The new General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and most US companies risk fines for non-compliance, because its rules apply to all organizations processing any personal data of EU citizens.
Personal data is being collected at an ultrafast pace, and beginning on May 25th, a new regulation will go into effect that will impact businesses that don’t protect their data according to GDPR rules. Dell and Dimension Research found that 80% of businesses do next to nothing about GDPR. And, despite being a European Union legislation, GDPR has major implications for US-based businesses. The following is designed to provide US companies with the key aspects that will impact you so you can put the appropriate safeguards in place before the compliance deadline.
How did it come about?
In January 2012, the European Commission established plans for data protection reform across the European Union in order to make Europe “fit for the digital age”. Within four years, an agreement was reached on what that involved and how it will be enforced.
One of the key components of the reforms was the introduction of the General Data Protection Regulation (GDPR). This applies to organizations in all member-states and has implications for businesses and individuals across Europe and beyond.
What is GDPR?
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data such as their name, photos, email addresses, credit card number, bank details, updates on social networking websites, location details, medical information or a computer IP address and more, all collected, analyzed and stored by organizations. The intent is to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
The reforms are designed to reflect the digital world we’re living in now and bring new laws and obligations – including those around personal data, privacy and consent.
What is GDPR compliance?
Data breaches inevitably happen. Information gets lost, stolen or otherwise released into the hands of people who were never intended to see it — and those people often have malicious intent.
Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation. They will also need to respect the rights of data owners – or face penalties for not doing so.
Who does GDPR apply to?
GDPR applies to any company operating within the EU, as well as to companies outside the EU that offer goods or services to customers or businesses in the EU. That means that almost every major corporation in the world will need to be ready when GDPR comes into effect and have a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: “processors” and “controllers”. The definitions of each are provided in Article 4 of the General Data Protection Regulation and summarized as follows.
A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”. The processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
GDPR places legal obligations on a processor to maintain records of personal data and how it is processed, providing a much higher level of legal liability should the processor be breached. Controllers will also be forced to ensure that all contracts with processors are in compliance with GDPR.
What does GDPR mean for businesses?
GDPR establishes one law across the continent and a single set of rules which apply to companies doing business within EU member-states. This means the reach of the legislation extends further than the borders of Europe itself. It includes international businesses based outside the region that have activity on “European soil”.
This regulation is designed to guarantee data protection safeguards are built into products and services from the earliest stage of development, providing “data protection by design” in new products and technologies.
Businesses will also be encouraged to adopt techniques like ‘pseudonymization’ in order to benefit from collecting and analyzing personal data, while the privacy of their customers is protected at the same time.
What does GDPR mean for consumers/citizens?
Because of the significant and growing number of data breaches and hacks which have occurred in recent years, the unfortunate reality for many is that some of their data — be it an email address, password, social security number or confidential health records — has been exposed on the internet.
A major change that GDPR brings is providing consumers with a right to know when their data has been hacked. Companies will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.
Consumers are also promised easier access to their own personal data in terms of how it is processed. This means that businesses need to detail how they use customer information in a clear and understandable way.
Some businesses already comply with this aspect, even if it is as basic as sending customers emails with information on how their data is used and providing them with an opt-out if they don’t provide their consent to be a part of it. Many companies, such as those in the retail and marketing sectors, have contacted customers to ask if they want to be a part of their database.
In these circumstances, the customer should have an easy way of opting out of their details being on a mailing list. Meanwhile, some other sectors have been warned that they have a lot more to do in order to ensure GDPR compliance – especially when consent is involved.
GDPR also brings clarification to the “right to be forgotten” process, which provides additional rights to people who no longer want their personal data processed and want to have it deleted as long as there are no grounds for retaining it.
In a subsequent article, we’ll cover the marketing requirements for US companies, including the fact that individuals may view the data a company holds and download that data in a format that they can move to competitors.
What is a GDPR breach notification?
GDPR requires companies to report certain types of data breaches which involve unauthorized access to or loss of personal data to the relevant supervisory authority. In some cases, businesses must also inform individuals affected by the breach.
They will be required to report any breaches which are likely to result in a risk to the rights and freedoms of individuals and lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other economic or social disadvantage. That means that if the name, address, date of birth, health records, bank details or any private or personal data about customers is breached, the business needs to tell those affected without “undue delay” as well as the relevant regulatory body within 72 hours so everything possible can be done to restrict the damage.
This will need to be done via a breach notification, which must be delivered directly to the victims. This information may not be communicated only in a press release, on social media or on the company website. It must be a one-to-one correspondence with those affected.
Are there steep fines and penalties for non-compliance?
Yes. Failure to comply with GDPR can result in businesses receiving fines up to €20 million or 4 percent of global revenues, whichever is higher. Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.
What’s in a GDPR-compliant breach notification?
In the event of a company losing data, as a result of a cyberattack, human error or anything else, the company will be obliged to deliver a breach notification.
This must include approximate data about the breach, including the categories and approximate numbers of personal data records concerned. The latter accounts for the fact that there can be multiple data records relating to a single individual.
Companies will also need to provide a description of the potential consequences of the data breach, such as theft of money or identity fraud, and a description of the measures which are being taken to deal with the data breach and to counter any negative impacts which might be faced by individuals.
The contact details of the Data Protection Officer (DPO), or main point of contact dealing with the breach will also need to be provided.
When will you need to appoint a Data Protection Officer?
Under the terms of GDPR, a business must appoint a Data Protection Officer (DPO) if it carries out large-scale processing of special categories of data and carries out large-scale monitoring of individuals (such as behavior tracking), or if it is a public authority.
In the case of public authorities, a single DPO can be appointed across a group of organizations. While it isn’t mandatory for organizations outside of those above to appoint a DPO, all organizations will need to ensure they have the skills and staff necessary to be compliant with GDPR legislation.
There are no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner’s Office, they should have professional experience and knowledge of data protection law proportionate to the processing the organization carries out. Failure to appoint a data protection officer, if required to do so by GDPR, could count as non-compliance and result in a fine. Guard Street’s team of GDPR experts is available to serve as our clients’ Data Protection Officer.
What does GDPR compliance look like?
GDPR might seem complex and it can be. There are elements of GDPR such as breach notification and ensuring that someone is responsible for data protection which businesses need to address, or run the risk of a fine.
The approach for being ready for GDPR will be unique for each business. You will need to examine what exactly needs to be achieved to comply and who will be the data controller who is responsible for ensuring it happens. Guard Street can assist you in this.
Under the GDPR provisions that promote accountability and governance, companies need to implement appropriate technical and organizational measures. These could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), as well as keeping documentation on processing activities. Other tactics that organizations can look at include data minimization and pseudonymization or allowing individuals to monitor processing.
Guard Street can help you get ready for GDPR
GDPR does address where the digital world has taken us and is intended to protect consumers and their freedoms and privacy. The bottom line is, the EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities. Fines can be avoided through preparation and diligence. Our experienced and proven team is available to assist you in preparing your organization for compliance. As appropriate, we can also serve as your designated Data Protection Officer to help ensure your ongoing compliance with this important and far-reaching regulation. Call us to discuss the GDPR requirements for your organization.