Data protection in the US and Europe
There has traditionally been a marked difference in approach between the US and Europe when it comes to legislation designed to protect individuals’ private information. In the US, a number of disparate privacy laws have been enacted to protect various types of personal data, for example the Health Insurance Portability and Accountability Act (HIPAA) for Protected Health Information (PHI) and the Financial Credit Reporting Act (FCRA) for credit report information. Europe, however, has taken a different approach, treating privacy as a fundamental right protected by a single piece of legislation known as the Data Protection Directive, which to date has regulated the processing of personal data throughout Europe.
General Data Protection Regulation specifics
The General Data Protection Regulation will replace the existing Directive and defines a broad range of data security measures that must be taken by organizations in order to protect PII that they hold on EU residents. Specifically, the GDPR:
- Defines measures data holders must take to protect data
- Emphasizes significant enforcement expectations
- Enables large fines to be levied
- Imposes broad disclosure requirements for data security breaches
Companies will be required to obtain unambiguous consent when collecting PII on EU residents. For websites, this will require an ‘opt-in’ mechanism that clearly indicates the individual’s acceptance that data can be collected and processed. Companies must also implement personal data protection technologies such as pseudonymization, which masks the identity of any individual. Employees should be trained in these practices, and companies must regularly audit the data they maintain and document the reasons for its collection. Additionally, all uses of high-risk data will be subject to a Privacy Impact Assessment (PIA) to account for the risks of processing and to identify necessary safeguards. When it comes into effect on May 25, 2018, the GDPR can apply to an extremely wide range of organizations that control or process data about EU residents. Under EU law, a ‘data controller’ is any organization that collects an individual’s personal data. A ‘data processor’ is any organization that processes the data on behalf of a data controller, e.g. cloud service providers. Given these definitions, the GDPR will apply to many organizations without a physical presence in the EU.
Expanded Individual Rights
Under the GDPR, individuals gain a number of new rights, relating to the control of their personal data:
- The right to be informed: obligates data controllers to provide “information necessary to ensure fair and transparent processing” to data subjects, typically through a privacy notice and when an access request is made.
- The right to restriction of processing: allows a data subject to prevent further use of his or her personal data, while allowing the data controller to continue storing the information.
- The right to be forgotten: individuals can request that a corporation delete their information once its retention can no longer be legally justified.
- The right to portability of data: individuals can request a copy of all automated data which a company possesses about them. This data must be delivered in an easily transferable format, which could be an arduous and expensive task for some companies.
The GDPR forces companies to consider individuals’ rights very carefully when using personal information in their business operations. The new regulation highlights the importance of an individual’s ability to control their personal data. Companies will need to be prepared to comply with requests related to these new rights by early 2018.
Regulation vs directive
It is important to note that the new legislation is a regulation, rather than a directive. This means that EU member states have far less latitude to apply their own interpretation of the law and are bound to act at an EU level in implementing GDPR. The intention is that this will guarantee a far greater level of harmonization across the EU for the protection of PII. In this way, GDPR further expands on the Data Protection Directive by centralizing powers that were previously reserved to EU member states.
Impact on organizations outside of the EU
The previous Directive applied only to those entities that processed data on EU residents and maintained physical locations or equipment in the EU. However, the General Data Protection Regulation applies directly to any entity that holds PII on EU residents, wherever they may be located. This means that companies in the US will need to prepare for compliance with the GDPR if they:
- Offer goods or services to EU residents.
- Monitor the behavior of individuals resident in the EU.
Jurisdiction will be assessed digitally, and regulators will look to a variety of factors, including how a website references EU residents, the currencies accepted and the languages used. In addition, any profiling of EU residents will fall squarely within the GDPR criteria. This is a significant shift and something that organizations previously outside the scope of the current Directive but now subject to the GDPR will need to prepare for in the coming months. It is also worth noting that there is no grace period: 25 May 2018 is the date upon which all applicable organizations must be compliant.
The role of the Data Protection Officer (DPO)
Under the General Data Protection Regulation framework, any private sector organization that carries out “regular and systematic monitoring of data subjects” as part of its principal business activities will be required to employ a Data Protection Officer or DPO.
The primary function of the DPO is to inform and advise the data controller on how to manage compliance with the GDPR (and other data security standards and regulations). This includes conducting privacy awareness training, performing compliance audits and, wherever appropriate, issuing privacy impact assessments. DPOs are also responsible for acting as the liaison between the company and the Supervisory Authority (SA). They are protected by law and cannot be dismissed for exercising the GDPR-related duties of their position. Because of this, some companies may choose to employ DPOs on a semi-annual contract and then opt to renew or replace the DPO if necessary.
The International Association of Privacy Professionals (IAPP) estimates that 75,000 new DPO positions will be created as a result of companies seeking to meet their GDPR requirements.
Breach notification requirements
Another significant change from the current Directive is that the GDPR specifically defines a ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”. In the case of such a breach, data controllers must notify the supervisory authority not later than 72 hours after having become aware of it. Furthermore, if the data controller determines that the breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also communicate the details of the breach to affected individuals “without undue delay”. This broad definition differs from data breach laws in most U.S. states. For example, in the US breach notification is typically triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information. Companies will need to come to terms with the fact that they may well have to make public data breaches that, in past times, might never have seen the light of day. The inclusion of the breach notification rule highlights the fundamental importance that the GDPR places on data security. It also holds organizations accountable for their personal data security failures. In the end, the disclosure requirement may be the single most compelling reason for organizations to ensure they are compliant with the GDPR.
Fines and penalties
Sanctions under the new Regulation are much more severe than previous legislation demanded. The GDPR gives Supervisory Authorities (SAs), independent bodies set up in each State or geographic location, the power to investigate complaints, then determine and sanction penalties. Administrative fines will vary depending on the severity of the violation of the GDPR rules. However, SAs can apply fines ranging from the greater of 10 million Euros ($11.12 million) or 2% of total annual worldwide turnover, up to the greater of 20 million Euros ($22.23 million) or 4% of total annual worldwide turnover. In addition to imposing significant financial penalties, SAs will have a number of additional corrective powers that include:
- The power to suspend data transfer to a recipient in another country;
- The power to order a data controller to communicate a personal data breach to the data subject.
Other Potential Damages
Notification of a data breach can have far-reaching implications for organizations, as has been seen with the existing breach notification requirements in the US. Retail giant Target can certainly attest to that fact. When that company was breached in 2013, not only were sales negatively impacted, but the cost of reparations reached a reported $240 million and eventually contributed to the resignation of Target’s top executives. Once a breach is made public it can lead to a chain reaction of invasive and expensive legal, political and news media investigations into the organization’s data security practices; such investigations almost always turn up issues with data security that should have been dealt with prior to the breach. Perhaps the biggest threat in a breach scenario is the damage to reputation and brand. A 2015 report by CNBC concluded that 70% of shoppers could correctly identify companies that had been breached, 15% of consumers planned to stop using breached retailers and, finally, that customers have significantly longer memories than investors when it comes to the loss of their personal data.
Put your GDPR plan in place now!
Although the GDPR doesn’t go into effect until May 2018, companies should be working on compliance strategies right now. Developing and documenting a GDPR compliance plan is a wise first step and will demonstrate to courts and regulators that you are a responsible steward of your customers’ personal data. This may also pay dividends if you are breached in the meantime, by showing that you are taking the GDPR seriously and applying the necessary resources to meeting its requirements. Any breach may therefore be treated more leniently by the SA than would otherwise be the case. Furthermore, by starting to build a track record of compliance today, you begin to build the data protection processes and procedures that will underpin the GDPR requirements when they come into full force. This strategy will also enable you to take a prioritized approach to addressing the major data security issues in your business whilst at the same time moving your organization towards a compliant state. With so much at stake once the General Data Protection Regulation comes into effect, data security must be afforded a far more strategic role in the overall business strategy of any organization. It is critical that companies ensure that their security standards meet these obligations, not just today but in the future too. As your business grows and develops, the data security strategies, processes and technologies must remain relevant and effective.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support, and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.