The European Union General Data Protection Regulation (EU GDPR) was adopted on 27 April 2016 and will go into effect on 25 May 2018. Halfway through this “transition period,” few companies are prepared to address the enhanced data protection requirements outlined in the Reg. Confusion about, and interpretation of, any document with legal effect presents challenges to those impacted by it. This is especially true when the stakes are so high.
Therefore, I will address the EU’s newest data protection regulation in a series of posts intended to provide thoughtful consideration and analysis of the various components in order to better position companies that might otherwise run afoul of the Reg. While there will be, by necessity, some overlap in the blog postings on this topic, each one will tackle the Reg from different angles. Therefore, I encourage you to read all of them to gain a better understanding of the overall requirements in order to be in compliance. Upcoming posts will include: the role and responsibilities of a Data Protection Officer (DPO), a definitional guide to specific words, phrases, and content in the Reg, and a more expanded version of my recommendations.
HISTORY
First a bit of history… The EU GDPR replaces Directive 95/46/EC and seeks to harmonize data security, retention, and governance legislation across all EU Member States, while ensuring the free flow of personal data. While these goals may sound mutually exclusive, they are, in fact, compatible. The new Reg establishes a higher standard of personal data protections for EU citizens than existed under the prior Directive. The European Commission (EC) recognized that prior legislation had failed to keep pace with the rapidly changing tide of technological advancements. As a result, written into the GDPR are provisions requiring that the Reg be periodically reviewed, not only to assess the operation and application of the Reg, but to address new technologies that may have been developed since its enactment.
KEY POINTS
In reviewing the 88-page document (several times), recurring overarching themes emerged, which I have distilled into the key points below. While they are not exhaustive, they provide a “Big Picture” view of the salient points in the Reg, as well as the steps companies should take in order to bring their organizations into compliance ahead of schedule.
• Minimum Requirements: The Reg establishes the baseline for personal data protections. Therefore, keep in mind that individual countries are free to establish even higher standards if they choose. Potential Results: All global entities must determine if their own personal data security policies will operate on disparate levels of personal data protections worldwide, or if they will adopt an “across-the-board” approach by utilizing uniform personal data protection protocols. Furthermore, entities may opt to establish datacenters in locations based on personal data protection regs.
• Applicable To: The Reg applies to all companies worldwide that: offer products and services to EU citizens or collect and process the personal data of EU citizens. Note here that no purchase need be made, nor revenue/profits earned for the Reg to apply, since personal data of EU citizens can be collected and processed without the exchange of money or other business transaction.
• Consent: Explicit consent must be given by the Data Subject for the collection, storage, and use of their Personally Identifiable Information (PII). This is also known as “opting-in.” Consent must be in clear and plain language and can be withdrawn at any time. However, withdrawal does not affect the lawfulness of data processing based on consent before its withdrawal. Furthermore, it must be as easy to withdraw as it is to consent. It is not necessary for the Data Subject to give consent again if the manner in which the consent has already been given is in line with the conditions of this Reg. However, transparency is paramount. The Data Subject must be informed of:
– The purpose of the data collection, storage, and use
– The length of time that the data will be stored and/or used; if the entity cannot provide a specific length of time, then the entity must provide the Data Subject with the criteria used to determine that period
– The recipients of the data
– The logic involved in automated processing of the data
– The consequences of data processing, if based on profiling (such as with application approval/denial for credit)
• Data Processing: The Reg applies to both manually processed and automated processing of data. Personal data is to be processed in a transparent manner in relation to a Data Subject for a specified, explicit, and legitimate purpose, and not processed further in a manner that is incompatible with those purposes. The data may not be kept for longer than necessary (or agreed upon) in a form which identifies the Data Subject. Consideration must always be given to the following concerns of data processing: nature, scope, context, purpose, sources of risk, and severity of consequences, as well as the safeguards and mechanisms to demonstrate compliance with the Reg.
• Contact Info: Data Controller’s/Processor’s/DPO’s (if applicable) contact information must be provided to the Data Subject. Data Controller/Processor/DPO must respond to a Data Subject’s queries within one month, although extensions are possible.
• Identifiable vs. Anonymized Data: The Reg applies to Personally Identifiable Information (PII); it does not apply to anonymized data. This is an important distinction, which may help to salvage the value of Big Data & Analytics. For example, if the Data Subject objects to the collection, storage, or use of their personal data for direct marketing purposes, a firm could still maintain anonymized data relevant to that Data Subject. While this would result in less targeted marketing campaigns (and be, theoretically, less effective), it would at least be more accurate than what vague, generalized customer and market data segmentation efforts would yield.
• Liability: Data Controllers and Data Processors may be employed by the same company or by different companies. However, both are individually and severally liable and entitled to charge-back from each other, if applicable. Data Processors cannot subcontract to a third-party Data Processor without the Data Controller’s agreement. However, it’s very important to take note of the fact that subcontracting does not absolve the Data Controller and Data Processor of potential liability. They both remain fully liable. This helps to ensure that Data Controllers and Data Processors carefully vet sub-contractors. At the same time, it prevents the Data Controller and Data Processor from avoiding liability by simply outsourcing the processing. This is in line with recent legal cases seeking to hold certain C-Level executives liable for the actions of their employees.
• Data Breaches: Data breaches must be reported to the appropriate EU Supervisory Authority (SA) within 72 hours, UNLESS the Data Controller/Processor can demonstrate that the breach is unlikely to result in a risk to Data Subjects or, alternatively, if alerting the authorities to the breach prematurely would hinder the investigation into the breach. The burden of proof always remains with the Data Controller/Processor/DPO, nonetheless. Therefore, Data Subjects only have to be notified if it is determined that an adverse impact to the Data Subject would result from the breach. Note here that this provision of the new Reg relating to data breach notifications is in stark contrast to the prior Directive, which required indiscriminate notification, regardless of ameliorating circumstances and considerations.
• Penalties: Punishments for non-compliance with this Reg include: fines, warnings, reprimands, specific performance, data processing limitations/restrictions/bans/cease-and-desist, criminal penalties, and the deprivation of profits obtained through infringements of this Reg. The punishments must be: effective, proportionate, and dissuasive, which means that they can also be quite expensive. Both material and non-material damage can be compensated. If several infringements occur, the fine will not exceed the amount of the gravest infringement. However, do not be lulled into a false sense of security on this point. The fines can be quite substantial and painful.
• Blanket Authorizations: The EC can provide a blanket authorization to specified third-party countries, territories, or international organizations as having the appropriate levels of data protection without needing further individual authorizations. These blanket authorizations will be reviewed at least every four years. This provision, alone, would help to streamline compliance with the Reg, and foreign entities (particularly conglomerates) should strive to attain this level of confidence from the EC.
• Records Maintenance: All entities impacted by this Reg must maintain records of their data processing activities, regardless of whether the Data Controller and Data Processor are one-and-the-same entity. Information contained therein must include: the purpose of the data collection, storage, and use, the process by which the entity developed the data categories, recipients and their location, time limits for erasure, documentation of suitable safeguards, and a description of security measures.
• Risks and Consequences: Data Controllers and Processors must evaluate and mitigate risks to data security and confidentiality, such as with encryption. However, the Reg allows for the weighing of costs against the likelihood of the risk and the consequences thereof. This provision recognizes that not all risks are worth the costs associated with their avoidance and/or elimination/reduction. This type of balancing of the interests of the Data Subjects and those of the Data Controllers runs throughout the Reg, demonstrating an understanding of fairness, rationality, and the free flow of data required to do business.
• Government Access: It is important to note that government-authorized requests are allowed within the confines of this Reg.
• Data Protection Impact Assessment (DPIA): A Data Protection Impact Assessment must be conducted any time data processing, especially when using new technology, is likely to result in a high risk to the rights and freedoms of Data Subjects. This provision relating to the use of new technology is an attempt to make the Reg evolve with developments in technology, instead of always playing catch-up. In this way, the Reg has a better chance of remaining relevant and thus avoiding the need for another major overhaul in the near future.
RECOMMENDATIONS
• Hire/Assign a Data Protection Officer (DPO) – I will publish a separate post specific to the role and responsibilities of a DPO, so stay tuned.
– DPOs are required if a Data Controller’s core activities consist of data processing, especially when it requires regular and systematic monitoring of Data Subjects’ personal data.
• Conduct an Information Audit and Data Protection Impact Assessment
• Establish a Code of Conduct relating to Data Protection
• Update Explicit Consent Opt-Ins
– Be sure to separately call out any data collection, storage, and use for direct marketing purposes
• Provide Data Subjects with the contact information of the DPO (or alternatively, the Data Controller/Processor)
• Use this new Reg as your competitive advantage
*Please see my post highlighting some of the key definitions for this Reg.