And the regulation is sweeping, Krall said during the Washington panel discussion, moderated by Caroline Krass, a former general counsel to the CIA who now leads Gibson, Dunn & Crutcher's new national security team.
"The challenge is that it applies to all personal data, meaning any data that can be used, ultimately, to identify who you are. So it’s far beyond your name, your Social Security, your bank account. It’s your IP address, or your device ID, or a reference number to a customer, or a complaint or question that you brought in. For any organization, beyond tech, it just covers just about anything," she said.
In the aftermath of the Equifax hack, which compromised the personal information of nearly half the adult U.S. population, corporate lawyers and others in the cybersecurity community have been buzzing over the European regulation's requirement that companies notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals). That measure goes significantly further than what is required in the United States, where there is no general federal breach-notification deadline and state laws vary.
In her remarks Thursday, Krall said the European regulation's standards for obtaining consent to collect and use personal information would be felt by consumers, and perhaps not always appreciated.
“The customer experience is going to be potentially dramatically changed by these regulations. It’s almost as if governments are dictating the enterprise design or system design or consumer experience,” she said.
Krall said she envisioned consumers signing up for a music service and, "all of the sudden you have to give your informed consent on very clear, very visible—'OK, you can track this, you can't track that. Don't track my likes, track my plays.' There's all of that information."
“It’ll be interesting to see how it will work when it’s enacted,” she said.
An expert panel at the Association of Corporate Counsel's annual meeting in Washington this week looked at what companies are doing to prepare for the new rules. One takeaway: get in touch with the regulators.
“As you’re coming up with different ways to tackle different parts of the GDPR, one way to test these potential best practices is to get a meeting with the data protection authority and to walk them through [those],” Lisa Zolidis, privacy counsel for the Americas region at Dell Inc., said on one panel.