T-Minus 11 Months for EU Privacy Regulation
With fines of up to 20 million euros ($23 million) or four percent of global annual turnover—which, for Fortune 100 companies, could reach billions of euros—and new rules on a right to be forgotten and data portability, the European General Data Protection Regulation (GDPR) has grabbed the attention of compliance professionals and C-level executives alike. Far from being just a European law, the GDPR extends to companies that handle any European’s personal data all over the world. As less than a year remains until the date of its implementation, the GDPR requires companies to quickly devise and implement comprehensive data governance programs.
The GDPR introduces new obligations on matters such as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers. In addition, it requires companies that handle the personal data of people in the EU to undertake major operational reforms, implementing new governance mechanisms and technological tools.
Companies that already have well-developed privacy programs have less work to do. The GDPR follows the general outline of the 1995 data protection directive and codifies many existing industry best practices. But it also changes the game in some innovative ways. For example, companies need to adapt to new rights and obligations, such as the right to be forgotten and the restriction on profiling, and implement these rights into their products and services.
Companies that are starting from scratch are in for a lengthier journey. They must first understand the scope of application of the new regulation and whether it applies to their activities. Next, they must set up a privacy program, including appointment of a data protection officer (DPO) and appropriate training for staff. Finally, they should build lasting internal accountability mechanisms to map data flows, document privacy impact assessments and deploy privacy by design and by default.
This brief overview serves as a primer to the scope of the GDPR and the provisions that may prove most significant for companies that seek to avoid its substantial penalties.
Scope of GDPR
The GDPR applies to any organization that is established in the EU, offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU. For example, a developer of a dating app that is based in California—but used by thousands of individuals in the UK, Netherlands, and France—is subject to the GDPR, even without any physical presence in Europe.
The GDPR regulates the collection, storage, use and disclosure of personal data—that is, data about identifiable people. This means the GDPR only applies to data about individual human beings, not companies, governments or other organizations. Trade secrets or confidential government information may need to be protected, but since those types of information do not relate to an individual, they are not personal data and are not covered under the GDPR.
It is important to realize that “personal data” under the GDPR is not necessarily sensitive. It could be as mundane as a name, email address or telephone number. Moreover, to be protected, personal data need not be secret. In fact, even publicly available data, such as a class roster or a public comment with a name attached, is considered personal.
The GDPR distinguishes between two types of entities: controllers and processors. This is an important distinction since controllers bear ultimate responsibility for any activity with respect to their customers’ and employees’ data, even if stored or analyzed by third-party processors. A controller is defined as the entity that “determines the purposes and means of the processing” of personal data.
Processors are entities that actually process personal data on behalf of controllers. For example, a real estate firm may outsource its payroll to a separate company. In this case, with respect to its employees’ salary data, the real estate firm is the controller—the entity that controls the information and decides how it is treated. The company processing the payroll information is the processor—responsible for handling, storing and distributing the data to employees, financial institutions and tax authorities.
Start with Expertise
Once an organization determines it is subject to the GDPR, it must proceed to create a privacy program. Importantly, the GDPR requires certain companies to designate a DPO if their data processing activities fit either of two situations:
- The “core activities” of the company involve “regular and systematic monitoring of data subjects on a large scale”
- The company conducts “large-scale” processing of “special categories” of data, including any data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,” as well as “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
The DPO must be a person with “expert knowledge of data protection law and practices” who reports directly to “the highest management level” of the controller or processor. The job of a DPO involves monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. The DPO also serves as a point of contact for data subjects and data protection authorities. Given the broad scope of the DPO requirement, experts estimate that the GDPR will drive a thriving market for tens of thousands of data protection professionals in Europe and beyond.
Build a Lasting Privacy Program
Privacy professionals use a set of consistent and scalable tools to implement effective data handling practices throughout a company. Chief among these tools is the privacy impact assessment (PIA), a practice that assesses the risks associated with the processing of customer data at the beginning of any operational process.
PIAs aim to reduce the risks to organizations and data subjects created by misuse of their personal information by mapping data flows, prescribing lines of control, limiting use to specified purposes, and ensuring proper disposal. Under GDPR, privacy pros must also incorporate “privacy by design” and “privacy by default,” ensuring that privacy is part of the product development cycle from conception to implementation. When coupled with a robust understanding of the GDPR’s requirements, incorporating these practices will help companies to comply with global privacy norms.
A robust privacy program must also implement processes to accommodate the new rights of data subjects under the GDPR: the right to be forgotten and the right to data portability. The right to be forgotten allows subjects to request deletion of personal data and removal from publication. Controllers must comply unless maintaining the information is in the public interest or necessary to defend against legal claims, or where deletion is outweighed by freedom of expression. Additionally, if an individual requests removal of personal information that has been made public, the controller must take reasonable steps to inform other parties that already process the same data about the request.
The right to data portability requires controllers to provide personal data to the data subject in a commonly used machine-readable format and to transfer that data to another controller upon an individual’s request. This will no doubt stoke competitive tensions with companies that try to preserve their existing customer base.
Don’t Forget the Details
The GDPR creates clear lines of accountability between controllers and processors. It expands the controller’s responsibility for processing activities and sets out specific rules for contractually allocating responsibility between a controller and processor. Liability under the GDPR falls primarily on the shoulders of the controller. But if a processor acts as a controller or outside the scope of authority granted to it, then it is treated as a controller for purposes of that processing.
Processors’ duties include the requirement to process data only as instructed by a controller, to use appropriate technical and organizational measures to ensure data security, to delete or return data to the controller once processing is complete, and to submit to specific conditions for engaging any sub-processors. In the event of a data breach, processors are required to notify controllers, who are themselves required to notify data subjects and data protection authorities.
Consistent with the recent trend toward regulating the transfer of data across national lines, the GDPR only permits personal data to be transferred to countries outside of the EU under certain conditions. The path of least resistance is an “adequacy decision” from the European Commission, which designates a receiving country as “adequate” under European data protection standards.
Absent an adequacy decision, cross-border transfers may still be possible, but companies are required to put in place time-consuming, expensive solutions such as standard contractual clauses or binding corporate rules.
Challenge and Opportunities
The GDPR presents a challenge and an opportunity for companies. In our data-driven modern economy, the potential mismanagement of customer data is a serious risk both to companies’ brands and consumer trust.
Improper handling of data can expose companies to enormous reputational harm and civil liability. Companies that succeed in implementing privacy practices from the ground up will have a competitive advantage. The GDPR is simply a catalyst, providing a legal incentive and a due date for implementation of best practices for data privacy.
IAPP’s Westin Research Fellows, Cobun Keegan and Calli Schroeder, assisted with this article.