On May 25, 2018, an aggressive new regulation, regarding the handling of the personal data of European Union citizens will go into effect. The EU General Data Protection Regulation (GDPR) updates current EU data privacy rules, which were originally implemented in 1995 before the digital revolution truly took hold. The latest regulation recognizes that innovations like cloud technology have not only changed the way that data is stored, transferred and used, but have heightened information security risks as data has increasingly become a valuable commodity.
The new regulation promises to have repercussions for companies around the world. Any company that holds, processes or interacts with personal data on any EU citizen is bound by the rules, even if it has no physical presence in any of the 28 EU member states. The GDPR also expands the scope of existing European data protection laws by broadening the range of companies considered responsible. The former EU Data Protection Directive applied only to data controllers—those who collect and own the data, such as companies retaining customer information, including addresses and credit card details. Now, the GDPR holds data processors, such as third-party vendors, jointly liable too. In practical terms, this means that companies need to have assurances that their suppliers and contractors also have measures in place to comply with the GDPR and know if they personally interact with data on any EU citizen, including expats.
Achieving broad compliance with the regulation has so far proven to be a challenge, however. Surveys by IT vendors, law firms and professional services firms routinely find that, at best, only half of their respondents are even aware of the new rules. Usually, executives admit a lack of knowledge, and most organizations say they are under-prepared.
Janet Peyton, a partner at law firm McGuireWoods, said that one of the key problems for U.S. companies in particular “is that the U.S. concept of ‘privacy’ and definition of ‘sensitive data’ is very different than those that are used in Europe and form the basis of the GDPR.”
According to Peyton, there are three categories of data that are deemed private and protected under U.S. federal law: financial information (including Social Security numbers, bank account details and credit card details); medical records and health-related information; and information related to children under the age of 13.
“Very often U.S. and European companies talk at cross purposes about data privacy,” Peyton said. “When U.S. companies say that they don’t hold sensitive data, what they mean is that they don’t retain credit card details. The fact that Europeans regard all customer data as sensitive is a concept that many U.S. companies can’t really comprehend.”
The European Union and United States have tried to patch up their differences on data protection over the years through a series of cross-border bilateral agreements, starting with the “Safe Harbor” agreement and the current “Privacy Shield” initiative. Yet relatively few U.S. companies have adopted them. This self-certification regime has meant that it is unclear whether companies actually comply with the rules, and to what degree regulatory oversight and enforcement have worked.
Such a lax approach to compliance policing is likely to be inadequate under the GDPR, especially given that the new regulation extends the definition of “personal data” so widely that it now includes genetic and biometric data, as well as basic online identifiers such as IP addresses. It also strengthens and increases the rights of data subjects, and tightens the rules on consent. For example, it introduces the “right to be forgotten,” which means that EU citizens can ask for websites or internet forums to delete their information.
There are also detailed compliance requirements, such as the appointment of designated data protection officers if there is regular or systematic monitoring of data subjects or large-scale processing of special categories of data. The most difficult requirement is perhaps the need to report any breach to the relevant data protection supervisory authority within 72 hours. In certain situations, organizations would also need to notify any individuals affected in the same timeframe.
Failure to comply with the regulation risks substantial penalties. Serious breaches can incur fines of up to €20 million (about $24 million) or up to 4% of global annual revenue—whichever is greater. It is clear, therefore, that compliance is paramount before the new rules come into force this spring.
Assessing the Risk
Sarah Stephens, partner and head of cyber at insurance broker JLT Specialty, said that first and foremost, companies will need to be crystal clear as to the extent to which they fall within the jurisdiction of GDPR, “as even companies which aren’t based within the EU will be subject to the extra-territorial effects of the regulation.” Any contact with entities within the EU, whether they are selling into the EU or using EU data as part of global business operations, will inevitably have GDPR implications. As such, companies will need to be very aware of the myriad ways that this will affect them, she warned.
“Irrespective of where an organization is based, it is important to increase the privacy awareness of your employees to ensure they can recognize and respond appropriately to requests from data subjects seeking to exercise their new rights under GDPR,” Stephens said. “Any process for responding to these rights should be clearly documented and embedded into business practices.”
Boards also need to be clearly accountable for ensuring that data protection risks receive ongoing attention and review from the C-suite, she said. This includes evaluating existing contracts with third-party service providers with which companies share personal data to ensure they include all of the mandatory obligations prescribed by the new regulations.
Organizations must also classify personal information in terms of risk, comply with data retention periods, and establish a procedure to erase data when the retention period is over. “If this is problematic because of scale or complexity, then you should determine whether your organization should have a data protection officer to oversee and drive the process,” Stephens said.
Andrew Beckett, managing director and EMEA practice leader for cybersecurity at forensic investigations firm Kroll, said that many companies struggle with developing a complete picture of their data. “Working with clients on GDPR compliance, the biggest problem we find is that they don’t understand what data they currently have and collect, nor where it is stored on their networks,” he said. “Structured data sets tend to be well-known, but situations such as copies on laptops or teams running unsanctioned cloud storage can come back to bite organizations.”
As such, firms must look to understand the data held within their business, “specifically, where it came from and who it is shared with,” said Robert Rutherford, CEO of business consultancy and information technology firm QuoStar. Firms may also need to alter their current privacy notice practices and ensure records are kept on how the data has been processed within the organization. This is particularly true for any data held about children, as organizations will need to consider how they can verify the ages of the children in question, in addition to gaining parental or guardian consent to hold and process this data.
To be fully compliant with the GDPR, Rutherford said, it is vital for firms to undertake regular privacy impact assessments that look at every service provider and individual responsible for handling data within the business. This, alongside customer privacy notices, will enable a business to have clear records of its data privacy policies and be able to prove their compliance in the event any data is compromised.
Companies that do business with EU citizens must understand whether they are a controller or processor of data. “This impacts the level of responsibility they have under GDPR, with controllers holding most of the liability for data compliance,” said Matt Smith, CEO of compliance technology and data analytics firm SteelEye.
“It’s also imperative for companies to understand that all firms, regardless of size or revenue, are obligated to meet the GDPR requirements,” he said. “While at the outset, regulators may show some leniency towards firms that can show evidence they have taken sufficient steps to meet the new obligation, in the long term, those who have not met the key obligations will not be exempt from prosecution.”
The GDPR’s “opt-in” measures are another key issue for companies. “Ultimately, firms need to redesign what ‘consent’ and ‘disclosure’ look like,” Smith said. “Under GDPR, companies cannot rely on inactivity and pre-ticked boxes as constituting consent—data subjects must now confirm choice via freely given unambiguous statements or clear affirmative actions.”
In terms of preparation, one of the key steps is to undertake a data audit of customers’ personal data, Smith said. This will help firms clarify where information is held, the purpose for retaining it, the length of time it is held, and the processes for updating, archiving or deleting information.
Companies should also work with their legal team to determine the location of their data centers and which EU member state will act as their supervisory authority. Under the terms of the GDPR, multinational companies must designate a lead supervisory authority from one of the EU member states (including the United Kingdom, which is still obliged to implement the regulation despite the Brexit vote) to act as its data protection regulator. They should then appoint a representative based in that country who can act as a point of contact for all communications with the regulator if issues arise.
The Upside of Compliance
There is no doubt that GDPR compliance requires serious preparation, but it may not be the headache that many experts think, especially if the organization already has a good track record for data management. Mark Watts, head of the data protection practice at U.K. law firm Bristows, said that compliance with the GDPR is not as difficult as everyone believes. “It all depends on how well companies manage their data,” he said. “If organizations have good data management systems and security protocols in place already, it should not be a massive leap for them to comply with the new regulation.”
In legal terms, the same rules that apply now will apply in May when the GDPR takes effect, he said. It is just that the onus on compliance has changed: Under current EU rules, organizations just need to be aware of the rules and comply with them. Under the GDPR, they need to provide proof that they are taking active steps to ensure compliance, such as appointing a data protection officer to coordinate the effort. “The most significant change is the requirement to notify authorities about a breach within 72 hours, which does mean that organizations need to review their data management processes,” Watts said.
Other experts believe that the GDPR should not be seen entirely as a compliance burden. Marsh’s recent survey GDPR Preparedness: An Indicator of Cyber Risk Management found that organizations are using the process of ensuring compliance with the new rules as an opportunity to beef up their cyberrisk management and resilience.
Stephen Bonner, partner in cyber risk services at professional services firm Deloitte, also believes that there are a number of “upsides” to complying with the GDPR. First, compliance demonstrates good corporate governance and enhances public trust—an important asset when considering the increasing regularity of potentially crippling data hacks, he said. Managing data and taking steps to update it and review its quality also provides organizations with the opportunity to determine what information should be retained and how customer data may be leveraged for further business opportunities.
Bonner pointed out that reviewing data privacy processes and controls alerts organizations to potential risks before disaster strikes. It also allows them to check how well third-parties protect their data. If data protection processes are weak or flawed, it could be an opportunity for organizations to demand more stringent practices, rewrite contract terms, and negotiate lower fees while ensuring that they honor future privacy obligations.
“Looking at compliance with the GDPR in solely negative, cost terms is no good for any organization,” Bonner said. “Those companies that look at the benefits of complying with the new rules—how they can leverage the preparations to improve data risk management and explore commercial opportunities by reviewing what data is actually being held—will have an advantage over those that just see the whole thing as a ‘box-tick’ exercise.”