Any U.S. company that collects and handles data on citizens of the European Union and doesn’t think EU data privacy laws apply to it should think again.
After nearly four years of back-and-forth negotiations, the European Parliament and Council of the European Union last month approved a final draft of the EU General Data Protection Regulation (GDPR), backed by the European Parliament’s Civil Liberties, Justice & Home Affairs Committee. Once it’s officially adopted, which is expected to take place this spring, member states will have two years to implement its provisions.
Designed to bring EU data protection laws into the digital age, the GDPR will replace the current EU Data Protection Directive, enacted in 1995, marking the most sweeping changes to EU data privacy legislation in the last 20 years. “It’s an entire revamping of the data protection legislative framework,” says Neal Cohen, an associate in privacy and security practice at Perkins Coie.
Although the GDPR imposes several new compliance obligations on companies, the overall outcome will be a uniform approach to EU data protection laws, “which could make things logistically easier for companies operating across multiple EU jurisdictions,” says Courtney Bowman, an associate with law firm Proskauer.
One of the most significant changes is the global scope of the GDPR’s application. Under the current Directive, only companies physically located in Europe may be found liable for data privacy violations. The GDPR, in comparison, would make any company—even those outside the European Union—liable so long as it offers goods or services to individuals in the European Union or monitors the behavior of EU citizens.
For U.S. companies that weren’t previously obligated to comply with the EU’s data privacy regime, the GDPR “may come as a bit of a shock,” says Rohan Massey, partner and co-chair of the privacy and data security practice at Ropes & Gray in London. The GDPR broadly defines personal data as employee, customer, and supplier data, “all of which need to be treated with the data protection framework in mind,” he says.
Given that most companies use behavioral advertising as part of their business model, the GDPR would bring just about every company in every industry sector within its scope. “It’s a game changer, primarily because it sets standards that many companies haven’t had to worry about,” Hilary Wandall, associate vice president of compliance and chief privacy officer at global healthcare giant Merck, said during a panel discussion at the EU Data Protection conference in Brussels last month.
The scope of European data protection laws has been expanded in another significant way: whereas the current Directive applies only to data controllers (companies that decide how and why data is being collected), the GDPR will jointly hold liable data processors—essentially service providers—as well.
Penalties for non-compliance are now more severe than ever. Companies that don’t meet the new requirements can face fines up to 4 percent of total annual global revenue or €20 million ($21.5 million), whichever is higher. For corporate giants like Apple, Facebook, and Google, fines can potentially amount to billions of dollars.
Many U.S. companies may have to completely overhaul their data collection and data removal programs to become GDPR-compliant by the 2018 deadline. One requirement posing significant compliance obstacles for companies, for example, is the “right to be forgotten,” which requires companies to scrub personal records from all company systems upon request, and then prove that the information has been deleted permanently.
PREPARING FOR EU DATA PRIVACY LAWS
Below is a blog post by David Smith, deputy commissioner and director of data protection at the Information Commissioner’s Office, the U.K.’s independent body set up to uphold information rights. In the blog, Smith describes what companies should be looking at now to prepare for the General Data Protection Regulation.
Consent and control
How far do you give your customers genuine control over what information you keep about them and how you use it? If you’re relying on their consent, do they know that they are consenting and the implications of this? This is especially pertinent if they are children. Can they easily say no or withdraw their consent later on?
Do you have effective processes in place to ensure that you are data protection compliant? Can you explain what these are and demonstrate that they work in practice? Can individuals easily find out not just what information you hold about them and how you might use it but also more generally about your personal data handling practices?
It may not be clear yet whether you’ll be required to designate a Data Protection Officer but even so, do you have the right people in place to help you understand and meet the requirements of the Regulation? If not, do you at least have some idea where you might get the necessary expertise from? It’s a myth that the Regulation will require every business to recruit a Data Protection Officer, but they will need resources to help them deliver the necessary change, even if these resources come through training and developing existing staff.
Privacy by Design
What steps do you take to make sure that your systems and processes, particularly new ones, deliver data protection compliance as a matter of course? Are you reviewing the personal data you hold and why you hold it to ensure that you can meet the requirement for ‘data minimization’? Do you know what a privacy impact assessment is?
Do you have a breach management process in place? Is it ready to be activated even if you’ve been fortunate enough not to suffer a significant personal data breach so far? Does your process include arrangements to notify affected individuals as well as the ICO? Most importantly, do you have effective technical and organizational security measures to prevent breaches in the first place? Are you sure that these are kept up to date?
Source: Information Commissioner’s Office
Specifically, individuals can request that their personal data be erased “without undue delay” when it’s no longer needed for the purposes for which it was collected or processed, or if individuals withdraw consent or object to the processing, and there are no legitimate or lawful grounds for retaining the data. “The actual requirement to have to erase data is fundamentally problematic,” said Wandall.
Recent reports indicate that many companies still have a long way to go. According to a survey conducted by Blancco Technology Group, for example, 41 percent of 511 IT professionals polled around the globe said that they don’t maintain documentation of the defined processes used to remove outdated or irrelevant customer data, and 60 percent said it would take one year or longer to develop and implement the necessary IT processes and tools to pass a right to be forgotten audit.
Consent must be “freely given, specific, informed, and unambiguous.” Examples include ticking a box when visiting a website or another statement or action clearly indicating acceptance of the proposed processing of the personal data. A lack of response, pre-ticked boxes, or inactivity will not constitute consent, the European Parliament said.
The GDPR also establishes a right to data portability, allowing individuals to request, where technically feasible, that the data controller transfer personal data to another service provider.
Both requirements demand that personal data be readily accessible in the event that data subjects make such requests. “It’s not just sitting all in one location,” Barbara Sondag, privacy counsel for North America and global product at eBay, said during the panel discussion.
If you don’t already have one, now is the time to organize an internal taskforce made up of stakeholders from across the business—management, IT, legal, compliance, marketing, HR, finance—and across geographies to figure out how to map all that data.
Pat Clawson, CEO of Blancco Technology Group, a provider of data erasure solutions, recommends that companies create and maintain a detailed register of all physical and virtual places where data is held—whether by the business, customers, employees, or third-party suppliers and vendors. “Distribute and communicate all items in this list with all internal departments and stakeholders,” he says.
The GDPR also introduces the concept of “privacy by design,” requiring that data protection and privacy controls be considered from the outset. From a practical standpoint, complying with the GDPR necessitates far more than a box-ticking exercise on data minimization requirements; it means embracing a whole new mindset. “If you’re not as a company thinking holistically about privacy and data protection—how it’s embedded into the business—then you’re not prepared,” Wandall said.
Data Protection Officer
The GDPR also requires the appointment of a data protection officer among companies whose “core” business activities include large-scale processing of “special categories” of personal data. The GDPR broadly defines “special categories” of data as information that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or sexual orientation.
“Companies should be aware that even if they do not collect this type of information from their customers, they may collect some of this information from their employees for human resources purposes,” says Bowman.
Companies will need to consider the skills required for the data protection officer role, and then determine whether to fill it in-house or recruit someone externally. Keep in mind that the data protection officer will serve as the main point of contact for communications with the relevant supervisory authority.
On a positive note, the GDPR introduces a “one-stop shop,” meaning that companies that handle the personal data of EU residents in multiple EU member states will only have to contend with one “lead” data protection authority (generally the authority for the member state in which the company has its EU headquarters).
Until companies have guidance on how the GDPR will be enforced, “it may be prudent to avoid costly external audits and the creation of new policies or data control processes,” says Massey. “It would be foolish to leap forward only to have to re-work later.”