks, including the appointment of data protection officers (DPOs) where necessary.

Tantleff: I am still amazed by how many companies do not have a basic awareness of the GDPR. For those aware, we are seeing a modest effort in respect of their investment in GDPR compliance. However, numbers do not lie, and just about every survey indicates that for many companies there is still a long way to go. For those companies with an active GDPR compliance programme, we are seeing a level of effort that generally aligns with the nature of the processing and sensitivity of the data. As to be expected, some organisations become a little overzealous, and others take a much more conservative approach. Clearly, a number of companies have taken a wait-and-see approach and are looking to their peers in order to see how the GDPR is being interpreted and implemented and how it will impact their business.

Patrikios: There are currently two types of companies from a GDPR-readiness point of view: companies that invested time and effort in getting GDPR-ready; and companies that did not. Since the GDPR came into force in May 2018, most companies in the latter group commenced belated efforts to get GDPR compliant, and are currently still working on it. For companies in the former group, ‘GDPR Business As Usual (BAU)’ has been mostly about fine-tuning the compliance solutions that they put in place in the run-up to 25 May 2018, to ensure that they fit the reality of their business operations.

Most of the privacy risks that organisations face are the result of poorly designed systems, from a privacy perspective, and fixing them at the end of the development cycle may be expensive and, in some cases, impossible.
— Carlos Garcia-Mauriño

Heimes: Could you outline the specific challenges that companies have been wrestling with over the past year? To what extent did many underestimate the requirements of GDPR compliance?

Garcia-Maurino: The inventory of IT tools that process personal information has probably become the most challenging GDPR obligation. Also, management of the supply chain has become a much more complex task than many had initially expected. To begin with, it requires companies to identify which of their suppliers process personal data as part of the services they provide. This is often far from evident, and in many cases the determination made by the organisation is challenged by the supplier, which denies being characterised as a ‘data processor’. In other cases, the supplier pushes back on the organisation’s terms and conditions and proposes its own, initiating a protracted, and often frustrating, ‘battle of the forms’.

Tantleff: While challenges have varied, there are a few that seem to be more common, such as understanding the applicability of the GDPR, accounting for third parties, volume of data to be accounted for, and many additional, vague requirements. Some companies have noted that they do not have the resources to either evaluate or track all the processes and systems that are involved in the processing of personal data, from creation through destruction. Some companies have admitted to having difficulty in being able to gain oversight of their data, resulting in difficulty with their compliance efforts. Others have acknowledged the resource-intensive nature of this process and are doing the best they can. While some companies struggle with managing their third parties who may process data on their behalf, not all such vendors agree that the GDPR applies to them or they disagree as to its impact, creating friction between data controllers and processors. This creates a dilemma, especially where the vendor plays a critical role in the processing of data for an organisation.

Patrikios: Depending on their type of business, sector, size and footprint, companies have been dealing with different challenges. It is clear that some companies underestimated the requirements of GDPR compliance. This is not a surprise, given the high standards the GDPR sets and the scarcity of regulatory guidance, enforcement action and court judgements on GDPR matters. Although not every company faces the same challenges, it is fair to say that most face some form of challenge. For example, some data-intensive businesses struggle to find a practical and efficient way of keeping data processing records up-to-date. Some types of businesses struggle with the number of data subject requests that they are receiving. Most companies seem to struggle with the tight personal data breach notification requirements. Others struggle with the impact of the GDPR on marketing rules set out in the Privacy and Electronic Communications (PEC) Directive.

Gu: The biggest challenge for companies attempting to comply with the GDPR is how they actually test their internal applications and systems that store personally identifiable information (PII). Companies must be very clear about this, and must ask a number of questions of their various departments. For example, does the business process contain personal data? Is the data held sensitive? What is the purpose for the collection of the personal data? What is the quantity of personal data stored? Do any employees have access to any personal data on mobile devices? Has any personal data been transferred or shared with a third party? Does the processing include profiling of individuals?

Heimes: How would you characterise the role that technology has to play in achieving GDPR compliance and alleviating data-related concerns?

Tantleff: Technology has helped companies achieve and maintain compliance more efficiently in several key areas. For example, with respect to data mapping, technology has been able to quickly transform a resource-intensive practice that often yielded a static, non-comprehensive map of an organisation’s data into one that can be automated, maintained on a real-time basis and used to demonstrate compliance. Privacy impact assessments are another area where technology and automation have taken a once laborious process and streamlined it, enabling companies to have rapid insight into any compliance gaps they may have, which often include remediation actions. Finally, data subject access requests have seen a complete shift in their handling.

Gu: According to the GDPR, data controllers are required to implement organisational and technical controls, taking into consideration the risks involved, and regularly test and evaluate those controls. Some of the risks include the unauthorised disclosure, loss or alteration of personal data. Suggested controls include encryption, pseudonymisation and only allowing controller employees to process personal data. The security measures implemented should consider the cost, technological developments, the “nature, scope, context and purposes of processing”, and the risks to the rights and freedoms of the data subjects. The company’s information security programme should also focus on the confidentiality, integrity, availability and resilience of the systems and services processing the personal data. This also includes the ability to restore access to, and availability of, personal data after a security or other incident. So, technology plays a critical role in achieving GDPR compliance.

Patrikios: Technology is already a part of companies’ GDPR compliance solution and, as technology and artificial intelligence (AI) solutions improve, will become an increasingly bigger part of the overall solution over the next few years. In the longer term, technology and automation will be an essential component of efficiently managing the operational burden of GDPR compliance. From deploying e-discovery solutions for data subject access requests (DSAR) to using technology platforms to efficiently manage contract re-procurement exercises, and from automated processes, such as data subject requests intake portals or privacy preferences dashboards, through to privacy programme management solutions, data mapping solutions or privacy assessment solutions, technology is part of the compliance solution for many companies.

Garcia-Maurino: When prioritising GDPR compliance activities, ‘privacy by design’ is often overlooked. Most of the privacy risks that organisations face are the result of poorly designed systems, from a privacy perspective, and fixing them at the end of the development cycle may be expensive and, in some cases, impossible. Responsible and transparent ‘privacy-friendly’ designs of new applications and systems will facilitate compliance much more effectively than ‘after-the-fact’ compliance procedures which rely on humans to be enforced.

By consolidating the customer data repository into a single, central repository, outside other systems, the ability to manage data becomes much easier.
— Aaron K. Tantleff

Heimes: In your experience, how difficult has it been for companies to align their existing systems with the requirements of the new legislation? What strategies are being deployed in this regard?

Patrikios: Considerable effort is invariably required to ensure existing systems are aligned with the GDPR. How much effort, or even the feasibility of such alignment, depends on the type and size of organisation and the type and number of legacy systems. Multinational organisations with significant numbers of old legacy systems find this exercise more challenging, including in relation to having a single view of all data held about an individual, data minimisation or even data retention and deletion.

Garcia-Maurino: Many companies have taken the view – indirectly supported by the views of some data protection authorities (DPAs) – that legacy systems are subject to a sort of grace period and that they would not be the primary target for enforcement. Rather than investing in bringing them into compliance, they are waiting for their natural replacement by a more advanced solution within the short to mid-term. Although the GDPR does not afford different treatment to legacy and post-GDPR solutions, it is reasonable to expect a more lenient treatment by the authorities in cases of infringement of GDPR obligations. This said, organisations should thoroughly review their pre-GDPR systems and identify and mitigate major non-compliance situations, especially for those that handle sensitive data.

Gu: It is not easy to align all existing systems with the requirements of the GDPR because data is often spread out across many different systems and locations. But companies need to define a good alignment strategy. The first step is to create a checklist for internal systems, including name, location, whether the data is classed as PII, and the amount of PII in question. Companies must then complete the checklist to proceed to the next step. This process will be much easier if companies already have the checklist in place, as they can then review any detailed compliance requirements.

Tantleff: Aligning existing systems depends upon the organisation, as well as the nature of their infrastructure. Some organisations that previously relied upon cloud-based vendors had difficulty in aligning providers and achieving compliance under the GDPR. At that time, very few cloud providers were compliant with the GDPR. For example, while many providers encrypted their customers’ data, providers generally did not provide their customers with the encryption keys to their data. Some cloud vendors had systems that were not capable of accepting strong passwords, and in some cases, were not capable of accepting a password at all. In other cases, systems were not properly secured or employing an adequate level of security or capable of talking with other third-party systems.

Heimes: How important is it for companies to collect their data into a centralised system, governed by appropriate access controls?

Garcia-Maurino: Data privacy considerations should always be front of mind for IT teams that design and administer the IT infrastructure of any organisation but, at the same time, they should not get in the way of letting organisations design their systems in a way that is more efficient, from both a performance and cost perspective. From a privacy perspective, the centralisation of IT systems does present several significant advantages but, in addition to not being a GDPR requirement, it may not be the best solution for some organisations. No matter how an organisation structures its IT systems, it should always ensure that the key tenets of privacy are respected and that fundamental cyber security principles are built into its systems.

Gu: Companies should ensure that their data is collected in a centralised system and in a compliant manner. A centralised system can store all the required data, and provide insights which will allow legal, compliance and cyber security teams to understand how to implement, review and audit these control measurements in a way which is compliant with the GDPR.

Tantleff: Having a central repository for all data would be a better solution than a decentralised data repository. By consolidating the customer data repository into a single, central repository, outside other systems, the ability to manage data becomes much easier, and, as an added bonus, it is often easier to replace various systems and programmes, as there is no longer a risk of losing customer data. With respect to the GDPR, if one does not have a centralised database, the ability to respond to data subject access requests may be overly burdensome or even impossible, therefore risking the ability to comply with such a request under the GDPR. The centralised repository also enables a company to be able to implement system-wide controls, making it easier to define and enforce rules in compliance with the GDPR.

Patrikios: There is nothing in the GDPR that requires all data to be stored in a centralised system, provided that companies can locate, isolate, extract, deliver and delete all the data they hold about an individual across various systems. I would suggest that putting all your data in one centralised system should be carefully assessed from a cyber security and business continuity point of view. Put simply, a large central database would be a tempting target for malevolent individuals.

The cost of compliance is counterbalanced, and possibly outweighed, not just by financial and reputational damage arising from non-compliance, but also by the fact that GDPR-compliant data is ‘better’ and more valuable data.
— Antonis Patrikios

Heimes: To what extent do the costs associated with GDPR compliance pose a significant challenge for businesses? To what extent are such costs counterbalanced by the potential financial and reputational damage arising from non-compliance?

Patrikios: There is no doubt that GDPR compliance requires significant investment. For some companies, such as big, high-tech data businesses, the required investment is huge. However, there is no doubt that this is an investment worth making – not only because the requirements of the GDPR are mandatory legal requirements with significant sanctions and reputational damage for compliance failures, but also because GDPR compliance and good data privacy hygiene increase the value and reliability of data assets. In other words, the cost of compliance is counterbalanced, and possibly outweighed, not just by financial and reputational damage arising from non-compliance, but also by the fact that GDPR-compliant data is ‘better’ and more valuable data.

Tantleff: Compliance with the GDPR is not cheap. Many companies are spending $1m or more on compliance, with some having costs that exceed $10m. On the other hand, a fine under the GDPR can reach 4 percent of global turnover or €20m, whichever is greater. However, penalties are only part of the equation. In addition, a company may also face losing customers, losing revenue, reputational damage and may be at risk of class action litigation. While penalties, such as a fine, can be paid straight away, others can take years to overcome, such as restoring a battered reputation.

Gu: It is clear that achieving GDPR compliance will be particularly costly for many businesses. Companies will need to invest money into establishing DPOs and cyber security teams who understand the GDPR. DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications and seals, and information security standards certifications. And the cost will certainly increase if companies do not have a strong internal support team for cyber security or if they already know they need to fix a lot of gaps.

Garcia-Maurino: Much has been written and spoken about the future enforcement of the GDPR, and, in particular, the magnitude of the potential fines to be levied against companies found to have breached it. Given the significant challenges that the DPAs are experiencing in coping with their new responsibilities, it is unlikely that the number of enforcement actions exceeds a nominal number during 2019 – maybe a few dozen out of millions of small, medium and large companies across the European Union (EU). That said, investment in compliance must not be driven only by fear of fines but also by the realisation that citizens in the EU are expecting more from the companies they work in or with. Investment in privacy compliance helps to build reputation and trust and should not be seen as an unproductive expense. In particular, DPAs should not create an environment that makes small and medium enterprises (SMEs) invest unreasonably in privacy protection at the expense of their competitiveness.

Heimes: In your opinion, how much of a concern have the penalties for a GDPR breach been for businesses so far? Is this likely to change?

Tantleff: It would be wrong to believe that just because earlier penalties were smaller than expected under the GDPR, that the impact and enforcement of the regulation will not be significant going forward. In the early days, regulators were more focused on education and offering leniency with regard to implementation of the GDPR, subject to reasonable and demonstrable efforts thereof, as opposed to penalties. But now, as we approach the first anniversary of the GDPR, we are seeing an increase in fines and less tolerance for a lack of compliance. However, if a company is not compliant by now, the best thing to do to minimise the impact of a penalty is to have a plan in place that demonstrates that reasonable compliance efforts have been made.

Gu: The potential fines to be levied for a breach of the GDPR – up to €20m or 4 percent of global turnover, whichever is greater – have created a new sense of urgency governing the way data owners manage the information in their care. According to a report from Information Age regarding GDPR implications for employers when employee data breaches occur, “If proper checks are not done, then they will be negligent and be held responsible for any losses an employee suffers as a result of a breach”.

Garcia-Maurino: The hefty fines applicable under the GDPR have certainly made a difference in terms of how organisations approach GDPR compliance and have elevated GDPR to the C-suite and the boardroom. DPAs are aware of this and also of the risk of losing momentum if, during 2019, they do not enforce GDPR aggressively. News of sanctions will reach the media and make headlines, particularly if the organisations targeted are well known. These sanctions will possibly drive additional waves of compliance effort by organisations, which will likely be more focused on the specific activities or accountability mechanisms identified by the DPAs as the ‘gold standard’ through their enforcement actions.

Patrikios: Everyone has paid attention to the fines imposed by the GDPR, and the words ‘4 percent’ have helped focus the minds of senior executives and board members on investing in GDPR compliance. However, for most companies, it should not be a fear of fines that drives their GDPR compliance efforts. A better approach is to look at GDPR compliance as the road to preserve, and in fact increase, the value of their data assets and strengthen their relationship with data subjects in a way that promotes trust and strengthens a company’s brand. That said, regulators have made it clear that they intend to enforce the GDPR, using their significant fining powers when required, and some companies should be concerned.

The potential fines to be levied for a breach of the GDPR have created a new sense of urgency governing the way data owners manage the information in their care.
— Great Gu

Heimes: Given the growing cyber threats and data security concerns around the world, how important is it for companies to establish effective network defences and systems in order to meet GDPR obligations?

Garcia-Maurino: Personal data is just a subset of the data that any organisation needs to run its business, and cyber security is often listed as one of the key concerns of the C-suite, and rightly so given the threats that many organisations are subject to. Therefore, businesses need to up their game in terms of the protection they offer to their data ‘crown jewels’ – a category which personal data should always be part of. Lack of appropriate security will be perceived as an indication of a more systemic lack of ‘accountability’ in the protection of personal data, and this will be considered by the authorities as an aggravating factor that will influence any enforcement decision.

Patrikios: Effective defences are essential. First, because an effective data security defence is a requirement of the GDPR and, historically at least, data security failures lead to fines and significant reputational damage. Second, and perhaps more importantly, beyond legal obligations, companies have a business interest to protect their systems and data assets. So, cyber security compliance and preparedness is absolutely crucial, and has two broad elements: have in place appropriate technical and organisational security measures to protect systems and data, and be ready to deal with security incidents swiftly and efficiently by having a rehearsed incident response plan in place.

Gu: The growth of cyber threats and data security concerns is pushing companies to establish an effective framework to reflect compliance with the GDPR. Privacy as the default setting should be considered at the earliest stage. ‘Privacy by design’ will enable companies to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. If an individual does nothing, their privacy will remain intact. Indeed, no action is required on the part of the individual to protect their privacy; it is built into the system, by default.

Tantleff: Notwithstanding penalties, a data breach could spell trouble for an organisation in the form of litigation, not to mention reputational harm that is likely to impact business operations. In many instances, regulatory fines are the least expensive aspect of a breach. Given that Article 5 of the GDPR requires one to ensure the processing of data includes appropriate security of data, it gives rise to the assumption that companies should take a risk-based approach to protection. As the threat vector continues to rise, security posture must also rise to meet the evolving threats.

Heimes: How extensive a role do senior management teams need to play in the GDPR compliance process? What steps do companies need to take to ensure that GDPR compliance is comprehensive and wide-ranging, and includes all members of staff?

Gu: According to the GDPR compliance process, not only should senior management be involved, but also all European staff should be engaged in compliance. Any organisation holding personal data on EU and European Economic Area (EEA) citizens and residents needs to have legal grounds to do so, for example have a legal or contractual obligation or the person’s consent, and comply with the six key principles. Along with the significant financial penalties, a breach of the GDPR can potentially cause serious reputational damage. Clearly, senior management teams should lead GDPR compliance, and must create and provide a full breakdown of all the feasible tasks to all business units, for example collecting personal data, creating an inventory of the data held and leading the GDPR training programme.

Patrikios: Senior management has a crucial, albeit not necessarily extensive, role to play in the GDPR compliance process. The extent of the involvement of senior management will depend on the type, size and culture of the organisation. The chief executive of a global bank will obviously not have extensive involvement in GDPR compliance. The chief executive of a growing data business, however, is likely to have much more extensive and hands-on involvement. Invariably, privacy functions within companies need senior management buy-in, as only senior management can provide the necessary backing and funding, and unlock any obstacles to GDPR compliance. In most companies, senior management will also be a ‘privacy’ or ‘GDPR’ champion, helping the privacy function in its efforts. Finally, senior management will often need to be part of the GDPR compliance solution, for instance by providing a reporting line for the company’s DPO and participating in incident response efforts if the company suffers a major data breach.

Tantleff: Having a GDPR champion among senior management is critical to the success of any GDPR implementation programme, including making it clear to the organisation that compliance with the GDPR is important. Given the potential negative consequences stemming from non-compliance, ensuring oversight from the top down is critical. Ultimately, while day-to-day activities may reside with others, senior management needs to ensure there is an established data protection programme in place, that policies and procedures are regularly reviewed and updated, and that individuals are made aware of their rights and freedoms and how their data is processed. Senior management also needs to audit its data privacy and security protections, as well as ensure that training is conducted effectively and that all third parties are compliant with the GDPR.

Garcia-Maurino: Senior management must drive GDPR compliance efforts, not just passively support them. For those organisations that appoint a DPO, the legal obligation is that he or she should be able to report periodically, and whenever necessary, to the highest management level of the controller or the processor. That way, senior management will not be able to argue that it was unaware of the risks if they had been informed by the DPO. Tone must be set from the top and senior management must be perceived as being genuinely interested in getting privacy right, rather than just going through a formal ‘tick box’ exercise. In addition to the creation and implementation of all required privacy policies, employees should be provided with regular training. Furthermore, awareness campaigns, tailored to the company’s specific business activities, should top the list of GDPR compliance activities of any organisation.

Heimes: What essential advice would you offer to companies on continually refining their GDPR strategies to minimise disruption to their operations? What additional benefits might this process yield?

Patrikios: A structured privacy compliance programme that goes above and beyond a one-off GDPR readiness project, approaches privacy holistically within the organisation and approaches privacy compliance as an ongoing effort of constant improvement and alignment of privacy compliance efforts with the organisation’s business strategy, is the best approach. A well-run programme ensures that the approach to privacy compliance is tailored to the organisation, aligns with the business strategy and reduces disruption to the business operations and makes compliance less labour intensive. It also means that an organisation is likely to achieve higher standards of data privacy, including GDPR compliance.

Tantleff: Everyday compliance with the GDPR does not mean updating online privacy policies to demonstrate GDPR compliance; it is more than that. It is critical to conduct a data mapping exercise, and yet it is amazing how often companies ignore this step. By not inventorying your data or knowing where it is or where it flows, how can you properly protect it, comply with obligations under the GDPR or be in a position to provide timely notice? A data map guides much of the compliance process, as it highlights areas that may be more problematic under the GDPR. Communication and training also go a long way to minimising disruption. Another helpful tip is to talk with other organisations and be willing to share best practices.

Garcia-Maurino: It will take a few years before the dust settles and most of the current uncertainty about what is ‘appropriate’ compliance is dispelled. DPAs will continue to issue guidance and the courts – both national ones and the European Court of Justice – will adjudicate on the cases brought before them. As a result, the GDPR compliance plans put hastily in place last year will need to be constantly adjusted and improved. A strong privacy team, led by a pragmatic DPO and supported by privacy champions in different business units, is critical to be able to ingest all these new inputs and turn them into risk-based and actionable operational obligations.

Gu: A company’s GDPR response strategy should be continually refined, in line with the development of new technology and in light of the ongoing digitalisation of business models. The emergence of the Internet of Things (IoT), artificial intelligence (AI) and Big Data have all had an impact, fracturing data stored into smaller volumes. Companies must understand that they must receive people’s consent in order for their personal data to be processed, accessed or modified, either by the company itself or a third party.

Heimes: How do you envisage GDPR compliance evolving in the years ahead? Is failure to comply likely to be an increasingly risky proposition going forward?

Garcia-Maurino: The implementation of the GDPR marks the dawning of a new era for data privacy protection; it is the result not only of some legislators’ bright ideas but also of a heartfelt demand from citizens. Compliance must be effective and demonstrated visibly to all stakeholders. Over time, citizen-customers will make buying decisions based on their perception of how organisations protect their data. Governments have a key role to play, of course, especially with the younger generations, educating them about the responsible use of new technologies. Eventually, a lack of compliance may impact many companies’ bottom lines even before the authorities have had time to consider any sort of enforcement action.

Gu: GDPR compliance will be a hot topic for some years to come. Because not all companies are capable of handling their internal personal data, particularly small to medium-sized enterprises, these companies will still be exposed to significant risks. For companies which lack policies for GDPR compliance, have no DPO and no inventory of personal data, more resources must be allocated to plug these gaps and not run the risk of being punished for noncompliance.

Patrikios: Over the next three to five years, the economy will gradually get to grips with the depth and breadth of the changes that the GDPR has introduced to data privacy and cyber security. During that time, we will see more new data privacy and cyber security laws, such as the e-Privacy Regulation or the regulation on the flow of non-personal data in the EU, or the California Consumer Privacy Act (CCPA), more regulatory guidance, more regulatory investigations and enforcement actions, more high-profile cyber security breaches and more court judgements. So, the law and its application will gradually become clearer and the economy will adjust accordingly. At the same time, evolving technology and ways of working will also mean that the legal framework will need to be applied to new practices, which may be challenging – AI being a good example of a disruptive technology that was not sufficiently understood at the time of drafting the GDPR. However, what this means for organisations in practice is not that dissimilar to what organisations should be doing today: having solid privacy compliance processes in place, ideally in the form of a structured privacy compliance programme.

Tantleff: Compliance will become more streamlined and simplified over time, and automated tools will continue to evolve. Most solutions will be designed to assist companies with their compliance efforts, rather than require them to modify a solution or require compensating controls. While there have been a number of fines to date, they are fewer than expected. Some companies have incorrectly interpreted this to mean they can step back their GDPR programme activity. However, it should be remembered that the GDPR is a new law and therefore without legal precedent, and we expect both the number of fines levied and the size of the fines to increase. With respect to one’s privacy and security programme, one should always consider a global approach, taking into account laws that may apply to their business in other jurisdictions. This will help end this vicious compliance implementation cycle and create better efficiencies and oversight.


Rita Heimes is research director at the International Association of Privacy Professionals (IAPP), where she also serves as the in-house data protection officer. Ms Heimes is an attorney and academic with many years of experience in the fields of privacy, information security and intellectual property law. She remains an active scholar, and still coordinates and teaches in the Information Privacy Summer Institute at Maine Law. She can be contacted on +1 (603) 427 9212 or by email:

Great Gu is a cyber security, risk management and IT governance expert. He won the 2017 Asia-Pacific Information Security Leadership Achievements (ISLA) award, and was the only nominee from mainland China. He is frequently invited to speak on cyber security topics at online seminars and large-scale conferences across Asia-Pacific (APAC), and hosts elite cyber security panels. He can be contacted on +86 189 1652 7303 or by email:

Antonis Patrikios is head of cybersecurity law at Fieldfisher and a partner in its privacy, security and information law group. A leading specialist, Mr Patrikios has over 12 years of experience advising a wide range of clients on all aspects of data privacy and cyber security law, including global compliance programmes, cross-jurisdictional matters, new legal regime readiness, new projects and products, commercial deals, cyber security preparedness, managing incidents and cyber security breaches, and data disputes. He can be contacted on +44 (0)20 7861 4354 or by email:

Aaron Tantleff is a partner in Foley & Lardner LLP’s technology transactions & outsourcing and privacy, security & information management practice groups. He represents companies in various technology, information, privacy, security and intellectual property (IP) related matters, having served as both in-house and outside counsel. He has also served as the global director of IP for a global software company and as acting AGC for a global information technology and management consulting company. He can be contacted on +1 (312) 832 4367 or by email:

Carlos Garcia-Mauriño is the EMEA executive privacy counsel for General Electric Healthcare, a leading provider of medical imaging, monitoring and diagnosis devices and drug discovery and biopharmaceutical manufacturing technologies. In this role he leads and coordinates all major projects to improve data protection compliance in the region and participates in the design of key global and regional projects and systems to ensure compliance with EMEA privacy rules. He can be contacted on +34 609 343 130 or by email:

© Financier Worldwide