26.5.17

ICO urges businesses to focus on becoming GDPR compliant

The UK’s information commissioner Elizabeth Denham has urged businesses to be incentivized by the benefits of GDPR data security compliance, rather than the possible consequences.
In a video addressing boardrooms across the country, Denham stated that businesses should not waste any time in preparing for “the biggest change to data protection law for a generation”.
As a result, she urged companies to act swiftly in ensuring they are compliant with the upcoming GDPR regulations, which are due to come into force on May 25th, 2018.
But she insists that businesses should not be motivated by fears surrounding the consequences of non-compliance.
Instead they should look at the advantages of having a strong data protection system.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance,” Denham added.
“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
Her comments may well fall on a few surprised ears over the coming weeks, with research from IDC earlier this month indicating that just one-quarter of companies claim to be aware of GDPR.
This comes despite new rules regarding consent, as well as broadened European privacy rights, fines for non-compliance that could go into millions of euros, as well as tightened procedures and public disclosure in cases of a data breach.
Additionally, 52% of companies said they were unsure of how GDPR would impact their organization.
The ICO is consequently doing its best to raise awareness among UK companies: an updated data protection toolkit for SMEs is set to go live on its website, alongside an Information Rights Strategic Plan that aims to increase public trust.
There will also be a relaunch of the ICO’s 12 steps to take to prepare for GDPR.

24.5.17

Is the world ready for GDPR? Privacy and cybersecurity impacts are far-reaching


On May 25th, in the year 2018, something called the General Data Protection Regulation (GDPR) will go into effect. That means your company, and every other company in the world, should already have a good answer to this question: “How will GDPR affect us?” In fact, I would argue that you are currently courting danger if your answer is either “I don’t know” or “it doesn’t affect us because we’re not a European company” or “GDPR is irrelevant to us because we are located in America/Australia/India/etc.”
The main danger that you are courting is a big fat fine for non-compliance with GDPR, a set of rules governing the privacy and security of personal data that is being implemented by the European Commission, but which DOES APPLY to some companies located outside the European Union (EU).
In this article I have outlined why GDPR could have serious implications for your organization, starting with a few words about the wide net that this law casts, far beyond the borders of the EU. I will end with links to resources that can help you prepare for GDPR.
Another fine mess EU’ve landed US in?
I know that I am badly misquoting Laurel and Hardy there, but hopefully you are now paying attention because this is very serious. GDPR applies to your organization, regardless of the country in which you are based or from which you operate, unless you do not collect or process personal data drawn from the European market.
In other words, you are only off the hook if you do not offer goods or services to, nor track or create profiles of, European citizens.
If you do engage in any of those activities then you most likely will have to comply with GDPR. If in doubt ask corporate counsel. If corporate counsel responds by saying “GDP what now?” consider retaining new counsel.
For the sake of clarity and emphasis, let me summarize. Your firm probably needs to comply with GDPR if:
· You monitor the behavior of data subjects who are located within the EU, or
· You’re based outside the EU but provide services or goods to the EU (including free services), or
· You have an “establishment” in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR).
Clearly, this is a considerable expansion of the scope of data protections provided by previous European laws. And it encompasses all people living in the EU, not just EU citizens. In addition, GDPR expands liability beyond the current directive to include data processors as well as data controllers.
(Need a quick refresher on the language of European data protection? There are three key terms: data subjects, data controllers, and data processors. For example, a company is a data controller with respect to the customers or employees about whom it has personal information. The customers and employees are the data subjects in this context: natural persons whose personal data is being processed by the data controller. An example of a data processor would be a company to whom payroll operations are outsourced by the employer in its capacity as a data controller.)
11 key things that GDPR does
1. Increases the individual’s expectation of data privacy and the organization’s obligation to follow established cybersecurity practices.
2. Establishes hefty fines for non-compliance. An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars (there are two tiers of violations and the higher tier is subject to fines of over 20 million euros or 4% of the company’s net income).
3. Imposes detailed and demanding breach notification requirements. Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”. Affected companies in America that are accustomed to US state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
4. Requires many organizations to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.” For firms that already have a chief privacy officer, making that person DPO would make sense, but if there is no CPO or similar position in the organization, then a DPO role will need to be created.
5. Tightens the definition of consent. Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity no longer constitute consent.
6. Takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses, and other tracking data.
7. Codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will need to work on that.
8. Gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Again, organizations that do not yet have a process for accommodating such requests will need to work on that.
9. Makes it clear that data controllers are liable for the actions of the data processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and protective security measures. For US companies, think Covered Entities and Business Associates under HIPAA.)
10. Increases parental consent requirements for children under 16.
11. Enshrines “privacy-by-design” as a required standard practice for all activities involving protected personal data. For example, in the area of app development, GDPR implies that “security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation”.
GDPR cost and timing
As you might expect, when it comes to getting ready for GDPR, some organizations are further along than others. In January of this year PwC surveyed 200 US companies with more than 500 employees and found that 92% considered compliance with GDPR a top priority on their data-privacy and security agenda in 2017. More than half said it was the top priority and 38% said it was among their top priorities. Of course, compliance will not come cheap and 77% of folks in the PwC study said their organization was planning to spend $1 million or more on GDPR.
While you might expect European companies to be on top of GDPR preparation, a recent IDC Research study conducted on behalf of ESET found that a quarter (25%) of the 700 European companies surveyed admitted they were not aware of GDPR. In addition, more than half (52%) of them were unsure what GDPR’s impact on their organizations would be (see this article on WeLiveSecurity).
Security and notification under GDPR
To drill a little further into GDPR’s implications for the security of personal data that your organization handles, I think it is worth citing the appropriate sections at length. In effect, these establish a baseline that companies which handle data about EU persons will need to meet in order to defend against claims that they are “processing in infringement of this Regulation” and thus potentially subject to fines.
In section 83 we read that “… the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
In other words, there are very few specifics about how you should approach securing data, aside from the encryption reference; but there’s a clear assertion that you must perform a risk assessment. (I would hope that by now every organization has done a cybersecurity risk assessment and is keeping it current, yet we still see HIPAA fines in the US due to failure to do so.)
Section 83 elaborates on the risks that need to be considered: “In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
Section 84 goes on to discuss the security of “high risk” data, a distinction I will address in a separate article (there is an ongoing discussion about how that distinction will be made).
Nothing sheds light on organizational cybersecurity posture like security breaches, and these are addressed in Section 85. This states that when the data controller “becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Interestingly, GDPR allows the data controller to avoid notifying authorities of a breach if it is “able to demonstrate, in accordance with the accountability principle that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
GDPR specifies the terms of data breach notification in Section 86, which states that data controllers must “communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.”
Some of the specifics of the notification are spelled out, such as “describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.” For a look at some of the implications of these notification rules, including a possible surge in notifications, read this article on the IAPP blog.
More GDPR resources
Clearly, there is a lot to get ready for, especially if the idea of having to deal with European data protection law is new to you. Here are some additional resources:
· ESET has several GDPR guides available for download from this page.
· There is a growing collection of articles about different aspects of GDPR on WeLiveSecurity.
· For privacy and security purists who want to read the GDPR for themselves (like I did) here is a link to the final version as a PDF, all 150 pages of it.
Finally, it should be noted that I am not a lawyer and you should not rely on this or any other internet article for legal advice. You should consult suitably qualified legal counsel on matters relating to GDPR interpretation and compliance. However, I do have one pro legal tip: if you bring up GDPR with your company’s counsel and they respond with something like “G-D-P-what?” then they are probably not yet suitably qualified (so tell them you know a good article they can check out to learn more).

23.5.17

Zomato working with ‘ethical hacker’ to improve security


Restaurant and food delivery app Zomato has confirmed that it has been communicating with the hacker responsible for stealing the data of around 17 million of its customers.
The company, which claims to boast over 120 million users, confirmed that information including email addresses and hashed passwords had been compromised, but insists that payment data had been stored separately in a secured PCI Data Security Standard compliant vault and that no credit card data had been stolen.
Zomato’s reaction was to pledge to plug potential gaps in its protection of user information, while also adding a layer of authorization for internal teams to reduce the possibility of a breach caused by an insider.
Hours after confirming the attack, Zomato released an update stating that it had opened “a line of communication with the hacker who had put the user data up for sale”.
It continued by stating that the hacker had been “very cooperative” and claimed he wanted the company to acknowledge security vulnerabilities in its system.
At the hacker’s request, Zomato is set to run a bug bounty program on Hackerone, in a deal that will see all copies of the stolen data destroyed and taken off the dark web marketplace.
It added: “This incident has made our team’s commitment to addressing all our security issues in a responsible and timely manner even stronger. We look forward to working more closely with the ethical hacker community, to make Zomato a safer place for our users.”
The emergence of an “ethical hacker” in the Zomato data breach is in stark contrast to the other attacks seen across the world over recent weeks, although it nevertheless further emphasises the importance of keeping software up to date.
The failure to keep software updated has been cited as a root cause of several high-profile hacks, with some experts even labelling it as one of five “basic security mistakes”.