What the fast-approaching GDPR means for firms doing business in the EU, wherever in the world they are
Like it or not, you may be hiring in the new year. You may be asking your software team to rethink how they approach the development of new products. You may be asking your legal department to rewrite the miles of legalese that go into terms-and-conditions checkboxes. As an enterprise financial institution doing business in the European Union, you may soon be doing lots of things you aren't currently doing or, frankly, have any interest in doing.
But it doesn't matter what you'd like to do or not like to do, because on May 25 the General Data Protection Regulation goes into effect. With it will come unavoidable, significant change to how businesses across the EU are required to operate. Unlike the Data Protection Directive, the current data-privacy protection regime, the GDPR is a regulation, not a directive. It will hence be immutable law in all member states the day it takes effect, leaving far less room to maneuver in terms of implementation.
Regulatory centralization can have its good sides as well as its bad sides. Here's the step-by-step of exactly who will be affected by the GDPR and how, no matter where in the world they're headquartered or where they do their work.
As discussed in part one of our GDPR blog series, the new regulation is all about the data privacy of the data subject, because that concern lies at the heart of the EU's thinking. From this concern, all other thinking flows.
A proto-societal and regulatory concern for the data privacy of the individual can be traced back to a set of guidelines published by the OECD in 1980, which set out eight principles intended to "protect personal data and the fundamental human right of privacy." These principles became the philosophical underpinning of the DPD, and have in essence been carried through to the GDPR. Any requirements on how business will operate moving forward, post-DPD, arise from this core view of data privacy as a human right.
This zealousness for the cause of individual data privacy helps explain the sheer reach of the GDPR as a piece of EU legislation versus the DPD. First and foremost, any organization that offers goods and services to any citizen of the EU, or monitors the behavior of EU data subjects, will be subject to the strictures of the GDPR, no matter where in the world it is physically located or where the work is being done. Unlike the DPD, this applies to data processors as well as to data controllers. It's also worth noting that even if payment for said goods and services is not required, the GDPR still applies.
Consent of the governed
Another point of significant change coming with the GDPR deals with consent. Remember that overworked legal department? Sooner rather than later, those legal eagles are going to have to get to work updating the text for any terms-and-conditions boxes you may ask customers to check. That is, the text no one ever reads. The text written in unintelligible lawyer-speak.
That will be changing under the GDPR, explicitly: "Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent." It must also be as easy for data subjects to withdraw consent as it is to give it.
And for data subjects under the age of 16, parental consent will be required to process personal data. Individual states may set the bar lower than this, but never lower than 13. And while explicit consent is required for processing sensitive personal data, for non-sensitive data unambiguous consent will suffice.
Know their rights
The GDPR also lays out a number of data-subject rights. The first of these is the Right to Breach Notification. Simply, data controllers will have to notify their customers of any breach likely to "result in a risk for the rights and freedoms of individuals." Data controllers will have 72 hours to do this, from the time they first become aware of the breach. Data processors will also have to notify the data controllers they work for of any breach, as soon as they become aware of it.
Another soon-to-be right is the Right To Access. Data subjects will have the right to know if their personal data is being processed, where it's being processed, and for what purpose. Further, data controllers will be required to provide data subjects a free copy of their personal data in a machine-readable electronic format. Closely related to the Right to Access is the Right To Data Portability, which adds that data subjects have the right to transmit their personal data to another data controller.
Data erasure, or the Right To Be Forgotten, is probably a familiar concept already. Under the GDPR, data controllers will be required to erase a data subject's personal data and cease further dissemination and processing of that data if he or she asks. This could potentially apply to third parties. Conditions for erasure include the withdrawal of consent, and the personal data no longer being relevant to the original purpose for which it was collected.
Keep your friends close, and your regulators closer
Privacy By Design will be a legal requirement under the GDPR, though as a concept it's also nothing new. It calls for data protection to be designed into data collection and processing systems from the start, rather than as an afterthought.
And that new hire this year may very well be a Data Protection Officer, or DPO. DPOs are something new, and shouldn't be confused with DPAs, or Data Protection Authorities, which were created by the DPD. Each member state has a DPA, whose job it is to "supervise the application of [the DPD] and serve as the regulatory body for interactions with businesses and citizens."
DPOs are supposed to make notification of an organization's data processing activities easier. Companies will no longer have to submit notifications or registrations of data processing activities to each local DPA, nor notify or obtain approval for transfers based on Model Contract Clauses. Instead, under the GDPR there will be internal record-keeping requirements, with DPOs riding herd.
But DPOs will only be a requirement for controllers and processors with core operations that require "regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences." As such, all public authorities must appoint DPOs.
You may not even have to hire for this position. The DPO can be an already existing staff member, so long as he or she possesses the requisite expert knowledge on data-protection law and practice. The DPO may also be an external service provider. But either way, the DPO must have a direct line to the highest level of management, such as the board of directors, and must not have other duties that could result in conflicts of interest. Requirements for DPOs hold for both data controllers and processors.
Some penalties may apply
The DPD prohibited exporting data out of the European Economic Area. This will hold under the GDPR, though there will be "adequacy" recognition for territories, sectors, and member states. But don't let this bit of maneuvering room fool you. It should be very clear by now the EU means business when it comes to the GDPR. What's in store, then, for organizations that don't comply?
Penalties, potentially significant ones, with a tiered approach taken. For companies found to be in most serious breach of the GDPR, a fine of 4% of annual global turnover or €20 million (whichever is greater) can be assessed. Serious breaches include processing data with insufficient customer consent, or not following the Privacy By Design concept.
For less serious GDPR breaches—such as not notifying the supervising authority and data subject about a breach, not conducting an impact assessment, or not having records in order—a fine of 2% of annual global turnover can be assessed. DPAs will also have mandatory audit rights.
Brexit: The brawling elephant in the room
It would be remiss not to mention Brexit, the United Kingdom's looming exit from the EU. On June 23, 2016, the UK voted by referendum to leave the EU. It's been a contentious year and a half, with much back-and-forth, indecision, and negotiation on the part of all parties involved. Some of the most fractious discussion has been in the UK itself, with numerous sectors of society, and the government itself, at odds over precisely what form Brexit should take.
Brexit is still very much a work in progress, but in one respect planning for the GDPR is very straightforward. If you'll be controlling or processing data on EU citizens on or after May 25, you will need to comply with the GDPR, no matter what form Brexit ultimately takes. If your data-handling activities will be limited to the UK, you'll need to wait and see what data-privacy legislation the British government finally produces. As of now, the government has indicated it will implement something equivalent to the GDPR.
If old acquaintance be erased
Under the GDPR, at least 50 provisions will be open to interpretation by each state. Regardless, it remains primarily a centralizing piece of legislation.
The good news is, companies will know exactly what to expect across the trading bloc as a whole. No more fretting about state-to-state changes in data-handling and reporting expectations. But the same expanded reach and dogmatizing effect of the GDPR means almost every organization that touches EU citizen data needs to reevaluate how it operates, in some form or another.
The EU undertook the task of rethinking the relationship of data to its citizens because it felt the world of data and data rights had profoundly changed in the decade or so since passage of the DPD. It's true. It's a Big Data-driven world now, and it's reasonable to make sure passengers can keep at least one hand on the wheel. Get ready, then. On May 25, the driver's seat gets a little more crowded.
If you missed part one of our blog series on the fast-approaching GDPR, in which we explore its genesis, you can read it here.