May 22, 2018
The GDPR goes into effect on May 25th. This unprecedented regulation will unify data privacy regulation within the European Union (EU) and will have a large effect on all corporations who handle the personal identifiable information of over 500 million individuals living in EU member states. This includes any organization (non-profit and for-profit) inside or outside of the EU that processes such data.
What it Does
This new data governance regulation outlines many new standards and rights for individuals within the EU:
The right to object. The right to object allows European consumers to object to “processing for direct marketing purposes,” “processing for scientific/historical research/statistical purposes,” and “processing based on legitimate interests or performance of a task in the public interest/exercise of official authority.”
The right to erasure (or to be forgotten). The right to erasure allows consumers to have their data erased under specified situations, such as when the data no longer is necessary for the purpose for which it was collected or if the individual withdraws consent to processing.
The right to access. The right to access allows consumers to access their data as well as any supplemental information about the processing. All of these rights must be allowed to customers if the data possessor is properly abiding by the GDPR. If any of these rights are infringed upon, the enterprise is answerable to large administrative fines.
Who it Protects
According to the firm Bird & Bird, the GDPR applies to all data “from which a living individual is identified or identifiable (by anyone), whether directly or indirectly.” This includes information such as email addresses, IP addresses, age, birthday, health information, search queries, etc. It introduces several new and significant changes to already existing data policy regulation in Europe and seeks to establish new standards and definitions while allowing EU citizens many new privacy rights. For example, the conditions around obtaining consent from consumers to use their data will become much stricter. European consumers will have the right to withdraw consent at any given time, and consent will not be considered valid if it is seen as “forced.” Therefore, pre-ticked boxes, silence, or any other method of indirectly, assuming consent will no longer be tolerated. The GDPR also includes principles that ensure higher degrees of transparency and protection for children under the age of 13.
The new privacy regime calls for stricter data breach notification mechanisms. The regulation defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Data processors are expected to report such breaches to their supervisory authority, and in certain cases, to the affected data subjects. Failure to notify can lead to an administrative fine of €10 million or 2% of global earnings, whichever is higher. If the breach occurred due to a failure to impose proper security measures, the fines can be even higher. The GDPR demands that data controllers notify their supervisory authority without undue delay and, where feasible, no later than 72 hours after the breach is discovered.
The European regulation requires all concerned organizations implement a wide range of accountability procedures to mitigate their risk of violating the GDPR and demonstrate they are taking the data governance issue seriously. Such procedures come in the form of Privacy Impact Assessments, audits, policy reviews, activity records, and potentially appointing a Data Protection Officer (DPO). The GDPR requires data processors to develop Data Protection Impact Assessments (PIAs) in order to measure and identify non-compliance risks. These assessments must be run on any processing activity deemed as “high risk” before the activity begins. A PIA should, at its minimum, include a description of the processing operations and the purpose of the processing, a measure of the need for and proportionality of the processing, the risks to the data subjects, and a list of foreseen measures to mitigate these risks while ensuring compliance with the GDPR.
The Data Protection Officer is a role that the GDPR states is optional for controllers and processors but is mandatory for most public authorities, any company whose core undertakings involve “regular and systematic monitoring” of data subjects “on a large scale” or “large scale” processing of sensitive data or criminal records, and those obligated to do so by law. Essentially, all companies that handle the identifiable information of European citizens must create this role within their organization. The DPO’s primary goals should be ensuring compliance with the GDPR, and they should routinely monitor their organization’s privacy practices and advise colleagues through training and awareness campaigns. The GDPR does not specify a list of credentials or experience that a DPO must have prior to their appointment, however, it does state that a DPO must have “expert knowledge of data protection law and practices.” This new requirement will most likely impose a heavy burden on organizations which have not previously designated a budget, or responsibility, for data protection compliance.
The GDPR also calls for organizations to demonstrate compliance with its new principles and includes processes for such actions to take place. A supervisory authority is to be located in each of the EU member states where an organization has its “main” establishment in order to properly enforce that organization’s compliance with the GDPR. These authorities also have the power to impose the significant fines addressed earlier on both data controllers and processors who violate the GDPR.
Failing to comply with the GDPR’s requirements can result in hefty fines of up to 4% of total world-wide annual earnings or up to €20 million (nearly $24 million), whichever is higher.
According to a survey by Sage conducted between October 2017 and January 2018, 91% of American firms lacked awareness around certain aspects of GDPR. This figure is alarming due to the extreme consequences associated with the European regulation. The GDPR has many enforcement processes. For example, individuals have the right to lodge a complaint with supervisory authorities if they find that their data may have been misused. Individuals also have the right to compensation from the company that misused their data if there was any damage resulting from the infringement of the regulation. According to Bird & Bird, “supervisory authorities are empowered to impose significant administrative fines on both data controllers and data processors.” The fines are broken into two groups. Some infringements will be met with administrative fines up to €10 million or 2% of global earnings during the preceding year, whichever is higher. Other infringements will be met with fines up to €20 million or 4% of global earnings, again, whichever is higher. These fines are “not applicable automatically” as stated by Bird & Bird, but are meant to be imposed on a case by case basis. For example, if these fines would pose a disproportionate burden on a person, “a reprimand may be issued instead of a fine.” More serious infringements of the GDPR, such as failure to comply with an order imposed by supervisory authorities or violating conditions of consent, are subject to the most drastic administrative fines.
The process of becoming compliant is tremendously challenging and complex. In order to fulfill the many requirements of the GDPR, organizations must reassess the way they deal with customer data and make adjustments where necessary. They will have to take an inventory of all the data they have collected and, if necessary, devise new mechanisms for safe-guarding the data. If a corporation serves European customers in any way and stores identifiable information, the GDPR will have jurisdiction over them. A recent survey by Propeller Insights found that 55% of businesses have been forced to hire at least six additional employees to assist them with GDPR compliance. The same survey found that nearly 60% of organizations will have to spend between $50,000 and $1 million to become GDPR compliant, and an additional 10% will need to spend over $1 million. The consequences of the regulation are still not fully understood. The Propeller survey of C-level officers found that around 50% of respondents believed that businesses would be more hesitant to report data breaches do to the high fines, while another 50% also believed that businesses would no longer hide data breaches. While the success or failure of the GDPR is yet to be determined, the immediate job of organizations is to identify ways to become compliant and avoid unnecessary violations.
This regulation redefines the relationship between consumers and businesses. While it offers consumers new tools and rights, it also poses tremendous obstacles for large and small enterprises alike. Since thousands of companies around the world serve customers residing in the EU, it is important to examine the complexities of this regulation and how it will apply to foreign firms.
Webinar Discussing What U.S.-Based Organizations Need to Know about GDPR
USTelecom hosted a webinar on how the EU law will affect U.S.-based organizations that collect or use personal data of individuals in the EU. The webinar is available for on-demand viewing.