The General Data Protection Regulation (GDPR) will have a major impact on companies that handle the personal data of individuals in the European Union. This includes US companies that sell goods and services to EU residents. This article describes the most impactful GDPR requirements that US companies should know about.
Within the EU, businesses that collect individuals’ personal data are called ‘Data Controllers’ and any use of personal data is called ‘Data Processing’. In addition, Data Controllers may use ‘Data Processors’, such as cloud service providers or billing companies to handle personal data.
GDPR, which comes into force on May 25th, 2018, significantly increases the privacy obligations of every company that processes the personal data of people in the European Union. The Regulation, which has worldwide reach, changes how that data must be handled and the controls that companies must implement over its use. It also brings substantial potential fines for organizations that fail to protect the data effectively.
How prepared are US companies for GDPR? Not very, says Ann Cavoukian, former privacy commissioner for the province of Ontario and now executive director at Ryerson University’s Privacy and Big Data Institute. “In the U.S. companies don’t understand what a game changer it’s going to be,” she warns.
Here are ten key insights into how GDPR may affect your US business after May 2018:
Territorial Scope [Article 3]
GDPR applies to any company that processes the personal data of an individual in the EU, regardless of where the company itself is located, and the Regulation makes this territorial scope explicit. Under GDPR these individuals are known as ‘Data Subjects’. The Regulation applies to the processing of personal data of Data Subjects in the EU by a Controller or Processor not established in the EU where the processing relates to offering goods or services to those Data Subjects (whether or not payment is required) or to monitoring their behaviour within the EU. US companies doing either of these things will fall under GDPR. Such non-EU Controllers and Processors must, unless an exemption applies, designate a representative established in the EU [Article 27]; the representative acts as the point of contact for the Supervisory Authorities (the independent public authorities that monitor application of the Regulation in each Member State) and for Data Subjects.
Penalties [Articles 83 and 84]
Under GDPR organizations can be subject to significant fines, in two tiers. The most serious infringements, such as processing without a valid legal basis (for example without sufficient consent), violating the basic principles of processing, breaching Data Subjects’ rights, or unlawfully transferring data outside the EU, can result in fines of up to 4% of annual global turnover or €20 Million (whichever is greater). Other obligations, including data protection by design, breach notification and the DPO requirements, carry fines of up to 2% of annual global turnover or €10 Million. It is important to note that these rules apply to both Controllers and Processors, meaning that personal data held in the cloud will not be exempt from GDPR enforcement.
Consent [Articles 6, 7 and 8]
Requests for consent must be presented to Data Subjects in an intelligible and easily accessible form, using clear and plain language, and must state the purpose of the processing for which consent is sought. Consent itself must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: silence, pre-ticked boxes or inactivity do not count. The Controller must be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it. Where an online service is offered directly to a child, the consent of a parent or guardian is required for children under 16 (Member States may lower this age to no less than 13).
Breach Notification [Articles 33 and 34]
Where a personal data breach has occurred and is likely to “result in a risk to the rights and freedoms of individuals”, notification to the Supervisory Authority is mandatory. Such notification must take place without undue delay and, where feasible, within 72 hours of the Controller first becoming aware of the breach; a later notification must explain the delay. Where the breach is likely to result in a high risk to individuals, the affected Data Subjects must also be informed without undue delay [Article 34]. Data Processors are required to notify their customers, the Data Controllers, “without undue delay” after becoming aware of a breach, so contracts with cloud and other service providers should spell out how and how quickly that happens.
Right to Access [Article 15]
Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed and, where it is, access to that data together with the purposes of the processing, the categories of data, the recipients (including recipients outside the EU), the envisaged retention period and the source of the data. The Controller must provide a copy of the personal data free of charge (a reasonable fee may be charged for further copies) and, where the request is made electronically, in a commonly used electronic format, normally within one month of the request.
Right to Erasure (‘right to be forgotten’) [Article 17]
This is the right of Data Subjects to request that a Data Controller erase their personal data without undue delay. Unless an exception applies, such as the data being required for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims, the Controller must comply with the request. Where the Controller has made the data public, it must also take reasonable steps to inform other Controllers processing that data that erasure has been requested, so that links to and copies of the data are removed. The right to erasure applies in the following situations:
- The data is no longer needed for the original purpose
- The data subject has withdrawn his/her consent and there are no other grounds for processing
- The data subject has objected to the processing
- A legal obligation requires the erasure
- The processing is unlawful
- The data was collected in relation to offering information society services to a child
Right to Object [Article 21]
Data Subjects have the right to object, on grounds relating to their particular situation, to processing that is based on the Controller’s legitimate interests or on the performance of a task in the public interest, including profiling. Once an objection is made the Controller must stop the processing unless it can demonstrate “compelling legitimate grounds” that override the interests, rights and freedoms of the Data Subject, or grounds for legal claims. The Data Subject may also object at any time to processing for direct marketing purposes; this objection is absolute and the data must no longer be used for that purpose.
Data processing for scientific or historical research or statistical purposes can likewise be objected to on grounds relating to the Data Subject’s particular situation, unless the processing is necessary for a task carried out in the public interest.
Data Portability [Article 20]
The right to data portability allows Data Subjects to receive the personal data they have provided to a Data Controller and to transmit it to another Controller of their choosing. It applies where the processing is based on consent or on a contract and is carried out by automated means.
Data Controllers must provide this data free of charge and in a structured, commonly used, machine-readable format to make the transfer as simple as possible, and, where technically feasible, must transmit it directly to the other Controller at the Data Subject’s request.
Privacy by Design [Article 25]
Privacy by design (the Regulation’s term is ‘data protection by design and by default’) means that the Controller must consider data protection from the outset when designing systems and processes, rather than having to add or upgrade capabilities later in order to protect personal data. The Controller is required to implement appropriate technical and organisational measures, such as pseudonymisation, in order to meet the requirements of the Regulation and protect the rights of Data Subjects. By default the Controller may collect and process only the personal data necessary for each specific purpose (data minimization), must retain it no longer than that purpose requires, and must ensure that it is not accessible to more people than are needed to carry out the processing.
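The Right to Access, Right to Erasure, Right to Object and Data Portability sections above, together with the data-minimization rule here, all end up as concrete operations on whatever store holds the personal data. The following Python module, added here as an illustration and not part of the original article or of any Welford product, shows one way to implement them against a small in-memory store: a per-purpose field allowlist applied at ingest, a JSON export for access and portability requests, an absolute opt-out from direct marketing, and an erasure routine that honours a legal-hold exception and reports what it retained. The purposes, field names and the “legal hold” rule are assumptions made for the example.

```python
"""Subject-rights helpers for a small personal-data store.

Added example for illustration only; not code from the article or from any
product. The purposes, field names and legal-hold rule below are assumed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Data minimization: each processing purpose names the only fields the
# Controller may hold for it. Anything else is dropped at ingest (assumed schema).
ALLOWED_FIELDS = {
    "order_fulfilment": {"name", "email", "shipping_address"},
    "support": {"email", "ticket_text"},
    "marketing": {"email"},
}

# Records kept to meet a legal obligation (e.g. invoices for tax purposes)
# are exempt from erasure; the Controller must still report that they exist.
LEGAL_HOLD_PURPOSES = {"order_fulfilment"}


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    created: str
    legal_hold: bool = False


class PersonalDataStore:
    def __init__(self):
        self._records = []
        self._marketing_objections = set()

    def ingest(self, subject_id, purpose, raw):
        """Store only the fields the purpose allows; return the fields discarded."""
        allowed = ALLOWED_FIELDS[purpose]  # unknown purpose raises KeyError on purpose
        if purpose == "marketing" and subject_id in self._marketing_objections:
            raise PermissionError("subject has objected to direct marketing")
        minimised = {k: v for k, v in raw.items() if k in allowed}
        self._records.append(Record(
            subject_id, purpose, minimised,
            datetime.now(timezone.utc).isoformat(),
            legal_hold=purpose in LEGAL_HOLD_PURPOSES))
        return sorted(set(raw) - allowed)  # for the audit log

    def object_to_marketing(self, subject_id):
        """Objection to direct marketing is absolute: drop the data and block re-entry."""
        self._marketing_objections.add(subject_id)
        before = len(self._records)
        self._records = [r for r in self._records
                         if not (r.subject_id == subject_id and r.purpose == "marketing")]
        return before - len(self._records)

    def export_subject(self, subject_id):
        """Access / portability: machine-readable copy of everything held on the subject."""
        items = [{"purpose": r.purpose, "collected": r.created, "data": r.data}
                 for r in self._records if r.subject_id == subject_id]
        return json.dumps({"subject_id": subject_id, "records": items},
                          indent=2, sort_keys=True)

    def erase_subject(self, subject_id):
        """Erasure: delete what may be deleted, report what is retained and why."""
        kept, erased = [], 0
        for r in self._records:
            if r.subject_id == subject_id and not r.legal_hold:
                erased += 1
            else:
                kept.append(r)
        retained = sum(1 for r in kept if r.subject_id == subject_id)
        self._records = kept
        return {"erased": erased, "retained_under_legal_hold": retained}


if __name__ == "__main__":
    store = PersonalDataStore()
    # Constructed sample input: date_of_birth is not needed for fulfilment and is dropped.
    print("dropped:", store.ingest("subj-1", "order_fulfilment", {
        "name": "A. Example", "email": "a@example.test",
        "shipping_address": "1 Sample St", "date_of_birth": "1990-01-01"}))
    store.ingest("subj-1", "support", {"email": "a@example.test", "ticket_text": "help"})
    store.ingest("subj-1", "marketing", {"email": "a@example.test"})
    print(store.export_subject("subj-1"))
    print("marketing records removed:", store.object_to_marketing("subj-1"))
    print("erasure result:", store.erase_subject("subj-1"))
```

The erasure result is the part a practitioner most often gets wrong: a request must not silently fail on records the business is legally required to keep, nor silently keep them; the response to the Data Subject should say what was erased and what was retained and on what ground.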
Data Protection Officer (DPO) [Articles 37, 38 and 39]
Under the GDPR framework, any organization whose core activities involve “regular and systematic monitoring of Data Subjects on a large scale”, or large-scale processing of special categories of data (such as health data) or criminal-conviction data, must designate a DPO by the May 25th, 2018 enforcement date; public authorities must do so regardless. This includes American and Canadian companies that meet these criteria when processing EU Data Subjects’ data. The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must have their contact details published and provided to the relevant Supervisory Authority
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
The primary functions of the DPO are to inform and advise the Data Controller (or Processor) and its employees of their obligations under GDPR, and to monitor compliance with the Regulation. This includes conducting privacy awareness training, performing compliance audits, and advising on and monitoring data protection impact assessments (DPIAs) where these are required. DPOs also cooperate with and act as the point of contact for the Supervisory Authority.
DPOs should be proficient in IT and data security processes and should also have a strong understanding of corporate risk that extends beyond basic legal compliance. DPOs are protected by law: they must not be dismissed or penalised for performing their tasks, and must not receive instructions on how to carry them out. Because of this, some companies may prefer to engage a DPO on a fixed-term contract rather than as a permanent employee. Alternatively, companies are also permitted to fill the DPO role with a third-party service provider under a service contract.
Finally, for most enterprises, data protection should be an integral element of business strategy and a driver of business growth. It is likely, however, that the immediate reaction of many organizations to GDPR will be to reluctantly take on a DPO as a means of complying with an unavoidable regulatory obligation. The reality is that this is an opportunity to bring in a knowledgeable and focused resource to safeguard critical customer and employee data.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in practice areas that include Security & Compliance and Business Strategy & Support. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity you are currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information you may hold within your organization. This may be payment card information, personal health information, or data on individuals in the EU that falls under the requirements of the General Data Protection Regulation (GDPR), which comes into force on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that reduce the likelihood of your suffering a damaging and expensive data breach.