Yes, GDPR Really is a Top Priority in the United States
The General Data Protection Regulation (GDPR) is not only front-of-mind for organizations based in the European Union (EU). According to Price Waterhouse Coopers (PWC), over half of U.S. multinationals say GDPR is their top data-protection priority. Of the 200 survey respondents, 54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda. Another 38% said GDPR is one of several top priorities, while only 7% said it isn’t a top priority. What is the GDPR regulation, and what is its territorial reach? What will GDPR compliance cost organizations? Are there penalties if organizations violate the regulation? Who is enforcing the regulation, and what impact will that have? Most importantly, does your organization have a GDPR action plan?
The Origins of GDPR
The EU General Data Protection Regulation was adopted on April 8, 2016 and will take effect on May 25, 2018. The GDPR replaces the current Data Protection Directive 95/46/EC and will be directly applicable in all EU Member States without the need for implementing national legislation. The first of the Article 29 Working Party (WP29) guidelines, covering Data Protection Officers, the one-stop shop, and the new Right to Data Portability, were adopted on April 5, 2017, and more guidelines are expected.
Portions of GDPR Rules Are Already a Reality
Some of the GDPR data protection rules are already being implemented by organizations across the EU, including in Germany and Italy, to protect personal financial data. German outsourcing companies are already enforcing strict rules for data protection. Data protection rules in Sweden are now based on how the data is used. To understand how GDPR will affect the way your organization receives, stores, and uses private data from EU citizens, let’s examine some of the areas that will have the greatest impact.
Role of Data Processors
To comply with GDPR, Data Processors have direct obligations including:
- Maintaining a written record of processing activities carried out on behalf of each controller.
- Designating a data protection officer where required.
- Appointing a representative (when not established in the EU) in certain circumstances.
- Notifying the controller on becoming aware of a personal data breach without undue delay.
Provisions on cross-border data transfers also apply to Data Processors and Binding Corporate Rules (BCR) for Processors are formally recognized. The new status of Data Processors will impact how data protection regulations are addressed in supply and other commercial agreements.
Notice / Consent
Data Controllers must continue to provide transparent information to Data Subjects at the time personal data is obtained. Existing forms of fair processing notices and consents will have to be re-examined, as the GDPR requirements are more detailed. Data Subjects’ consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give. Consent is not freely given if the data subject has no genuine free choice or is unable to withdraw or refuse consent without detriment. Consent must be “explicit” for the use of sensitive data. The Data Controller is required to be able to demonstrate that consent was freely given.
Requests for consent should be separate from other terms and be in clear and plain language. Does consent provide a valid legal ground for processing where there is a significant imbalance between the data subject and data controller? For example, determining whether consent has been freely given can depend on whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract. This consent scenario may affect e-commerce services, among other processes.
Member States may provide more specific rules for use of consent in the context of using and sharing personal data for employment purposes.
Where personal data is to be used for direct marketing, the data subject has a right to object. This right must be explicitly brought to their attention, along with a way to opt-out.
Children / Parents
Member States may lower the age from 16 to 13 years old at which a citizen can consent to the collection of their data, which may result in a lack of harmonization across the EU.
Once data has been anonymized, there can be a point at which it is no longer the Data Subject’s personal information.
GDPR’s Expanded Territorial Reach
The GDPR Rules will impact organizations in countries outside the EU. The GDPR regulates Data Controllers and Data Processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behavior of, data subjects in the EU. According to Khizar A. Sheikh, Chair, Privacy, Cybersecurity, and Data Law, Mandelbaum Salsburg, United States:
“Offering goods or services” may be more than mere access to a website or email address, and could be triggered by use of language or currency generally used in one or more Member States with the possibility of ordering goods/services there and/or mentioning customers or users who are in the EU. “Monitoring of behavior” will occur, for example, where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made/predict personal preferences, etc. This means that a company outside the EU which is targeting consumers in the EU may be subject to the GDPR.
Spending Millions to Address GDPR
77% of the U.S.-based organizations surveyed by PWC plan to spend $1 million or more to meet GDPR regulations. Securing a $1 million budget for data privacy has been more an exception than a rule for many American corporations. However, the GDPR’s potential fine of 4% of global revenues for abusing the personal information of EU citizens has changed budget appetites for mitigating GDPR risk. While 24% of respondents plan to spend under $1 million on GDPR preparations, 68% said they will invest between $1 million and $10 million, and 9% of responding organizations expect to spend over $10 million to address GDPR obligations.
U.S.-Based Organizations are Re-evaluating Their Presence in Europe
The PWC GDPR Survey found that U.S. organizations that are heavily invested in Europe will probably stay the course in the near term. Indeed, 64% of executives reported that their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify European personal data to reduce exposure. However, the threats of high fines and impactful injunctions clearly have many non-EU organizations reconsidering the importance of the European market. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether due to uncertainty about penalties and authorities.
The GDPR establishes a tiered approach to penalties. It enables the DPAs (Data Protection Authorities) to impose fines of up to the greater of 4% of annual worldwide revenues or 20 million euros for certain breaches, such as breaches of the requirements relating to international data transfers or of the basic principles for processing, including the conditions for consent. Other specified breaches would be subject to a fine of up to the greater of 2% of annual worldwide revenues or 10 million euros. A list of considerations that apply when imposing fines, such as the nature, gravity, and duration of the breach, is available through the DPA.
The mechanism for governing authority is complicated, as it distinguishes between cross-border and domestic processing. There are complex cooperation and coordination procedures for DPAs. So that data subjects can have their cases dealt with locally, the GDPR sets out a detailed regime in which a Lead Authority and Concerned Supervisory Authorities work together. The WP29 has provided guidance on how to identify a Lead Supervisory Authority. It remains to be seen how this will work in practice and whether it can work without forum shopping.
GDPR = Enterprise-Wide Trust
The GDPR Rules will have a significant impact in several areas, according to The GDPR Institute and Ian West, Specialist in GDPR, Data Governance, Data Privacy & Security, United Kingdom:
Do you control or process personal data about ANY EU Citizens? If so, you have to be GDPR compliant by 25th May 2018, or manage the implications of the fines and the reputational damage of any and every Data Breach – including Customers, Employees, and Suppliers.
Opportunity or Challenge?
Fines, Loss of Customers, Reputational Damage, and COST of Compliance are key aspects of GDPR. GDPR involves Enterprise-wide Change Management, Post Room, and Board Room. It involves People, Process, Technology, and Information.
Key Questions for Your Organization
What Personal Data do you hold:
- Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Patient etc.?
- Where is that data located: PC hard drive, Remote Storage or Backup Device, On Premise Database or Content Server, or in the Cloud?
- How are you using Personal Data and do you have Explicit or Implied Permission to use the data in the way you are using it?
Immediate Action Plan
Most importantly—Start Now
- Seek Legal Advice.
- Conduct a Privacy Impact Assessment.
- Complete a Readiness Assessment to address the key questions.
- Secure Executive Sponsorship and a meaningful budget.
- Develop a Consent Management strategy.
- Build a Data Subject Access Request process before you get swamped.
- Ensure you have all your Breach Detection technology in place – Database, Content Repositories, Network Traffic, Dark Web.
In other words, prepare for the worst, and breathe a sigh of relief if it doesn’t happen. You can also seek assistance through the GDPR Institute (see note 2 below), which was set up to help you resolve YOUR GDPR challenge and maximize the opportunities presented by the new privacy regulations.
TokenEx is the enterprise leader for data protection, with the capability to store all personal data in Secure Cloud Data Vaults and to help de-identify all the sensitive data held in your IT systems, alleviating many of the GDPR restrictions. Remember, with TokenEx — No Data, No Theft.
(2) About the GDPR Institute (www.gdpr.institute): the GDPR Institute is a member-owned not-for-profit organisation. Its purpose is to create a community of data privacy, data security, and data governance experts to assist large, medium, and small organisations in addressing the challenge and maximising the opportunity created by the General Data Protection Regulation (GDPR): GDPR challenge or GDPR opportunity.