CyberInsecurity: There are two areas in the GDPR that seem particularly tricky for companies to navigate. One is how they handle the right to be forgotten. And [Office1] the second is the 72 hours to report a breach. Have these new requirements proved to be difficult for companies to wrap their arms around?
Bart Huffman: I think these are difficult subjects. Let me start with breach response. Certainly 72 hours is not a realistic time frame for even assessing whether there has been a breach, much less coming up with a full response. That said, it seems like the actual expectation is early notification to the regulators, known as supervisory authorities, of significant incidents, which may or may not ripen into an actual breach. So I think these early notifications will be carefully worded. They will be somewhat tentative in nature, and there will be a lot of learning by experience in terms of what the regulators collectively expect to be notified about. The message is that “we the regulators want to be notified right away, even while you’re still figuring it out.” There’s a similar approach in Vermont, which requires notice to the attorney general within 15 days of a breach. That is too short a period of time, for most significant breaches, to come up with a full formal notification. But the idea is that there should be a prompt assurance to the regulator that there has been a potentially significant incident that’s being handled appropriately. One thing that will be important for a practicing attorney is the notion of confidentiality. You worry in the United States about things like the Open Records Act laws, and so Europeans want to work through confidentiality concerns, because obviously you’re much more cautious about disclosures if you’re not able to keep things confidential when you’re reporting about an ongoing investigation.
CI: And the right to be forgotten?
BH: One of the important things to remember about the right to be forgotten, like some of the other data subject rights, is that it’s not an absolute right. Nonetheless, the data controller has to take into account the request of the data subject, and it has to treat it seriously. And that also means that the controller has to have mechanisms in place with its service providers who are data processors. Specifically, the controller has to ensure that in its contracts with processors there is a provision for honoring data subject rights. As we move to GDPR 2.0 here, past the May 25 implementation deadline, the data subject rights are one of the more interesting areas. The companies that have been working on being compliant have been making their beds. And now the public at large gets to peek under the sheets and see what it looks like, and how companies are going to implement the procedures that were put in place to address data subject rights, such as the right to be forgotten.