EU Data Protection and Privacy Regulations
to Take Effect May 25, 2018
Will Alter the Global Business Landscape -- Who's Ready?
In less than four short months, a new set of data governance regulations become effective that, arguably, impact any business interacting in the global digital economy. The failure to familiarize oneself with these regulations, and where appropriate to take immediate action to meet these regulations, may be a bet-the-company risk for many U.S. companies.
The GDPR, shorthand for the General Data Protection Regulation, is an outgrowth of European Union member-states' representatives' efforts in 2012 to enact a comprehensive overhaul of the EU's privacy and data protection rules. While the GDPR may sound like a relatively benign administrative framework, it is anything but. Depending on the size of the company and the nature and scope of the infraction, the GDPR provides for penalties up to 20 million Euro or 4% of "global turnover [total revenue]" . . . whichever is greater. After three years of negotiations and tinkering, the GDPR was agreed upon by the EU members and institutions in April 2016 and after a two-year transition period becomes effective May 25, 2018.
The GDPR springs from a growing concern, particularly prevalent among the EU bloc countries, that the advent and rapid expansion of the global digital marketplace has had a further compromising effect on personal privacy (a "right" held dear among many Europeans since adoption of the European Declaration of Human Rights in 1948) as well as an individual's ability to protect and secure how their data is used. As a consequence, the EU committed to creating a much more toothy enforcement tool -- the GDPR -- as a means of enforcing how businesses and corporations, institutions and governments secure and process personal data information that comes within their control.
As reported recently by Reuters, one high-ranking EU official, Vera Jourova, European Justice, Consumers and Gender Equality Commissioner, characterized implementation of the GDPR as "the biggest shake-up of personal data privacy rules since the birth of the Internet." Got your attention yet?
For U.S. businesses, the importance of understanding and the need to undertake immediate steps to comply with the GDPR may seem somewhat attenuated. However, this enforcement tool coming on-line across the pond has application not just for EU businesses, but also for any entity processing the personal data of EU citizens. Put differently,
"[t]he GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects [persons] residing in the European Union, regardless of the company's location."
FAQs, http://www.eugdpr.org/, reviewed 25 January 2018 (emphasis added).
While the GDPR mandates aren't sneaking up on very large companies, there is broad recognition among privacy and data protection professionals and commentators that smaller and medium-sized businesses are not readying for the new enforcement scheme. Indeed most remain blissfully ignorant and woefully unprepared. Much has been written of late of the substantial investment of time, people, energy and, yes, money, that large consumer-facing data businesses (think Facebook, Amazon, the credit reporting industry giants, etc.) are undertaking to meet GDPR requirements. Those efforts involve many layers of revamping business processes to assure compliance. While Fortune 500 companies may be well along the path to GDPR readiness, smaller companies (with smaller budgets) may not yet have GDPR compliance on their radar, much less a line-item in the budget or readiness efforts underway.
The GDPR has six core elements that must be met to be in compliance:
How seriously should non-EU businesses take the requirements of the GDPR? Undoubtedly, some U.S. businesses with relatively small EU data footprints may choose to compartmentalize their EU data handling from their treatment of data in the U.S. or other non-EU foreign markets. But given the ever-increasing globalization of commerce, and the probability that the EU's pioneering of data protection obligations will be adopted elsewhere, it may be prudent to work towards the GDPR model now. Indeed, despite England's "Brexit" from the EU, England has announced that it will adopt and abide by the GDPR standards, so intertwined is England with EU data and commerce.
For those companies that are offering goods or services to EU citizens and monitoring EU consumer behavior, or processing personal data of EU citizens, the rapidly-approaching May 25, 2018 effective date for the GDPR should be an immediate call to action.
Of course, many U.S. businesses have long been aware of the EU's data protection standards, but nodding recognition or minimal efforts to protect EU citizen data won't pass muster under the GDPR, which has a big monetary enforcement hammer sized to motivate any business subject to its mandates:
Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or 20 million euro (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order . . . , not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement."
Of course, with any law or regulatory framework, the devil is in the details, but procrastination in assessing compliance obligations and resisting appropriate responsive actions carries considerable risk. One privacy and data security attorney, Seth Berman, recently published "A 10-Step Guide for US Companies Pondering GDPR Compliance" (https://www.law360.com/financial-services-uk/articles/1003888), which provides a quick reference checklist of initial steps to take towards GDPR compliance. At a minimum, companies doing business in the EU member-states should conduct a risk assessment data audit to understand risks and potential liabilities, and where necessary commence work to get in sync with the GDPR. Because many EU member-states are themselves still readying their country-specific requirements within the GDPR, this audit exercise is not likely to be a one-time, static exercise, but rather an iterative process.
Resources are available to help -- the International Association of Privacy Professionals ("IAPP") has nearly 35,000 members around the world, a stunning number considering that few privacy and data protection laws existed in the pre-internet era. Likewise, many law firms have Certified Information Privacy Professionals ("CIPP") among their attorney ranks as well as many experienced lawyers who have been dealing with data governance, protection and privacy issues for many years.
In a global marketplace driven by data, the price of admission to compete in the international economy is understanding the data that you have, how you use it, and most importantly, how you protect it. The imminent arrival of the GDPR significantly amplifies the ticket price -- are you ready?
 "EU calls on firms, governments to speed up privacy law preparation," J. Fioretti, S. Koester; Reuters Technology News, Jan. 24, 2018.
 "Key Changes,"www.EUGDPR.org, reviewed 25 January 2018.
 Id. (emphasis added).
 Id. (Emphasis added.)
 "A 10-Step Guide for US Companies Pondering GDPR Compliance," S. Berman; Law360, Jan. 23, 2018.