General Data Protection Regulation (GDPR)

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

The clock is ticking toward the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) and, according to PwC’s recently released Pulse Survey, U.S. companies are now investing significantly in compliance measures. Per the survey, 92% of respondents consider GDPR a “top priority” for 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation,” said Jay Cline, PwC’s U.S. Privacy Leader. “The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for U.S. companies that offer goods and services to EU citizens.”

In December, prominent GDPR analyst Chiara Rustici advised businesses “to ring fence 4 percent of 2016 global turnover and earmark it as budget for 2017 compliance.” (Because of its proximity to the release of the EU Article 29 Working Party’s own GDPR guidance, which clarified certain key enforcement issues for member states, Rustici’s budget advice was unable to fully account for the new information.)

“American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline also said. This statement echoes Rustici’s advice in 2016, in which she stated that “there are no excuses for not having a GDPR budget in place before the end of 2016.” Though more than a year remains for companies to achieve compliance, and further guidance is expected from EU data protection regulators, PwC cautioned that companies should not wait to make it a priority.

For organizations wondering where to start, here are perhaps the most important steps they should take.

Need for Data Portability and Data Mapping

In its December guidance, the Article 29 Working Party addressed a major issue that companies will need to develop infrastructure and processes to address. Namely, it discussed data portability – the ability for an EU citizen to access their personal data and easily transfer it to a different service provider. Closely tied into this concept are two central rights within GDPR: the Access Principle, whereby a user can discover what personal data of theirs a company holds, and the “right to be forgotten,” whereby a user can request the deletion of that data. To turn these concepts into reality, Article 30 of GDPR practically obligates companies to create comprehensive data maps so they can easily discern what data the company possesses, where it is stored, how it flows, with whom it is shared, and how it is used.

The guidance also indicated the need for companies to develop systems, technological or otherwise, to respond to individual requests under the data portability provision. According to the Working Party, “one of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API). This would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf.” Regardless of process, fulfilling the data portability and data mapping requirements represents no small IT investment for affected companies.

Budgeting

GDPR applies to companies as a whole, and for budgeting purposes, leaders should also take the regulation into account across the full enterprise, as opposed to merely in the legal, compliance and IT areas. “[T]he budget is there to ensure that any interaction of EU-based individuals with a brand’s real and digital estate follows the EU data protection principles,” noted Rustici, and “that will mean product design, user experience, distribution and after sales support, HR, marketing, legal, risk and compliance, storage and security should all own a share of the corporate GDPR budget.”

A good GDPR budget may allocate money to some or all of the following line items:

  • data inventory and mapping
  • privacy and state-of-the-art safety by design
  • solutions to enable data portability and the right to be forgotten
  • internal GDPR training
  • stress-testing GDPR resilience, information security, and audit
  • enterprise-wide coordination and compliance
  • vendor management
  • hiring of a GDPR architect, CISO, and/or DPO

Hire a Data Protection Officer

Relevant to the last line item above, GDPR requires companies that process personal data “as a core activity” and/or monitor data subjects “on a large scale” to hire a Data Protection Officer (DPO). This role acts to independently oversee corporate compliance. In its 2016 Guidance, however, the Article 29 Working Party went so far as to recommend voluntary designation of a DPO when GDPR does not specifically require it.

The guidance also indicated that the terms “large scale” and “core activity” as they pertain to the DPO requirement will also be broadly interpreted. Regulators will consider a number of factors including the volume of data, its geographic breadth, and its importance to a company’s operations. The Article 29 Working Party clarified this point by way of example: “the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” Following this example, organizations operating in highly regulated industries, such as healthcare, financial services, insurance and consumer businesses, should anticipate the need to hire a DPO.

A GDPR architect – a CTO, CISO, CIO, data privacy lawyer, compliance officer, or all of the above – may also be required. As Rustici warned, “Think of a DPO as a ship’s captain and of a GDPR architect as the naval engineer. [T]o set sail to the seas you rely on a good captain, who can chart a course and avoid thirty-foot waves; but to build or make a ship sea-worthy, and ensure that it can withstand even thirty-foot waves, you first rely on a good naval engineer.”

Other Initiatives

Ensuring data portability and enabling data mapping, budgeting across the organization for GDPR, and designating the DPO and other important roles are only three of the most prominent steps U.S. multinationals are taking in the new year. Other top priorities could include reviewing and revamping privacy policies, examining procedures to ensure consent for collecting/processing personal data, and improving vendor management programs. Many organizations are also considering data localization, including moving data centers to Europe, while others are assessing the viability of transitioning operations out of Europe altogether.


In the wake of yesterday’s referendum decision in the UK to leave the European Union, markets are tumbling and predictions on its impact are far from scarce. Despite the turmoil, privacy officers should follow the old British refrain: Keep Calm and Carry On.

That’s because no matter the uncertainty or negotiations or eventual regulatory environment, it will likely take years for the UK to untangle itself from its 40+-year membership in the European Union. Even given that fact, the UK may well remain within the European Economic Area. For U.S. companies with transatlantic operations concerned about eventual GDPR compliance, the best course is to continue a measured but deliberate approach.

The Immediate Impact

In terms of U.S.-UK data transfer standards or compliance requirements, there is little to no immediate impact. Though the European Court of Justice’s decision in the Schrems case last fall shifted focus to the EU Data Protection Directive and the invalidated Safe Harbor framework, the true source of law for U.S.-UK data transfers is the UK Data Protection Act of 1998. The DPA incorporates and even expands upon the Directive’s principles. Furthermore, the Brexit vote is not Brexit itself. Until the UK actually negotiates its exit from the EU, it remains a member and subject to its regulations.

The EEA Option and GDPR

The UK may elect to remain within the European Economic Area. Doing so would allow the country to engage in free trade with EU member states, assuming that the UK remains harmonized with EU laws. A decision to remain in the EEA would mean that GDPR will eventually take effect in the UK as originally planned.

The Fully Independent UK Option

If the UK exits both the EU and EEA and does not take action on data protection, it would likely become a “third country” as far as EU data protection laws are concerned, assuming the same status as the U.S. If that occurs, EU-to-UK data transfers could be subject to restrictions and an adequacy determination, à la Switzerland, Canada, and Israel. Such restrictions seem unlikely, however, since the DPA currently stands as one of the more comprehensive and strict data protection regulations in Europe. The UK has also already begun working towards eventual adoption of the GDPR.

Much like the “Brexit-lite” option of remaining in the EEA, FieldFisher, a leading European privacy firm, has speculated that the UK may consider adopting a law that amounts to “GDPR-lite”, though such a decision may have pitfalls.

For now, the best course for U.S. companies is to “Keep Calm” and take a wait-and-see approach to Brexit, while continuing to work towards general GDPR compliance.

Luxembourg politician Viviane Reding proposed three years ago to overhaul the EU Data Protection Directive. Now, European Union officials have settled on an agreement to replace the Directive with new privacy legislation called the General Data Protection Regulation (GDPR). It is not EU law just yet, but the EU Parliament is expected to fully approve it during its next meeting. Upon approval, the GDPR will become law in 2018 across all 28 EU Member States and replace the widely inconsistent laws previously implemented to comply with minimum data protection requirements set out in the directive.

First enacted in 1995, the Directive needed to be updated due to a routine change in the technology sector. It is anticipated the EU government will synchronize privacy laws across the Euro zone through GDPR. Heavy fines are expected for any company’s failure to implement these new requirements.

In its current form, the GDPR contains provisions expected to change how data is collected, stored and transmitted in and out of the EU. This includes the following:

  • Instituting more rigorous requirements for accessing and obtaining consent for collecting an individual’s information.
  • Raising the consent age for collecting information to 16 years old (from 13).
  • Mandating that companies must delete an individual’s data if they are no longer using the data for the original purpose for which it was collected.
  • Requiring all companies to notify the EU of data breaches within 72 hours.
  • Implementing one national office to monitor and manage complaints brought under GDPR.
  • Instituting fines of up to four percent of a company’s global revenue for non-compliance.

The GDPR’s most critical change is that jurisdiction is not a physical or geographical barrier; the jurisdiction will be digitally measured, which means that companies outside the EU could be affected by new regulations by virtue of collecting data that belongs to an EU citizen. As previously mentioned, fines for non-compliance are four percent of a company’s global revenue, and the financial impact to Fortune 500 companies could be in the billions. It remains to be seen how strictly the EU government will enforce these restrictions. Still, companies should begin planning and implementing new business practices into their workflows and expect the EU to be aggressive in its enforcement when the 2018 deadline hits.

The GDPR will also recognize standard contractual clauses and binding corporate rules as authorized frameworks for transferring citizen data out of the EU. The Safe Harbor was invalidated in 2015 in the wake of the Edward Snowden disclosure of the United States’ comprehensive surveillance programs. As such, the recognition of standard contractual clauses and binding corporate rules should, in theory, provide relief to business owners who relied on self-certifying their company’s compliance with Safe Harbor principles. Negotiations between the United States and the European Union are underway to establish “Safe Harbor 2.0.” Both parties are pushing to finalize the framework by the end of January 2016. This would provide another avenue for data transfer to the roughly 4,000 companies that relied on the first Safe Harbor to collect and transfer data.

Following the CJEU’s invalidation of the Safe Harbor Agreement, U.S. companies certified as Safe Harbor compliant have found themselves in murky regulatory waters. We provide insights and suggestions on establishing next steps.

Safe Harbor is Invalid. What Does That Mean?

Safe Harbor provisions provided U.S. companies a path to comply with EU data transfer regulations. Thousands of businesses that rely on EU-U.S. data exchanges are suddenly non-compliant, and inter-company agreements and BCRs are now more complicated as long-term solutions. The latter data transfer methods are considered valid, but their long-term efficacy is unclear. DPAs are refraining from examining them, as the CJEU decided not to scrutinize those transatlantic data transfers.

To avoid economic and organizational fallout, companies should avoid drastic changes to or suspensions of current EU-U.S. data transfer methods. Abrupt changes to business models could severely disrupt EU and U.S. economies. DPAs will likely hold back from immediately launching tough regulatory policing campaigns due to limited political capital and resources.

Regardless, companies must be ready for inevitable oversight. In most cases, DPAs will pursue issues based on how well they address their specific privacy agendas.

That is not to say that there will be no new enforcement. Companies should expect increased scrutiny. DPAs will simply have to prioritize the issues and organizations that are most relevant to their particular privacy expectations. Which leads us to our next point…

Plan, Document and Strategize

While European organizations sort out the CJEU decision, U.S. companies have time to review and change compliance plans.

Begin by auditing current policies for compliance with the seven core Safe Harbor Principles and the Directive. Following policy review, it’s important to ensure that data flows within business models reflect the commitments in company policy.

Next, strategize and weigh the options for adopting alternative data transfer methods. BCRs and contractual agreements provide possible alternatives, but there are no one-plan-fits-all solutions. Even though these alternatives may be deemed invalid in the long-term, they will buffer your company from short-term DPA scrutiny. Additionally, having a record of good faith compliance efforts can only benefit the company.

Track Updates

Be sure to follow developments and updates about data-transfer compliance, as many key questions remain unanswered. For example, DPAs may enforce the CJEU opinion as it is, or diverge in its interpretation. And DPAs have yet to indicate how strictly they will police data protection laws. However, DPAs have significantly more authority following the CJEU decision, and U.S. companies must brace for increased regulatory oversight. When the General Data Protection Regulation, which bears penalties of 100 million Euros or 4% of global turnover (whichever is higher), takes effect in May 2018, DPAs will have immense influence over investigations and company sanctions.