EU Data Protection and Privacy Regulations
to Take Effect May 25, 2018
Will Alter the Global Business Landscape -- Who's Ready?
In less than four short months, a new set of data governance regulations become effective that, arguably, impact any business interacting in the global digital economy. The failure to familiarize oneself with these regulations, and where appropriate to take immediate action to meet these regulations, may be a bet-the-company risk for many U.S. companies.
The GDPR, shorthand for the General Data Protection Regulation, is an outgrowth of European Union member-states' representatives' efforts in 2012 to enact a comprehensive overhaul of the EU's privacy and data protection rules. While the GDPR may sound like a relatively benign administrative framework, it is anything but. Depending on the size of the company and the nature and scope of the infraction, the GDPR provides for penalties up to 20 million Euro or 4% of "global turnover [total revenue]" . . . whichever is greater. After three years of negotiations and tinkering, the GDPR was agreed upon by the EU members and institutions in April 2016 and after a two-year transition period becomes effective May 25, 2018.
The GDPR springs from a growing concern, particularly prevalent among the EU bloc countries, that the advent and rapid expansion of the global digital marketplace has had a further compromising effect on personal privacy (a "right" held dear among many Europeans since adoption of the European Declaration of Human Rights in 1948) as well as an individual's ability to protect and secure how their data is used. As a consequence, the EU committed to creating a much more toothy enforcement tool -- the GDPR -- as a means of enforcing how businesses and corporations, institutions and governments secure and process personal data information that comes within their control.
As reported recently by Reuters, one high-ranking EU official, Vera Jourova, European Justice, Consumers and Gender Equality Commissioner, characterized implementation of the GDPR as "the biggest shake-up of personal data privacy rules since the birth of the Internet."[1] Got your attention yet?
For U.S. businesses, the importance of understanding and the need to undertake immediate steps to comply with the GDPR may seem somewhat attenuated. However, this enforcement tool coming on-line across the pond has application not just for EU businesses, but also for any entity processing the personal data of EU citizens. Put differently,
"[t]he GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects [persons] residing in the European Union, regardless of the company's location."
FAQs, http://www.eugdpr.org/, reviewed 25 January 2018 (emphasis added).
While the GDPR mandates aren't sneaking up on very large companies, there is broad recognition among privacy and data protection professionals and commentators that smaller and medium-sized businesses are not readying for the new enforcement scheme. Indeed most remain blissfully ignorant and woefully unprepared. Much has been written of late of the substantial investment of time, people, energy and, yes, money, that large consumer-facing data businesses (think Facebook, Amazon, the credit reporting industry giants, etc.) are undertaking to meet GDPR requirements.[2] Those efforts involve many layers of revamping business processes to assure compliance. While Fortune 500 companies may be well along the path to GDPR readiness, smaller companies (with smaller budgets) may not yet have GDPR compliance on their radar, much less a line-item in the budget or readiness efforts underway.
The GDPR has six core elements that must be met to be in compliance:
- Breach Notification
The GDPR requires mandatory breach notification "in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals.'"[3] Importantly, this mandatory notification must occur no later than 72 hours following first becoming aware of a data breach. In comparison, many states in the U.S. provide a 45-day or 60-day window for notification. Of course, a company's obligations in the event of a breach don't end with giving prompt notice of a breach -- much work and expense remain. The GDPR makes plain -- time is of the essence. - Right to Access
EU data subjects have the right "to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, where and for what purpose."[4] This personal data information must be provided to the data subject in electronic format, free of charge and without unnecessary delay. - Right to be Forgotten
A much more advanced concept in EU member states as compared to the U.S., under the GDPR, the data subject may demand the data controller "erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data."[5] If the company (the data controller, or any data processor working with or for the data controller) can no longer demonstrate relevance to the original purposes for processing the subject's data, or the data subject withdraws consent, then the data must be erased. - Data Portability
The GDPR provides the right to a data subject to obtain their personal data from data controller A in a "commonly used and machine-readable format" and to transmit it to another data controller, B. The notion here is that control of personal data and who has it resides with the individual whose data it is, not with the entity that collected, processed, used or controlled the data. Consistent with the two prior core elements (the rights of access and to be forgotten), data portability -- the right to control one's own personal information -- is an underlying theme prominent throughout the GDPR framework. - Privacy By Design
The concept of Privacy by Design -- building data protection into system designs at the outset rather than an afterthought -- has been around for some time, but the GDPR makes this concept a legal requirement (and potentially, a significant change to a company's data management processes). The GDPR requires data controllers "to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing."[6] Data controllers also must document what types of data are collected and the purpose for the collection. - Data Protection Officers
The EU has a system that addresses notification and registration requirements for data processing activities, the specific requirements of which, until the GDPR, varied from one member-state to the next. The GDPR does away with all of these varying notice and registration requirements, and instead brings these record-keeping requirements in-house with the data controller. Depending on the nature and frequency of the use of personal data or the monitoring of data subjects, as spelled out in the GDPR, companies may be required to either recruit and retain or appoint an existing in-house professional to serve as a Data Protection Officer ("DPO"). Given the consequent penalties for non-compliance with the GDPR mandates, the appointment of a DPO must not be taken lightly. The GDPR requires that the DPO:- "must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices;
- may be a staff member or an external service provider;
- contact details must be provided to the relevant [member-state data protection agency];
- must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
- must report directly to the highest level of management;
- must not carry out any other tasks that could result in a conflict of interest."[7]
How seriously should non-EU businesses take the requirements of the GDPR? Undoubtedly, some U.S. businesses with relatively small EU data footprints may choose to compartmentalize their EU data handling from their treatment of data in the U.S. or other non-EU foreign markets. But given the ever-increasing globalization of commerce, and the probability that the EU's pioneering of data protection obligations will be adopted elsewhere, it may be prudent to work towards the GDPR model now. Indeed, despite England's "Brexit" from the EU, England has announced that it will adopt and abide by the GDPR standards, so intertwined is England with EU data and commerce.
For those companies that are offering goods or services to EU citizens and monitoring EU consumer behavior, or processing personal data of EU citizens, the rapidly-approaching May 25, 2018 effective date for the GDPR should be an immediate call to action.
Of course, many U.S. businesses have long been aware of the EU's data protection standards, but nodding recognition or minimal efforts to protect EU citizen data won't pass muster under the GDPR, which has a big monetary enforcement hammer sized to motivate any business subject to its mandates:
"Penalties
Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or 20 million euro (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order . . . , not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement."[8]
Of course, with any law or regulatory framework, the devil is in the details, but procrastination in assessing compliance obligations and resisting appropriate responsive actions carries considerable risk. One privacy and data security attorney, Seth Berman, recently published "A 10-Step Guide for US Companies Pondering GDPR Compliance" (https://www.law360.com/financial-services-uk/articles/1003888), which provides a quick reference checklist of initial steps to take towards GDPR compliance.[9] At a minimum, companies doing business in the EU member-states should conduct a risk assessment data audit to understand risks and potential liabilities, and where necessary commence work to get in sync with the GDPR. Because many EU member-states are themselves still readying their country-specific requirements within the GDPR, this audit exercise is not likely to be a one-time, static exercise, but rather an iterative process.
Resources are available to help -- the International Association of Privacy Professionals ("IAPP") has nearly 35,000 members around the world, a stunning number considering that few privacy and data protection laws existed in the pre-internet era. Likewise, many law firms have Certified Information Privacy Professionals ("CIPP") among their attorney ranks as well as many experienced lawyers who have been dealing with data governance, protection and privacy issues for many years.
In a global marketplace driven by data, the price of admission to compete in the international economy is understanding the data that you have, how you use it, and most importantly, how you protect it. The imminent arrival of the GDPR significantly amplifies the ticket price -- are you ready?
[1] "EU calls on firms, governments to speed up privacy law preparation," J. Fioretti, S. Koester; Reuters Technology News, Jan. 24, 2018.
[2] See, for example, https://www.law360.com/articles/1006807/facebook-rolls-out-privacy-tools-as-new-EU-law-looms.
[3] "Key Changes,"www.EUGDPR.org, reviewed 25 January 2018.
[4] Id.
[5] Id.
[6] Id. (emphasis added).
[7] Id.
[8] Id. (Emphasis added.)
[9] "A 10-Step Guide for US Companies Pondering GDPR Compliance," S. Berman; Law360, Jan. 23, 2018.
