The global regulatory landscape for data protection lurched into new territory on May 25, 2018: the day the European Union's General Data Protection Regulation ("GDPR" or "Regulation") came into force. Much has been said about the GDPR's paradigmatic shift in data protection rules, including how the Regulation will impact data-driven innovations such as machine learning, Big Data, or artificial intelligence. Some commentators assert that the GDPR prohibits such analysis; others argue they will flourish with renewed vigor. These debates are indicative of the uncertainty surrounding the GDPR regime. How strictly will the Regulation be enforced? Which interpretations of the many provisions and exceptions will come to predominate regulatory enforcement? Even still, what derogations will implicate these technologies? Indeed, the regulatory waters ahead are murky.
Yet the GDPR commands immediate obedience; malfeasance will be met with stiff penalties. Thus, the challenge facing those employing data-driven analytics becomes obvious. What it means for them to “obey” the GDPR is far from clear. One reading of the GDPR outlaws these technologies; the other promotes them. For better or worse, the regulatory landscape will continue to shift under their feet as enforcement and judicial review refines, limits, and makes sense of the behemoth Regulation. At the same time, these companies must continue to collect, analyze, and act on data. Failing to do so is a threat to their very survival and to the technological capacity of Europe. Simply put, how do data-driven companies continue to innovate while facing the threat of exorbitant fines?
This Note offers a simple answer: an effective compliance program. As explained below, the GDPR calls for mitigating damages against companies who undertake good-faith efforts to adhere to the law. Such efforts will invariably entail the design, implementation, and enforcement of strong corporate policies and procedures—internal controls—to comply with the Regulation. To guide the development of these internal controls, companies and their counsel should look to existing guidelines on effective compliance programs, such as those promulgated by the United States Federal Sentencing Guidelines for Corporations (“Sentencing Guidelines”).
This Note begins by briefly summarizing the literature about the GDPR and data-driven analytics in Part II, with a focus on specific GDPR provisions. Drawing on the Regulation’s text and commentary from leading officials, Part III argues the GDPR embraces effective compliance programs as a significant mitigating factor in levying penalties. To provide more clarity to what constitutes an “effective” program, this Part looks to the Sentencing Guidelines. Lastly, Part IV assesses, in broad strokes, what the seven elements of the Sentencing Guidelines might demand of a controller employing advanced data analytics under the GDPR...continue...
Filippo A. Raso, Note, Innovating in Uncertainty: Effective Compliance and the GDPR, Harv. J.L. & Tech. Dig. (2018), https://jolt.law.harvard.edu/digest/innovating-in-uncertainty-effective- compliance-and-the-gdpr.
 Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. L 119/1 [hereinafter GDPR].
 See, e.g., Tal Z. Zarsky, Incompatible: The GDPR in the Age of Big Data, 47 Seton Hall L. Rev. 995 (2017).
 See, e.g., Viktor Mayer-Schonberger & Yann Padova, Regime Change? Enabling Big Data Through Europe's Data Protection Regulation, 17 Colum. Sci. & Tech. L. Rev. 315 (2016).