On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect in the EU. This important but somewhat vague rule will require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Moreover, it will regulate the exportation of personal data outside the EU, and any firm that does not meet its requirements could not only suffer reputational damage but also potentially be fined tens of millions of dollars.
The GDPR takes a wide view of what constitutes personal identification information: companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for names, addresses and Social Security numbers.
Once the GDPR is in effect, the current Data Protection Directive (“95/46/EC”) will be repealed. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU. Even non-EU established organizations will be subject to the GDPR. If your business offers goods and/or services to citizens in the EU, then it’s subject to the GDPR.
The GDPR will protect the following privacy data: (1) basic identity information, such as name, address and ID numbers; (2) web data, such as location, IP address, cookie data and RFID tags; (3) health and genetic data; (4) biometric data; (5) racial or ethnic data; (6) political opinions; and (7) sexual orientation data.
Under the GDPR, individuals will have the following rights:
- The right to access. This means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in an electronic format, if requested.
- The right to be forgotten. If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
- The right to data portability. Individuals have a right to transfer their data from one service provider to another – and this must happen in a commonly used and machine-readable format.
- The right to be informed. This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers must opt in for their data to be gathered, and consent must be freely given rather than implied.
- The right to have information corrected. This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
- The right to restrict processing. Individuals can request that their data is not used for processing.
- The right to object. This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
- The right to be notified. If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the breach first being detected.
Non-Compliance Factors and Penalties
Failure to comply with the GDPR may be disastrous in terms of reputational and financial risk. Penalties can be imposed based on certain factors, including: (1) the nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them); (2) whether the infringement was intentional or negligent; (3) whether the controller or processor took any steps to mitigate the damage; (4) technical and organizational measures that had been implemented by the controller or processor; (5) prior infringements by the controller or processor; (6) the degree of cooperation with the regulator; (7) the types of personal data involved; and (8) the way the regulator found out about the infringement.
The following sanctions can be imposed for non-compliance:
- A written warning in cases of first and non-intentional non-compliance;
- Regular (periodic) data protection audits;
- A fine of up to €10 million or up to 2% of the annual worldwide revenue of the preceding financial year (whichever is greater), if it is determined that non-compliance was related to technical measures (e.g., impact assessments, breach notifications and certifications); or
- A fine of up to €20 million or up to 4% of the total worldwide annual revenue of the preceding financial year (whichever is greater), if it is determined that non-compliance was connected to key provisions of the GDPR (e.g., non-adherence to core principles or infringement of the rights of data subjects).
The GDPR requirements will force US companies that handle personal data on EU citizens to change the way they process, store and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents – and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies will also be required to erase personal data upon request.
GDPR, however, cannot supersede any legal requirement for an organization to maintain certain data – e.g., it does not apply to HIPAA health record requirements.
How to Build an Effective Framework
Let’s now discuss 12 steps your organization can take to implement and maintain an effective GDPR risk management program:
- Establish a strong governance structure, with clear roles and responsibilities that involve all stakeholders from all parts of the organization. The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO).
The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply. Data processors, meanwhile, maintain and process personal data records, and can be internally or externally sourced.
The GDPR holds processors liable for breaches or non-compliance. Even if the processing partner is entirely at fault for non-compliance, it’s possible that both your company and the processing partner – such as a cloud provider – will be held liable for penalties.
- Ensure that you have clear policies in place to prove that you meet the required global data hygiene standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimize data processing and retention of data, and building in safeguards.
Privacy impact assessments will also need to be conducted to review any risky processing activities and the steps taken to address specific concerns.
- Conduct a risk assessment. It’s important to understand not only what data your company stores and processes on EU citizens but also the risks that surround that data. Remember, the risk assessment must outline measures taken to mitigate that risk, and a key element of this assessment will be to uncover all shadow IT that might be collecting and storing personally identifiable information (PII).
- Implement measures to mitigate risk. Once you’ve identified the risks and how to mitigate them, you must put those practices into place – i.e., you may need to upgrade existing risk mitigation measures.
- Test incident response plans. The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond to breaches within the 72-hour window.
- Prepare for data security breaches. Put in place clear policies and well-practiced procedures (playbooks) to ensure that you can react quickly to any data breach and notify regulators on time.
- Write privacy risk into the risk taxonomy. This will ensure that privacy is embedded into any new processing or product that is deployed.
- Analyze the legal basis on which you use personal data. Consider what data processing you undertake. If you do rely on obtaining consent, review whether your documents and forms of consent are adequate – and check that consents are freely given, specific and informed.
- Check your privacy notices and policies.
- Bear in mind the rights of data subjects, such as the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.
- If you are a data supplier to others, consider whether you have new obligations as a processor. GDPR imposes some direct obligations on processors, which you will need to understand and build into your policies, procedures and contracts.
Consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services because of the changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.
- Ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognized as having adequate data protection regulation. It will be particularly important to keep track of any cross-border data transfers, including intra-group transfers.
This article was published by the Global Association of Risk Professionals.