The GDPR, which comes into force in May 2018, strengthens data protection regulations for all individuals within the EU and aims to give control of personal data back to consumers.
The new rules identify personal data as any information relating to an individual, whether it relates to private, professional or public life.
It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Among the more demanding provisions is the right of consumers to challenge automated individual decision-making, including profiling and algorithm-based assessments.
Ashley Winton, a partner at Paul Hastings (Europe), said that the complexity and scale of the new rules meant it was unlikely companies could be fully compliant in time.
He added that, in preparing, companies should focus in particular on audit trails that let them respond to challenges from consumers.
He said: “In the small print of the GDPR, there is a reversal of the burden of proof, so if someone makes a claim against you, you will lose unless you can show you have processed the data correctly.
“I think what you need is an audit trail around the notices and consents that you might be asking. So, if someone is going to complain, you can say when they pressed accept to a specific privacy notice.
“Otherwise people’s claims against you will be really difficult. The audit trail will be really important and that functionality will be needed in online systems.”
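One way to build the consent audit trail Winton describes, as an added example that is not from the article or from any product mentioned in it: each acceptance or withdrawal is recorded against the hash of the exact notice text the user saw, and the records are chained and sealed with an HMAC so that a later edit to any entry is detectable. The notice texts, the driver identifier, the timestamps and the HMAC key are all constructed for the illustration; in a real deployment the key would live in a secrets manager or HSM.

```python
"""Tamper-evident consent audit trail (added illustration; not from the article)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample privacy notices: the exact wording shown to the user, keyed by version.
PRIVACY_NOTICES = {
    "v1": "We use your telematics data to bill for mileage.",
    "v2": "We use your telematics data to bill for mileage and to share it with insurers.",
}


def notice_hash(text: str) -> str:
    # Hash the exact wording so the record proves which text the driver accepted.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentEvent:
    seq: int
    subject_id: str
    notice_version: str
    notice_sha256: str
    action: str          # "accept" or "withdraw"
    timestamp: str       # ISO 8601, UTC
    prev_hash: str       # entry_hash of the previous event (all zeros for the first)
    entry_hash: str = ""  # HMAC over every other field


class ConsentLedger:
    """Append-only hash chain of consent events.

    The HMAC key (assumed to be held in an HSM or secrets manager in production)
    means nobody without it can forge or silently rewrite an entry."""

    def __init__(self, key: bytes):
        self._key = key
        self.events: List[ConsentEvent] = []

    def _seal(self, ev: ConsentEvent) -> str:
        body = asdict(ev)
        body.pop("entry_hash")
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, subject_id: str, notice_version: str, action: str,
               when: Optional[datetime] = None) -> ConsentEvent:
        text = PRIVACY_NOTICES[notice_version]
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.events[-1].entry_hash if self.events else "0" * 64
        ev = ConsentEvent(len(self.events), subject_id, notice_version,
                          notice_hash(text), action, ts, prev)
        ev.entry_hash = self._seal(ev)
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute every seal and link; any edited, dropped or reordered entry fails."""
        prev = "0" * 64
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or self._seal(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True

    def consent_status(self, subject_id: str, notice_version: str) -> Optional[ConsentEvent]:
        """Latest accept event for this subject and notice if consent is in force, else None.

        This is the record you hand over when a complainant says they never agreed."""
        latest = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.notice_version == notice_version:
                latest = ev
        return latest if latest is not None and latest.action == "accept" else None


def build_demo_ledger() -> ConsentLedger:
    """Constructed scenario: a fleet driver accepts v1, later accepts v2, then withdraws v2."""
    ledger = ConsentLedger(key=b"demo-key-not-for-production")
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("driver-42", "v1", "accept", when=t0)
    ledger.record("driver-42", "v2", "accept", when=t0.replace(month=6))
    ledger.record("driver-42", "v2", "withdraw", when=t0.replace(month=7))
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain intact:", ledger.verify())
    print("v1 consent:", ledger.consent_status("driver-42", "v1"))
    print("v2 consent:", ledger.consent_status("driver-42", "v2"))
```

Storing the hash of the notice text rather than just a version label matters: it ties the record to the wording the user actually saw, so a later edit to the notice cannot be passed off as the version they accepted.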
Companies will also have to look at ways to automate subject access requests for the data they hold on individuals, as such requests are likely to increase under the new regulation, particularly in areas such as connected cars.
Winton, who was speaking at the British Vehicle Rental and Leasing Association Fleet Technology Congress, said: “You will get these requests from people wanting to have all the data about them, travel history, telematics and that will need to be handed over to drivers, and passengers arguably.
“I don’t think you can do that unless there is a technological system to enable it, so absolutely there is some development required there.”
Another area where companies may struggle is cyber-security, because the regulation’s language on security incidents is much broader than many expect.
He added: “The data definition is much broader than you might think and the language used is about denial of service attacks and breaches of security. So, if something is not working [after a denial of service attack], that is a breach of cyber security.”
While regulators can impose fines of up to 4% of a company’s annual worldwide turnover, the real risk will come from smaller claims taken on a ‘no win, no fee’ basis.
Winton said: “There is no longer a requirement for monetary loss before you can bring a claim. If you suffer distress you can bring a claim.
“Imagine you have thousands of fleet drivers suddenly distressed about their information being disclosed to a third party. That will be quite an interesting case and that is where the risk will lie.”