On this day, May 25, in the year 2018, the General Data Protection Regulation will go into effect. Commonly referred to as GDPR or the Regulation, this set of rules governing the privacy and security of personal data is being laid down by the European Commission, but it has serious implications for companies in countries outside the European Union (EU).
Those serious implications include data breach notification requirements and fines for non-compliance. Yes, fines! Fines that could be as high as 4% of “total worldwide annual turnover of the preceding financial year.” So, a large US retailer with global revenues of $75 billion in 2018 could be looking at … that’s right: $3 billion! Even if your company has no revenues, the fine could be up to 20 million Euros, which is currently $22 million US.
Hopefully I now have your attention. And fortunately, there are plenty of resources available for anyone who needs to learn more about the GDPR (and a lot of organizations do need to know this stuff). Many of the large law firms have put out information and analysis. For example, these bullet points from Mintz Levin explain the Regulation relative to the current EU Data Protection Directive 95/46/ec. I have paraphrased three of these points that complete this sentence: Your firm is covered by the GDPR if…
- You monitor the behavior of data subjects who are located within the EU, or
- You’re based outside the EU but provide services or goods to the EU (including free services), or
- You have an “establishment” in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR).
This is a considerable expansion of the scope of data protections provided by European law. And it encompasses all people living in the EU, not just EU citizens. In addition, the GDPR expands liability beyond the current Directive to include data processors as well as data controllers. For help with these two key terms — data controller and data processor — there is a good clarification here. Basically the latter is someone who processes data for the former and is a separate legal entity from them. For example, an employer is a data controller with respect to employees (data subjects) about whom it keeps records. A company to whom payroll operations are outsourced is a data processor with respect to its clients’ employees (but a data controller with respect to its own employees).
Analysis of the implications of the GDPR for companies that collect personal data as part of their business model can be found in the additional resources I have cited below. As I see it, the biggest change is from the current consent provisions to a stricter definition of “consent” and the conditions under which consent is obtained, maintained, and terminated.
Of course, it should noted that I am not a lawyer and you should not rely on this or any other blog post for legal advice. You should consult suitably qualified legal counsel on matters relating to GDPR interpretation and compliance. However, I do have one pro tip: if you call up your company’s legal counsel and they respond with something like “G-D-P-what?” then they are probably not suitably qualified, at least not yet.
When it comes to the security of the personal data your organization handles, I think it is worth citing the appropriate sections of the GDPR at length. In effect, these establish a baseline that US companies handling data about EU persons will need to meet in order to defend against claims that they are “processing in infringement of this Regulation” and thus potentially subject to fines.
In section 83 we read that “…the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
In other words, there are very few specifics about how you should go about securing data, aside from the encryption reference; but there’s a clear assertion that you must perform a risk assessment. One would hope that by now every organization has done a cybersecurity risk assessment and is keeping it current, yet we still see HIPAA fines in the US due to failure to perform a risk analysis.
Section 83 elaborates on the risks that need to be considered: “In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.” Section 84 goes on to discuss the security of “high risk” data, a distinction I will address in a separate article (there is ongoing discussion about how that distinction will be made).
Nothing sheds light on organizational cybersecurity posture like security breaches, and these are addressed in Section 85. This states that when the data controller “becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.” However, the Regulation does allow the data controller not to notify authorities of a breach if it is “able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
The GDPR specifies the terms of data breach notification in Section 86 which states that data controllers must “communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.” Some of the specifics of the notification are spelled out, such as “describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.” For a look at some of the implications of these notification rules, read this article on the IAPP blog.
Clearly, there is a lot to take in, and get ready for, especially if the idea of having to deal with European data protection law is new to you. A good source of GDPR information is of course the International Association of Privacy Professionals (IAPP) and they have documented the top 10 operational impacts of the GDPR. The law firm of Allen & Overy offers a good GDPR report (PDF) with a handy list of “8 things you should be doing now to prepare” and this blunt summation: “The level of risk associated with the GDPR has catapulted data protection into the boardroom.”
I found the GDPR webinar from UK law firm WedLake Bell to be very useful (registration required, but worth it). There is some good written analysis of the business and technical implications of the GDPR from one of the top privacy law firms, the one with the cool name: Morrison & Foerster, a.k.a. MoFo. Note that GDPR analysis written at the end of last year is still helpful because the Regulation was already close to final at that point.
If the idea of data protection is new to you, or if you have a hard time believing that companies and other organizations in Europe already operate under a system of regulations that requires them to register their use of data with a government agency, then it is instructive to visit this UK government website (and yes, the UK is still in the EU as of May 25, 2016). Finally, for privacy and security purists who want to read the GDPR for themselves (like I did) here is a link to the final version as a PDF, all 150 pages of it.
I will be writing more about the GDPR in the future, including the implications for information system security, and the folks who are tasked with providing it to the organization. I will also try to tackle the moving target that is the Privacy Shield, something the US and EU are developing to replace the Safe Harbor provisions, the arrangement which the EU court ruled was inadequate when it came to assuring protection for the personal data of natural persons when such data crossed the pond to the US.