On May 25, 2018, the European Union will begin enforcement of the General Data Privacy Regulations (GDPR). The GDPR represents an expansive approach to protecting the privacy rights of European citizens, and has the potential impact businesses across the globe, not just in the European Union. The business community needs to understand the GDPR, who it affects, and how to comply with the law, lest they face costly punishment by the EU.
What is the GDPR?
The GDPR is an administrative regulation enacted by the European Parliament to protect the privacy of Europeans as it applies to data collection. The GDPR came about, according to the Commission Implementing Decision (EU) 2016/1250 (comparable to the legislative history that accompanies the US Code), because of the European Union’s belief in “the fundamental right to respect for private life with regard to the processing of personal data, [and] also a high level of protection of those fundamental rights and freedoms.”
As noted by CIO, the GDPR requires that personally identifiable information is collected and processed in a manner that is lawful, fair, and transparent. Relevant to the recent scandal involving Facebook and Cambridge Analytica, the EU permits the collection of EU citizen data only for explicit, legitimate purposes. The GDPR requires that data collection be narrowly tailored to the collecting party’s specific needs. It also codifies a requirement that businesses — the law carves out exceptions for data collection for non-commercial, law enforcement, and intelligence purposes — ensure that personally identifiable information only be kept as long as needed by the businesses that collect it. Related to this point, the EU expands on the notion of the “right to be forgotten” by requiring dataprocessors and collectors to take steps allowing for the deletion of an EU national’s data upon request. The GDPR codifies a requirement that data be processed and stored in a fashion that is secure, and requires processors and collectors to notify EU nationals within 72 hours if there is a data breach. The GDPR requires the appointment of Data Protection Officers responsible for the maintenance of records concerning how personally identifiable information related to EU nationals is collected, processed, secured and used, much like how Sarbanes-Oxley and other US regulations required public companies to develop ethics and compliance programs.
Why Does the GDPR matter to non-European Businesses?
While this seems innocuous, if not an admirable position to take by the EU, the underlying regulations have caused some consternation in the international community. Partly, this is due to the extreme applicability of the GDPR. The EU has expanded previous regulations (namely EU Directive 95/46/EC) the GDPR to apply to all companies worldwide that process or collect data relating to EU nationals. Thus, if a resident of Kewanee, Illinois (or Lima, Peru) has a craft business that collects personally identifiable information related to the mailing addresses of EU residents in order to ship goods to them, it is equally subject to the GDPR as British Airways or Novo Nordisk.
Being subject to the GDPR is no small matter. The second reason the GDPR is causing unrest in the business community is the aggressive penalties included in the regulation by the EU. Non-compliance with the GDPR can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.
The business community responded to the Commission enacting the GDPR with concerns that the GDPR reached beyond the scope of the US-EU Privacy Shield regulations and imposing the will of the EU on other sovereign nationals. If the US Government permits enforcement of the EU regulations on US companies (a jurisdictional issue more for legal scholars), compliance with the GDPR will be costly, most of all to small to mid-sized companies that do not already have compliance programs commonly seen in Fortune 500 companies. According to international law firm Paul Hastings LLP, compliance costs for a business are estimated to be $1 million, just for technology improvements. Additional expenses would be incurred, such as those associated with retaining counsel to understand how to comply with the GDPR and hiring employees to maintain regulation compliance. Writing in the Harvard Business Review, Larry Downes noted that the GDPR appeared protectionist, as it was cheaper for businesses to comply if they used European data centers rather than ones outside the EU. Similar concerns have been raised in the Asian-Pacific market.
What should US businesses be doing in anticipation of the May enforcement deadline?
First, businesses should be aware that, regardless of the GDPR, there are already US regulations concerning the preservation of the privacy of customer personally identifiable information. The Federal Trade Commission already enforces numerous laws and regulations pertaining to data privacy and online marketing, including (but not limited to):
- The Children’s Online Privacy Protection Act (COPPA);
- The Federal Trade Commission Act (FTC Act);
- The Health Insurance Portability & Accountability Act (HIPAA);
- The American Recovery and Reinvestment Act of 2009;
- The Health Breach Notification Rule, 16 CFR §318 (2009);
- The Fair Credit Reporting Act: Disposal Rule, 16 CFR §682 (2005);
- The Fair Credit Reporting Act: Identity Theft Rule, 16 CFR §681 (2009); and,
- The Red Flags Rule, 12 CFR §41 (2007).
If US businesses do not already have data privacy compliance plans in place, they need to do so, not just to comply with the GDPR, but also with the US privacy regulations.
With the respect to the GDPR, to summarize the hundreds of pages of regulation here would be overwhelming, both to the writer and to readers. There are some core changes businesses can make to ensure compliance when the law is enacted in May 2018.
- Businesses should conduct an audit under the command and control of a CISSP-certified professional (or other properly trained and certified network security professional) to identify what personally identifiable information they are collecting;
- Businesses should consider how they process that personally identifiable information, for what purpose, and for how long do they keep it;
- Businesses should consider whether the way they process and store data would be considered reasonably secure by a professional (or by a jury), and, if not, what steps they should take to make their data secure;
- Businesses should consider the processes they have in place to address requests under the GDPR’s “right to be forgotten” requirements;
- Businesses should consider the processes they have in place to address data breaches, including whether they can notify EU consumers of breaches within 72 hours; and,
- Businesses should be considering whether their outsourced cloud storage providers (if they have any) are in compliance with the GDPR and FTC regulations.
Beginning May 25, 2018, the EU’s implementation of the GDPR will have the potential to affect businesses worldwide. Compliance with the GDPR represents a significant commitment of capital and labor for businesses, triggered if these businesses engage in practices that affect the data privacy of EU nationals. Businesses should anticipate the implementation of the GDPR by conducting security audits and developing plans to ensure compliance and avoid liability.