Ignoring the EU’s GDPR entirely is a perilous risk few non-EU companies can take
October 2018 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
October 2018 Issue
On 25 May 2018, one of the most extensive and far-reaching privacy laws became enforceable in the European Union (EU). The same day, a number of large US media outlets blocked European residents from their online content. This article examines what was in Europe’s new data protection law, the General Data Protection Regulation (GDPR), which scared US companies into blocking European customers, its impact on businesses and practical steps to begin compliance.
So, what is the most likely reason companies like the LA Times and Chicago Tribune blocked European readers on day one of the GDPR era? Uncertainty surrounding the law’s applicability, requirements and enforceability, particularly for non-EU entities, puts organisations in a difficult compliance position and, in some cases, scrambling to mitigate what is a significant risk exposure.
The GDPR provides for regulatory fines of up to 4 percent of an organisation’s annual global revenue or €20m, whichever is greater, for a compliance violation. In addition to painful financial penalties, non-compliant organisations could face other harmful consequences, such as regulators’ scrutiny and injunctions, civil or criminal liability for directors and senior management, inefficiency and lost business opportunities.
Organisations are implementing considerable data protection frameworks to mitigate against these risks and gain a competitive edge. Such a framework is necessary for demonstrating legal and operational compliance, as well as notifying customers, regulators and the courts that the organisation takes personal data protection seriously.
The GDPR’s scope is arguably immeasurable. And with the law in its infancy – and a dearth of actionable guidance from regulators – companies and industries must determine themselves whether, how and to what extent they must comply. For a law that is far-reaching, contains prescriptive obligations and threatens consequential ramifications, this is not a light undertaking.
The GDPR governs the ‘processing’ of ‘personal data’, a term that covers collecting, accessing, using, storing and sharing the data, among other operations. Personal data is broadly defined as any information relating to an identified or identifiable individual, including information that can be combined with other data to identify a person. The impact on US companies alone is remarkable. According to an independent survey by Vanson Bourne in 2016, 52 percent of US companies hold data on EU citizens and could therefore be liable under the GDPR. But what exactly does this all mean?
Every company, worldwide, with customers or employees in the EU, or that offers goods or services to EU residents, must at least consider GDPR applicability and compliance.
Organisations processing personal data in the EU, or the personal data of individuals who are in the EU, fall under the GDPR. If an organisation has an ‘establishment’ in the EU, and personal data is processed in the context of that establishment’s activities, the GDPR applies to that organisation, wherever the processing itself takes place. The GDPR also applies to non-EU organisations’ processing of the personal data of individuals in the EU where the activities relate either to the offering of goods or services to individuals in the EU, whether or not payment is required, or to the monitoring of the behaviour of individuals in the EU, the most common example being online tracking.
Even should an organisation determine that the GDPR is inapplicable directly, it may indirectly impact the organisation if, for example, the organisation wants to position for growth, investment, merger, development or competitive third-party relationships.
The GDPR requires organisations to demonstrate their legal and operational compliance with its seven principles and other requirements, not just to regulators but also to business partners and data subjects, upon demand. The principles require that all personal data be: (i) processed fairly, lawfully and in a transparent manner; (ii) obtained only for specified, explicit and legitimate purposes and processed only in a manner compatible with those purposes; (iii) adequate, relevant and not excessive; (iv) accurate and kept up to date; (v) kept in a form which identifies data subjects for no longer than necessary; (vi) kept secure using appropriate technical or organisational measures; and (vii) used in a way which evidences the organisation’s accountability for compliance with the principles.
The GDPR does not discriminate by sector or information category; it applies to any digital and non-digital personal data, whether used by a corporation, government, nonprofit or small business. Under EU law, the protection of personal data is a fundamental right and such data cannot be processed absent an enumerated lawful basis, for example the data subject’s consent, performance of a contract with the data subject, or the business’ legitimate interest. Individuals never relinquish control over their information: who is using it, and for what purpose, remains subject to their rights. In an age where information (particularly that of consumers) is gold, any law impacting its collection and usage is noteworthy.
The GDPR enumerates certain ‘data subject rights’, seeking to empower consumers and safeguard their data. These include the right of access to their personal data and to information about how it is processed, as well as the rights to erasure, rectification, portability, restriction of processing, objection to processing and withdrawal of consent to processing.
Coupled with these rights are additional policy and operational requirements imposed on organisations. For example, the law sets out specific information, including particular clauses, which organisations must include in their privacy notices for the processing to be lawful. It does the same with its requirement for written agreements whenever a company processes personal data on behalf of another, such as a service provider acting for its customer, or a subsidiary acting for its parent.
Organisations must also identify how they collect, use and share personal data, whether they can identify the lawful bases for each particular use, and if they can respond in a timely manner to data subject access requests. This is particularly critical where an organisation is relying upon consent.
What constitutes valid consent is now more onerous and, simply put, implied consent no longer exists. That means opt-out offerings, pre-checked boxes and the like are no longer permissible as a means of obtaining consent. Nor is previously obtained consent grandfathered in: if it does not meet the GDPR’s requirements, companies are back to square one. This, together with outdated privacy notices and an unclear lawful basis for processing, was likely a key reason for the US media blackout.
Further, under the GDPR the data breach reporting time frame has accelerated. For breaches likely to result “in a risk to the rights and freedoms of individuals”, the organisation must notify the supervisory authority within 72 hours of becoming aware of the breach, regardless of whether that ‘awareness’ arises downstream, for example through a service provider that processes the data on the organisation’s behalf.
A final example (but, by no means, the final new requirement) is that certain qualifying organisations must designate a data protection officer (DPO) to oversee the GDPR’s governance, maintenance and reporting requirements. Even if a DPO is not required, a privacy manager should be designated, and key stakeholders identified to aid in developing benchmarks, oversight, reporting requirements and statements of compliance. Implementing a coordinated chain of command, written reporting procedures, authority protocols and legal review escalation requirements will help demonstrate a culture of compliance.
To begin assessing the GDPR’s applicability and implementing a compliance framework, a complete survey of an organisation’s current personal data processing activities is critical. That survey should cover its data protection and privacy policies, notices, international data flows, agreements and templates, products and services using personal data, advertising and marketing activities, and operational protocols.
Following the inventory, an analysis should be undertaken to determine which of an organisation’s existing procedures and policies are adequate, and which are either deficient or absent. The results should then be reviewed in a risk-weighing exercise to determine the high-risk areas on which to focus the initial compliance framework. Among other things, considerations should include: (i) the risk of exposure, for example it is easy to see whether a public-facing privacy notice is non-compliant; (ii) which category of fines the noncompliance falls under; (iii) whether the nonconformity was already a breach of earlier law; (iv) reputational concerns; (v) whether the issue can be remediated quickly; (vi) whether agreements with third parties or business operations are at risk; and (vii) whether regulators have signalled interest in particular areas or issues.
Ultimately, the GDPR has created an ongoing compliance regime that few organisations can risk ignoring, particularly as countries beyond the EU, as well as some US states (California, for example, with its recently enacted California Consumer Privacy Act), are beginning to adopt similar requirements and obligations, and as third parties and customers with whom organisations seek to do business are imposing or expecting certain data protection assurances.
It is important to note that, given the nature of the law, it is unlikely that organisations will ever reach and maintain a 100 percent compliant state with every facet of the GDPR. Regulators, such as the UK’s information commissioner Elizabeth Denham, acknowledge that so-called “GDPR compliance” will be an “ongoing journey”, and that it is not about reaching an end destination because “no business stands still”. Yet, by undertaking a process to define operational and policy reforms, an organisation will be better positioned to demonstrate its commitment to working toward and maintaining overall compliance, as well as to meeting public expectations.
Brian A. Tollefson is a partner and Kathryn D. Stone is an associate at Prince Lobel. Mr Tollefson can be contacted on +1 (617) 456 8099 or by email: firstname.lastname@example.org. Ms Stone can be contacted on +1 (617) 456 8091 or by email: email@example.com.
© Financier Worldwide
Brian A. Tollefson and Kathryn D. Stone