Amy C. Pimentel and Mark E. Schreiber
BridgeTower Media Newswires
The General Data Protection Regulation was the biggest story of 2018 in the field of global privacy and data protection.
The GDPR became enforceable in European Union Member States on May 25, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers.
These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance — and will be for years to come.
—————
Critical provisions
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment.
The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU. The GDPR uses other terms that are not familiar to U.S. businesses but need to be understood.
Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data pertains).
A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also defines “personal data” broadly as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Organizations in the U.S. are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).
—————
Necessary steps
Compliance means more than just updating an online privacy policy, though that is also necessary. It involves, for many, mapping EU personal data processes, accommodating the rights of EU individuals, implementing accountability mechanisms, mitigating risk in the supply chain, and anticipating new data breach and cybersecurity obligations.
Recommended compliance steps will depend on the type of organization, the EU data collected, the GDPR footprint and exposure, and the organization’s risk tolerance.
The GDPR requires, among other things:
• Identifying data processing and confirming that data is processed lawfully, fairly and transparently;
• More detailed privacy notices that include information such as the purposes of the data processing, the legal basis for processing, categories of recipients, and the period for which personal data will be stored;
• Honoring data subject rights, including the right to access, modify and restrict the processing of data, the right to data portability, and the right to be forgotten;
• A record of accountability that details all data-processing activities;
• For certain companies, appointment of a data protection officer and/or an EU representative;
• Updating supplier contracts to include specific language prescribed by the GDPR;
• Compliance with tight timelines for breach notification (within 72 hours of being aware of the breach); and
• Adherence to rules and EU-approved mechanisms regarding cross-border data transfers (which are essentially the same as those under the previous EU data protection regime but often ignored by U.S. companies).
Non-compliance with the GDPR can result in two levels of fines: the greater of €20m or 4 percent of global turnover, or €10m or 2 percent of global turnover, depending on the nature of violation.
—————
Implementation: better late than never
A Ponemon Institute benchmark survey sponsored by McDermott, Will & Emery this past April (one month before the GDPR effective date) revealed that many companies were behind schedule to achieve GDPR compliance by the May deadline.
The McDermott-Ponemon survey results showed that 40 percent of companies expected to achieve compliance only after the regulation came into effect. That is despite the fact that 60 percent of respondents said that the GDPR would “significantly change” their organizations’ workflows, and 71 percent of respondents acknowledged that lack of compliance could have a detrimental impact on their organizations’ ability to conduct business globally.
The survey made clear that there was a lot more work to be done for GDPR readiness, and that work continues to the present. The McDermott-Ponemon survey indicated that organizations heavily invested (relative to their general spend) in their GDPR compliance efforts. According to the findings, the average annual budget for compliance was $13 million — a figure that one in three companies expected to review annually. More than one in five organizations believed that a budget allocation would continue indefinitely in their organization due to a need to invest in technologies, governance practices and staffing.
The survey results reflect the concern of numerous organizations over the potential financial penalties resulting from non-compliance. As a result, many organizations have focused on those activities that are potentially most visible to regulators and data subjects, such as consumer or other public facing policies, data subject consents, and data subject rights.
Once those activities are complete, organizations have moved on to those compliance processes or tools that are required but seemingly less visible to regulators and data subjects, such as internal policies and procedures.
—————
Regulator activity is starting
In the six months since the GDPR came into effect, complaints over violations have been filed against several well-known tech companies. In July, the Information Commissioner’s Office in the United Kingdom issued the first formal enforcement action under the GDPR against a Canadian data analytics firm.
The enforcement action, in the form of an enforcement notice, required the firm to cease processing any personal data of UK or EU citizens obtained from UK political organizations for certain enumerated purposes (e.g., data analytics, political campaigning and advertising).
Additionally, in the last several months, data protection authorities in Germany and France announced that they would start audits to check compliance with the GDPR. Several other governments (such as Israel and Brazil) have moved on their own data privacy regulations to keep up with the GDPR regime.
The state of California passed the California Consumer Privacy Act over the summer, which provides GDPR-like protections and gives California consumers broader access and control over their personal information.
The California law, which will take effect Jan. 1, 2020, will move the U.S. privacy regime in the direction of the generally applicable privacy laws that have applied extraterritorially for years. We anticipate that this trend will continue, with GDPR-inspired data protection soon becoming the new normal.
—————
Class actions are looming
Class actions have not been common in the EU for many reasons, but the GDPR has provisions that may encourage them. Data subjects and non-profits alike can take legal action to assert their rights and seek redress by claiming compensation, including for material damages and distress.
There is a reversal of the burden of proof in which the controller and/or processor must prove they were in compliance with the GDPR. Both data controllers and data processors can be 100 percent liable for a violation of the GDPR, if both were involved in the relevant data processing.
The post-GDPR world is full of apprehension and opportunity. Many organizations struggle to assess their obligations under the GDPR, and some have only begun to implement the infrastructure needed to respond to incidents and data requests.
As data subject requests start to come in, the waiting game of what’s next on the enforcement side continues. It is clear that the GDPR requires many organizations to build data protection into their day-to-day business operations, and a thoughtful approach to GDPR compliance can also help mitigate risk and exposure not only under the GDPR, but other global data privacy and protection regimes as well.
—————
Mark E. Schreiber is a partner in the Boston office of McDermott, Will & Emery. He is a co-leader of McDermott’s global privacy and cybersecurity group, focusing his practice on cybersecurity, data breach response, and global privacy coordination. Amy C. Pimentel is an associate in McDermott’s Boston office. She assists clients in identifying, evaluating and remediating privacy and data security risks on an enterprise level and global scale.