Whether you are ready or not, the European Union (EU) General Data Protection Regulation (GDPR) goes live today, May 25, 2018. It will impact companies doing business in the United Kingdom (UK) and the EU as much as any other legislation. Over the past few months, I have been visiting with Jonathan Armstrong, partner at Cordery Compliance in the UK, about the new regulation. Today, we reflect upon some of the key highlights for you to consider.
GDPR is a wide piece of legislation and covers all personal data, the definition of which is much wider than the US definition, as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU; it could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security: in most cases your organization will be required to report data breaches to a data regulator within 72 hours of becoming aware of the breach. Another distinction is the right for an individual to ask companies what information they may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. One area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right of action under GDPR.
You will need to consider whether your company should have a Data Protection Officer (DPO). What is the role of the DPO in complying with the new regulations? The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data processing, and must be independent in the performance of their tasks – they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed or not, but, given the significance of privacy compliance today, even if technically speaking a DPO is not required, a business of a particular size that regularly processes data may wish to consider appointing one in any event.
Policies and Procedures
What are some of the basic policies and procedures that you need to have in place to comply with the GDPR? Armstrong believes there are two key policies to begin your process with going forward. The first should be an internal document sent to all employees which reiterates the basics of data protection: the simple tactics of being aware, deleting suspicious emails and not opening unknown attachments or attachments from indeterminate sources. The second policy should be much more focused on GDPR compliance, and robust procedures will also need to be created to implement the specific requirements of GDPR. You will need policies on, and procedures around, the new rights created under GDPR. This includes the Right to Portability, which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided”.
Next is the key element of the Data Protection Impact Assessment (DPIA). A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The key thing to remember about DPIAs is that they are essentially risk assessments, and that should not scare anyone. As such, whenever you are doing something new, whether that be a new process, a new business venture or partner, or using a new vendor, you should consider the risk from the data protection perspective through a DPIA. You can use the DPIA to help design a risk mitigation strategy for your data protection risks. Unfortunately, Armstrong has found that many compliance practitioners and even DPOs are afraid of them “and I think many people are putting them into the bottom of their desks, when really they should now be at the top.” DPIAs are a significant way of reducing risk in a business. They can also reduce your legal exposure, which in turn reduces your potential for fines, suspension of data transfers and civil actions.
Data Security and Data Breaches
The backbone of the GDPR is data protection and the ancillary topic of responding to data breaches. GDPR introduces significant changes on the mandatory reporting of data breaches, including both a requirement for reporting to the relevant regulator(s) and communication to those affected by any data breach. Some of the data security protections a company can engage in are really the most basic security measures, such as putting padlocks on backpacks used to transport documents; much of it is really just common sense. Of course, reminding people not to leave papers (or iPads, iPhones and laptops) in taxis and at airports is always appropriate. The bottom line under GDPR is that you have to keep data secure, and if you fail to do so, there are serious potential consequences.
Every data breach must be reported to the relevant regulator no later than 72 hours after a data controller has become aware of the breach, and a reasoned justification must be provided where reporting is not made within the 72-hour period. Armstrong has, somewhat dryly, noted that regulators will have “some rigidity” on this point.
Subject Access Requests
Subject Access Requests (SARs) may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.
A SAR allows a person to exercise their right to gain access to data your organization might hold on them. A SAR must be answered within one month of receipt of the request, but this may be extended by a maximum of two further months when necessary, taking into account the complexity of the request and the number of requests. Unfortunately for businesses, under GDPR the ability to charge a fee for a SAR has been abolished.
Once again, the key is to have policies and procedures in place to deal with SARs. It begins with training, so employees understand what a SAR might look like when it comes in, because there is no one prescribed form; a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical, not only for responding appropriately to the SAR for the reasons detailed above but also, as Armstrong noted, because “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could resolve the underlying issue, avoid the entire SAR” by handling whatever issue led to the SAR in the first place.
Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time-consuming to fulfill. Some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR.
The time of GDPR is here. There is no getting around this new regulatory regime or its effects. EU regulators have consistently said they would aggressively enforce this new law. With the continued fallout from the Facebook/Cambridge Analytica scandal and the treatment of the EU and UK by the Trump Administration, EU regulators may be ready to go after American companies who have not taken steps to comply with the law.
To listen to the full “Countdown to GDPR” podcast series follow the links below:
Episode 1 – Introduction
Episode 2 – The Role of the Data Protection Officer
Episode 3 – Policies and Procedures
Episode 4 – DPIAs
Episode 5 – Vendors in GDPR Compliance
Episode 6 – GDPR for Communications Professionals
Episode 7 – Data Security and Data Breaches
Episode 8 – Subject Access Requests
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018