
You will note the new title for this episode, Life With GDPR. When Jonathan Armstrong and I began this series in early 2018, we had intended to give listeners a grounding in the new law in the lead up to its go-live date of May 25. However, the response was so overwhelming and Jonathan and I had so much fun putting on the podcasts that we decided to make Countdown to GDPR a permanent part of the Compliance Podcast Network, albeit with a more appropriate name. So welcome to the re-monikered Life With GDPR, which I hope you will enjoy as much as you enjoyed its predecessor. Today Jonathan and I take up the issue of non-monetary penalties.

While most practitioners have focused on the heavy fines and penalties available under the General Data Protection Regulation (GDPR) of up to 4% of total global revenues or other very large fines, there are other remedies that each EU and UK data regulator can levy or put into place that may require considerable corporate cost and effort. Moreover, these lesser penalties and sanctions can be the precursor to larger monetary fines and penalties. Armstrong emphasized that each EU country has its own regulator and they will have varying degrees of aggressiveness.

Armstrong pointed to three areas in which regulators can order companies to take action. First, a regulator can order a GDPR audit to determine whether the company has previously assessed its data protection/data privacy issues correctly. Here he pointed to an example of a healthcare organization that was ordered to perform a Data Protection Impact Assessment (DPIA) and report back to the regulators within one month.

Next, Armstrong pointed to the joint areas of data controllers and data processors. Regulators can require a company Data Protection Officer (DPO) to comply with data requests, including Subject Access Requests (SARs). He referenced a recent example from the UK involving Cambridge Analytica, which was ordered to comply with a US academic’s SAR. Further, a regulator can order a company to bring its data protection program in line with GDPR. Additionally, regulators can conduct investigations in the form of data protection audits and have the right to obtain access to any premises of the controller and the processor, including any data processing equipment, by obtaining a warrant. This may prove to be a significant tool in the data protection regulators’ toolkit.

Regulators can also order companies to stop certain activities. Here Armstrong provided the example of a US-based company with operations in Europe that is not GDPR compliant around its internal reporting structures. An EU regulator could order the company to suspend its hotline in Europe until there is compliance. Under such a scenario, the US company would be out of compliance with US securities law and it may be at risk under best practices compliance programs under the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) regulations, export control regulations or even US anti-trust law.

Armstrong emphasized that it is not simply the regulators who have powers under GDPR; individuals do as well. SARs of course are well-known but there are other individual rights Armstrong emphasized. If an individual files some type of GDPR complaint with a statutory regulator who does not take up the complaint within 30 days, that individual can appeal against the regulator to get the complaint moving forward. This means that individuals can file SAR actions against companies that do not respond in a timely manner to SARs. Moreover, such individuals can then band together in a class action lawsuit over such failures. There is also a mechanism for equitable reallocation of damages between parties. If a data processor has to pay damages properly attributable to a data controller, GDPR Article 82 provides a procedure for claiming these damages back. Finally, recall that any person who has suffered “material or non-material damage” due to an infringement of the new rules has a right to compensation from the data controller or processor concerned for the damage suffered, and you begin to realize the powers that individuals hold under GDPR.

Interestingly, Armstrong believes that the number of regulatory and individual remedies will mandate that if companies have an incident, they should investigate and remediate quickly. From there, the entity should prepare their investigative results, remedies and internal sanctions they may have put in place on those employees involved. These steps will all go towards mitigating any proposed financial penalty the regulators may be considering. Basically, businesses need to have their ducks in a row, as it can lead to not only reduced costs for corporations, but also could well lead to greater compliance if tied to a root cause analysis.

On Friday, the Rolling Stones are releasing The Rolling Stones Studio Albums Vinyl Collection 1971-2016, a hefty new limited-edition box set that contains special 180-gram vinyl pressings of every Stones studio album from 1971’s Sticky Fingers through 2016’s Blue & Lonesome. It is the new Rolling Stones vinyl collection, transferred from original recordings and “turned up to 11”, which informs today’s blog post on data transfers.

Dan Epstein, writing in Rolling Stone magazine online, in a piece entitled, “How the Rolling Stones’ Massive New Vinyl Box Came Together” profiled the sound engineer Miles Showell who lovingly remastered the original recordings “from analog transfers using a painstaking process known as half-speed mastering, the albums boast a richer, more detailed aural picture with a sparkling top end, all while keeping the punch and groove of the original recordings intact.” The work took the better part of nine months and was done largely at Abbey Road studios. Showell said of the end product, “If you imagine the original version of each album turned up to 11, to kind of quote Spinal Tap, it’s that – it’s just one better. That’s what I was going for, without disrespecting the feel and the atmosphere of what’s there.”

How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR) which went live on May 25, 2018? I recently had the opportunity to visit Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert on this topic. Armstrong noted there have been some changes which may significantly impact this issue going forward. There are basically four ways to effect such a transfer.

However, there is an activity that many people may not realize is a data transfer, as it involves reviewing data which sits on a server in the EU. This means that even if the data does not move out of the EU, if you can access it from the US that counts as a data transfer as well. A fairly typical corporate example might be where your organization has a payroll system for your employees and that payroll information is on a server in Belgium. Your Human Resources (HR) Department in the US can get into that server and extract data from it. This is a data transfer under GDPR.

Consent. The first method to safely and legally transfer data is through consent. While this may work more easily in a B2B context, it is much more challenging in the employment context. Under GDPR an employer cannot require consent as a condition of employment. Moreover, this carries over after the creation of the employment relationship, in that an employee cannot give a valid consent. The reason is the EU holds that the employer has undue influence over the employee and therefore no consent can be freely given.

Standard Contractual Clauses or Model Clauses. Armstrong noted he expects to see new form clauses at some point from EU data regulators. However, he tempered this with the caution that there is currently a court challenge at the European Court of Justice (ECJ), referred from the Irish Data Protection Commissioner. Once again, these standard contractual clauses in their current form are likely to face a number of legal challenges going forward, so they may well be less safe post-GDPR go-live than they were before.

Privacy Shield. Readers will recall that Privacy Shield was the regime put in place after the legal actions, led by Max Schrems, invalidated Safe Harbor. Armstrong believes that while “Privacy Shield is not dead yet, it’s certainly unwell.” One reason is that there are many Europeans who do not believe that the current US administration is respecting privacy as well as it might. Even this past week, US Secretary of Commerce Wilbur Ross criticized GDPR in an op-ed piece in the Financial Times, arguing the law was unclear, no guidance had been provided by regulators, it favored privacy rights over security and it would likely cause job losses in the US.

Not that the Trump Administration is any friend of the EU (or data privacy for that matter) but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. From the European legal perspective, Privacy Shield currently faces two challenges before the ECJ. These are likely to be heard in 12 to 18 months. Finally, the European Parliament and several European data protection regulators are not fans of Privacy Shield and this has hampered progress since it was brought into force. Armstrong concluded by stating, “my gut feel would, would be the privacy shield will die. It is a question of when and not on privacy shield. Certainly, in a worse position now than it was on May 25th.”

Binding Corporate Rules. Armstrong believes this is the one area of data transfer which has benefited from GDPR go-live. Under this scenario, an organization can go to any one of the EU data regulators and ask it to be the lead regulator for a group of companies. From this point, the companies would put in place a system that is somewhat akin to Privacy Shield, including a series of commitments from all the entities which make up the corporate network. These commitments are to each other. From there the lead regulator reviews, assesses and then approves the entire network’s data privacy/data protection commitments. Finally, the lead regulator goes to the other regulators in the EU, supporting these Binding Corporate Rules. It is a more streamlined approach for dealing with the plethora of regulators in the EU.

Armstrong emphasized this is not a rubber stamp process but one which takes time and concerted effort. He estimated that it is an 18-month or so process. However, under GDPR there was the creation of a European Data Protection Board (EDPB), and one of its functions is to help the process of getting Binding Corporate Rules approved more quickly.

Armstrong concluded by cautioning there is still much fluidity in the mechanisms for data transfer. There still may be many changes from both the regulatory perspective and the legal perspectives through court challenges. He concluded by stating “vigilance is the watch word here.”

While the Stones vinyl collection may seem a bit pricey, I for one have pre-ordered a copy. I cannot wait to turn it up to 11 on my turntable and hear the glorious sounds.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

Whether you are ready or not, the European Union (EU) General Data Protection Regulation (GDPR) goes live today, May 25, 2018. It will impact companies doing business in the United Kingdom (UK) and the EU as much as any other legislation. Over the past few months, I have been visiting with Jonathan Armstrong, partner at Cordery Compliance in the UK, about the new regulation. Today, we reflect upon some of the key highlights for you to consider.

Introduction

GDPR is a wide piece of legislation and covers all personal data, the definition of which is much wider than the US definition as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU. It could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security; in most cases your organization will be required to report data breaches to a data regulator within 72 hours of becoming aware of the breach. Another distinction is the right for an individual to ask companies what information they may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. Finally, one area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right of action under GDPR.

DPO

You will need to consider whether your company should have a Data Protection Officer (DPO). What is the role of the DPO in complying with the new regulations? The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and must be independent in the performance of their tasks – they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed or not, but, given the significance of privacy compliance today, even if technically-speaking a DPO is not required to be appointed, a business of a particular size that regularly processes data may wish to consider appointing one in any event.

Policies and Procedures

What are some of the basic policies and procedures that you need to have in place to comply with the GDPR? Armstrong believes there are two key policies to begin your process with going forward. The first should be an internal document you send to all employees which reiterates the basics of data protection: the simple tactics of being aware, deleting suspicious emails and not opening unknown attachments or attachments from indeterminate sources. A second policy will be much more focused on GDPR compliance, and there will also need to be robust procedures created to implement the specific requirements of GDPR. You will need policies on and procedures around the new rights created under GDPR. This includes the Right to Portability, which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided”.

DPIAs

Next is the key element of the Data Protection Impact Assessment (DPIA). A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The key thing to remember about DPIAs is they are essentially risk assessments, and that should not scare anyone. As such, whenever you are doing something new, whether that be a new process, a new business venture or partner or using a new vendor, you should consider the risk from the data protection perspective through a DPIA. You can use the DPIA to help design a risk mitigation strategy for your data protection risks. Unfortunately, Armstrong has found that many compliance practitioners and even DPOs are afraid of them “and I think many people are putting them into the bottom of their desks, when really they should now be at the top.” DPIAs are a significant way of reducing risk in a business, and can also reduce your legal exposure, thereby reducing your potential for fines, suspension of transfers and civil actions.

Data Security and Data Breaches

The backbone of the GDPR is data protection and the ancillary topic of responding to data breaches. GDPR introduces significant changes on the mandatory reporting of data breaches, including both a requirement for reporting to the relevant regulator(s) and communication to those affected by any data breach. Some of the data security protections a company can engage in are really the most basic security measures such as putting padlocks on backpacks used to transport documents. However, it is really just common sense. Of course, reminding people not to leave papers (or iPads, iPhones and laptops) in taxis and at airports is always appropriate. The bottom line under GDPR is that you have to keep data secure but if you fail to do so, there are serious potential consequences.

Every data breach must be reported to the relevant regulator no later than 72 hours after a data controller has become aware of the breach; further, a reasoned justification must be provided where reporting is not made within the 72-hour period. Armstrong has, somewhat dryly, noted that regulators will have “some rigidity” on this point.

Subject Access Requests

Subject Access Requests (SARs) may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.

A SAR allows a person to exercise their right to gain access to data your organization might hold on them. A SAR must be answered within one month of receipt of the request, but this may be extended for a maximum of two further months when necessary, taking into account the complexity of the request and the number of requests. Unfortunately, under GDPR, the ability for a business to ask for a fee for a SAR has been abolished.

Once again, the key is to have policies and procedures in place to deal with SARs. It begins with training so employees understand what a SAR might look like when it comes in because there is no one prescribed form. Further, a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical not only for the reasons detailed above in appropriately responding to the SAR but, as Armstrong noted, “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could resolve the underlying issue, avoid the entire SAR” by handling whatever the issue is which led to the SAR in the first place.

Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time consuming to fulfill. Some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR.

Conclusion

The time of GDPR is here. There is no getting around this new regulatory regime or its effects. EU regulators have consistently said they would aggressively enforce this new law. With the continued fallout from the Facebook/Cambridge Analytica scandal and the treatment of the EU and UK by the Trump Administration, EU regulators may be ready to go after American companies who have not taken steps to comply with the law.

Additional Resources:

Check out Cordery Compliance’s GDPR Navigator and FAQs.



Today we consider Subject Access Requests (SARs) under General Data Protection Regulation (GDPR). As always, I am joined in this exploration by Jonathan Armstrong, a partner in Cordery Compliance in London. SARs may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR on May 25, 2018. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.

SARs currently exist in all countries in the European Union (EU), and in most jurisdictions companies can currently charge a small fee for them. Although the fees are generally fairly trivial, they do put off many applicants. However, post-GDPR Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time consuming to fulfill. He noted that some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR. But it is not simply the detailed work needed to fulfill the SAR; a company must also redact the data on other people.

Armstrong provided an example of a SAR for emails sent to an individual. A SAR might come in for emails sent to Mr. Jones. While you might be able to do a word search for Mr. Jones and find all emails relating to him, it could be that 10 other people were copied in on emails to/from Mr. Jones. You are required to redact the details of those 10 people.

Armstrong further refined the example by adding the factor that the email related to performance appraisals, and a manager is communicating how their seven direct reports performed in their performance appraisals for the year. In responding to the SAR, a company must disclose the information on the one individual who has made the request but redact the information on the others. Even words like “he or she” must be reviewed, as they can provide personally identifiable information such as a person’s sex. There is also information such as cell phone details, which might be found in the footers of emails, that would identify individuals. This information must be redacted.
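As an added illustration of the redaction step just described (not code from the original post or from Cordery), the following Python walks a constructed appraisal email thread: it selects the messages that name or are addressed to the requester, discloses the sentences about the requester, withholds sentences about the other direct reports, catches a dangling “she” that would reveal a redacted person’s sex, and strips phone numbers from signature footers. All names, numbers and the sentence-level heuristic are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

REDACTED = "[REDACTED]"

# Mobile numbers such as "+44 7700 900123" or "07700 900456" (constructed samples)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Gendered pronouns reveal a person's sex, so the page treats them as personal data
PRONOUN_RE = re.compile(r"\b(he|she|him|her|his|hers)\b", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    recipients: List[str]
    body: str


def name_pattern(name: str) -> "re.Pattern":
    """Match the full name or the bare surname ("Alan Jones" or "Mr. Jones")."""
    surname = name.split()[-1]
    return re.compile(rf"\b(?:{re.escape(name)}|{re.escape(surname)})\b")


def select_in_scope(emails: List[Email], requester: str) -> List[Email]:
    """The 'word search for Mr. Jones': keep every message that names the
    requester in its body or was addressed to them."""
    pat = name_pattern(requester)
    return [e for e in emails if pat.search(e.body) or requester in e.recipients]


def redact_body(body: str, requester: str, third_parties: List[str]) -> str:
    """Disclose sentences about the requester; withhold those about others.

    A sentence naming nobody is withheld only when it follows a third-party
    sentence and carries a pronoun ("She also mentored..."), because that
    pronoun would reveal the redacted person's sex. Phone numbers are
    stripped everywhere, including signature footers. A human reviewer
    still checks the output; this is a first pass, not a legal guarantee."""
    req_pat = name_pattern(requester)
    third_pats = [name_pattern(p) for p in third_parties]
    out = []
    last_subject = None  # who the previous sentence was about
    for sentence in re.split(r"(?<=[.!?])\s+", body.strip()):
        named_third = [p for p in third_pats if p.search(sentence)]
        if req_pat.search(sentence):
            # Requester's own data: keep it, but strip any other person named in it
            for p in named_third:
                sentence = p.sub(REDACTED, sentence)
            last_subject = "requester"
        elif named_third:
            sentence = REDACTED
            last_subject = "third"
        elif last_subject == "third" and PRONOUN_RE.search(sentence):
            sentence = REDACTED  # dangling he/she about a redacted person
        sentence = PHONE_RE.sub(REDACTED, sentence)
        out.append(sentence)
    return " ".join(out)


def respond_to_sar(emails: List[Email], requester: str, third_parties: List[str]) -> List[str]:
    """Redacted bodies of the in-scope messages, in original order."""
    return [redact_body(e.body, requester, third_parties)
            for e in select_in_scope(emails, requester)]


# Constructed sample data (hypothetical people and numbers, not real records)
REQUESTER = "Alan Jones"
THIRD_PARTIES = ["Beth Kumar", "Carl Ortiz", "Dana Li"]  # other direct reports
SAMPLE_EMAILS = [
    Email("Helen Brook", ["HR Team"],
          "Team appraisal summary for the year. "
          "Alan Jones met all his delivery targets and his code reviews were thorough. "
          "Beth Kumar exceeded her sales target by 10%. "
          "She also mentored two new starters. "
          "Carl Ortiz missed two deadlines. "
          "Please call me on +44 7700 900123 if you want to discuss any of these. "
          "Regards, Helen Brook."),
    Email("Helen Brook", ["Carl Ortiz"],
          "Carl, can we move our 1:1 to Thursday? The room she booked is free."),
    Email("Helen Brook", ["Alan Jones"],
          "Alan, reminder that your appraisal meeting is at 3pm. "
          "My mobile is 07700 900456 if you are running late."),
]

if __name__ == "__main__":
    for disclosed in respond_to_sar(SAMPLE_EMAILS, REQUESTER, THIRD_PARTIES):
        print(disclosed)
```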

Obviously, this example is antithetical to the way in which US companies not only do business but also try to avoid releasing any information to the public. However, Armstrong believes this is very important in the EU and will be going forward in the UK, post Brexit. He even pointed back to Max Schrems and the original litigation which brought down Safe Harbor. It could also be that EU and UK citizens might make SARs and then use the US corporate responses as the basis for class action type lawsuits. All of this means US companies must not only take SARs seriously but have a protocol in place for handling them.

Once again, the key is to have policies and procedures in place to deal with SARs. He said it all begins with training so employees understand what a SAR might look like when it comes in, because there is no one prescribed form. Also remember that a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical not only for the reasons detailed above in appropriately responding to the SAR but, as Armstrong noted, “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could resolve the underlying issue, avoid the entire SAR” by handling whatever the issue is which led to the SAR in the first place.

For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program.