Disclaimer: Neither InteliSecure nor the author of this post is purporting to offer legal advice in this blog. The author is not an attorney nor is InteliSecure a law firm, nor is either party making a representation on behalf of a law firm. Nothing in this blog should be construed as legal advice and should not be relied on as such.
There are still many questions organizations around the world have regarding the European Union’s General Data Protection Regulation (GDPR). This post is designed to provide an introduction to the regulation and touch on some of the key points organizations should be aware of. For organizations concerned with the impact GDPR may have on their data security program, including data loss prevention and privacy, InteliSecure does offer an analysis to assist in identifying potential areas of risk.
What is GDPR?
Consent and Right to Withdraw
Data Transfers to Foreign Countries and Organizations
Privacy Impact Assessments
Data Protection Officers
What is GDPR?
GDPR stands for General Data Protection Regulation and was passed on April 14, 2016 after four years of debate by the European Union as the data protection standard that would apply to all member countries. According to the timeline set forth in the legislation, organizations who fail to comply by May 25, 2018 will face heavy monetary penalties. Replacing the Data Protection Directive from 1995, the first difference organizations will notice is that it seeks to impose massive penalties of up to €20 million, or 4% of an organization’s global earnings in case of a data breach relating to personal data. The second major difference in GDPR is its massive scope, applying to any organization that is doing business with any European citizen, rather than relying on location of the business operation itself, which means that, essentially, GDPR applies to every business globally.
Theoretically, if you’re running a hot dog stand in Chicago, you are in scope because you may interact with a French citizen on vacation who gives you his or her credit card for payment. Realistically, there is little to actually enforce a fine on that hot dog stand and the methods in which enforcement will actually be carried out are still unclear at this point, but the implications are massive. Certainly if you have significant business operations in the European Union, compliance is going to be necessary as the European Union has the ability to significantly impact your business.
Note: There is little indication so far as to what, if any, impact Brexit will have on the need to comply for organizations inside the United Kingdom without significant business operations elsewhere in Europe.
In this blog, we will briefly introduce each of the major parts of GDPR. For a more in depth understanding of GDPR and how it is likely to affect your business, we encourage organizations to engage InteliSecure’s Professional Services team for a detailed analysis.
Provisions and Scope
GDPR is designed to protect the free movement of personal data belonging to European Union citizens within the Union while also protecting the fundamental rights and freedoms of citizens’ personal data including data privacy. The scope of the regulation pertains to the storage, processing of, and transmission of EU citizen personal information regardless of where that data resides.
There are exceptions to GDPR which seem straightforward when reading them, like the provision stating that it does not apply when the processing of the personal data falls outside the scope of European Union law. This particular provision raises a question about what happens when data belonging to EU citizens is mishandled according to GDPR, but the activity happens in the jurisdiction of another country. This question is best posed to legal counsel because it is clear that the intent of the law is that data will be protected regardless of terrestrial borders, but the issue of jurisdiction is likely to be litigated when penalties are levied against organizations without significant business operations inside the European Union. The size of the penalties could represent a significant transfer of wealth from many nations to the European Union and it will be interesting to observe whether or not that transfer of wealth will be allowed to occur.
There are other, far less controversial exceptions including exceptions for competent authorities to conduct investigations and prosecute criminal offenses that are less likely to be challenged. In general, the scope of the regulation is intended to apply to personal data belonging to European Union citizens wherever it resides.
Consent and Right to Withdraw
GDPR establishes a requirement that individuals whose information is collected, processed, and/or retained by any organization around the world must consent to the specific intended use of that information. In this case, the age of consent is 16 years old. Legal guardians can consent on behalf of minors. The burden on organizations processing the information is to appoint a Data Controller who must be able to demonstrate that the data subject has consented to the processing of their information, which requires maintaining records of that consent. These records will necessarily contain personal information, which must be taken into account in order to comply with other provisions of GDPR.
GDPR also stipulates that data subjects have a right to withdraw, also known as a right to be forgotten. This provision means that an individual can withdraw his or her consent at any time and the organization who originally collected the information has a duty to remove all information related to the data subject.
An example of the provisions at work is the following. If I was a retailer with a loyalty program, and I wanted to enroll John Doe in my program, I would need to gain consent from John Doe to gather specific information about him. I would also have to include in that agreement what specific activities I would use his information for. If I later wanted to use that information for another purpose that was not expressly spelled out in the original agreement, such as a marketing campaign for a new product, I would first need to gain specific consent for that use of the information. Further, if John called my organization at a future date and withdrew his consent, I would have the duty to remove any information related to John and any copies of such information, completely from all of my systems in such a way that it cannot be recovered.
Data Processing is an interesting requirement because it touches on a few key areas. First, it requires that organizations’ Data Controllers ensure that information is collected in a lawful and transparent way. The key word in that sentence is transparent. For many years, organizations have covertly collected information about people, or transparently collected some information while covertly collecting other information to facilitate marketing campaigns or other activities. According to GDPR, all data that is collected about an individual must be collected in a transparent way.
Further, it requires the scope of the data collected to be limited to specific and explicit data necessary for the task at hand. This could be arguable in some cases, but many organizations collect as much information as they can about individuals so that they have the opportunity to use that information for other activities, which may or may not be specifically authorized uses of the information. GDPR specifically forbids this practice.
Third, GDPR mandates that organizations collecting data ensure that the data they collect is accurate. This raises questions about the level in which organizations should be reasonably expected to ensure accuracy. For example, if a person intentionally provides false information, is the organization responsible to find that out and fix it, or is the standard only requiring that the organization makes every effort to ensure data is entered into their systems exactly how it was provided to them? My opinion is that it is likely intended to be the latter, but that point is open for interpretation.
Finally, GDPR mandates that data is not stored longer than it is needed. Essentially, this is an acknowledgement that over-retention is a risk to consumer data, which I completely agree with. However, how long data is “needed” is open to interpretation as well. It also raises the question of whether GDPR supersedes data retention requirements from other regulations, especially regulations related to retention for Financial Services organizations.
Data Transfers to Foreign Countries and Organizations
In GDPR, data transfer is restricted to countries and organizations designated by the Commission and proven to ensure adequate levels of personal data protection. This is an interesting opportunity for global cooperation on the government level as well as the organizational level. For example, Swiss regulations allow organizations to comply voluntarily with the law and organizations that do may transfer Swiss citizens’ information outside of the country where their data centers reside. This provision of GDPR opens the door for similar arrangements, which may be very interesting to multinational organizations. At this point in time, the process to be designated by the Commission to ensure adequate levels of personal data protection has not yet been made clear to my knowledge.
There are also specific exceptions to data transfer requirements that are not subject to government oversight. Those include:
- Transfer of data where subjects have explicitly consented to the transfer and been informed of potential risks associated with that transfer
- Transfer of data that is necessary to perform a contract between subject and controller
- Transfer of data necessary for public interest
- Transfer of data necessary for defense of legal claims
- Transfer necessary to protect vital interests of the subject who is physically or legally incapable of providing consent
These exceptions provide potential for service providers who are operating multi-nationally to continue normal business operations without becoming non-compliant with GDPR.
Privacy Impact Assessments
GDPR also requires organizations to conduct Privacy Impact Assessments when evaluating new technologies or processes that could impact personal data. A Privacy Impact Assessment, as defined by GDPR, must include the following elements:
- A description of the data processing operations and the purpose of the processing
- An assessment of the necessity of the data processing operations in relation to the purpose of the explicitly authorized purpose of the data collection
- An assessment of the risks to the rights and freedoms of the data subjects
- The measures intended to address risks, safeguards, security measures, and mechanisms in place to ensure the protection of personal data and demonstration of compliance with GDPR regulations
Many organizations do risk analysis similar to a Privacy Impact Assessments as part of their due diligence process when acquiring a new technology. The Privacy Impact Assessment simply provides a guideline and establishes a minimum standard for such an assessment.
GDPR stipulates that organizations must report any data breach to its assigned Data Protection Authority within 72 hours of becoming aware of the breach. For extenuating circumstances that cause an organization to fail to report a breach within 72 hours, the company must provide a report that explains the reason for the delay. In the event such a report is not produced, or in the event that the Data Protection Authority does not find the reasons to justify the delay, the offending organization can be fined for violating breach reporting regulations.
The notification an organization gives to the Data Protection Authority must include the full details of the breach to the best of the organization’s knowledge along with measures being taken to address the breach and to mitigate the side effects of the breach.
When a breach may result in high risks to the impacted individuals, the organization must make contact with the affected individuals without undue delay. What constitutes a high risk and what constitutes an undue delay seems to be open for interpretation and isn’t well defined, but it is clear that it is a good idea to notify all affected parties of a potential breach situation as soon as possible. The increased notification burden is that the organization must also notify the proper Data Protection Authority, as well as, the potentially affected individuals.
The penalties portion is where GDPR becomes heavy handed, and in my opinion, shockingly so. Data Protection Authorities have the ability to impose fines up to 20 million Euros or 4% of the company’s annual revenue, whichever is larger. Therefore, it is feasible that a small organization could be fined an amount that is greater than or equal to their entire annual revenue. I don’t think it’s in the interest of the EU to put companies out of business, but GDPR certainly grants them a mechanism to do so.
GDPR also gives individuals a legal ability to be able to assert and enforce their rights under GDPR and to seek compensation for the infringement of these rights. The major change in this provision is that individuals can seek damages for inappropriate exposure even if it does not cause material damage. That removes a significant legal burden for anyone bringing a data privacy suit against an organization. Now you still must prove it happened but you no longer must prove you suffered harm as a result.
GDPR also requires organizations to appoint Data Controllers who must maintain a written record of processing activities that includes the Data Protection Officer overseeing the activity, the purpose for processing the information, categories and descriptions of the data being processed, any applicable transfers to foreign entities or territories, the amount of time they intend to store the data, and a description of active security measures to protect the data. Organizations over 250 employees that fail to comply with these guidelines may be fined 10 million Euros or 2% of global revenue, whichever is larger. Again, the fact that the larger of the two values is the limit opens the door to massive fines as a percentage of revenue, or massive fines in terms of actual Euros paid on the other end of the size spectrum, with very few upper limits in terms of total exposure for large organizations.
Enforcement provisions inside the GDPR regulation focus on the fact that each individual data subject has a right to report any potential infringement of their privacy rights to a Data Protection Authority and that there be an effective judicial remedy applied. There is little in the way of explanation as to what happens when the offending organization is outside the European Union and does not have significant operations inside the European Union. What happens then? This is a question posed by many, but given the gravity of the fine, it would stand to reason that very few organizations would want to be the first to find out.
It should be further noted that these fines represent only the direct costs of the breach. Since the breach must be reported to a Data Protection Authority, it seems that the chances of breaches being widely publicized dramatically increase, causing further brand damage are higher under GDPR than they would be otherwise.
Data Protection Officers
Organizations that practice large-scale data processing of information within special categories such as race, religion, biometrics, gender, etc., are required to appoint one or more Data Protection Officers. I have yet to see a concrete definition of “large-scale processing” which leaves another significant provision open for interpretation. The Data Protection Officer must have the following at a minimum as part of his or her duties:
- Act as the main point of contact for Data Protection Authorities
- Inform data controller or processor of what obligations they are required to adhere to
- Monitor compliance with GDPR
- Provide assistance where required for any Privacy Impact Analysis that must be conducted
- Cooperate with supervisory authorities and serve as a liaison between the organization and the authorities
GDPR is a far reaching regulation that establishes severe penalties for non-compliance. When the penalty phase takes effect in May of 2018, we will see what the penalties levied actually are. Most multi-national organizations I have spoken with know they are in scope for GDPR and are working to ensure they’re able to comply. Those organizations likely need help with specific things, but also understand the broader concept. Many other organizations do not know or are just finding out that they are in scope for GDPR even though they don’t have significant operations in the European Union and they need help understanding how to comply. Either way, InteliSecure can help you understand the regulation and its potential impact on your organization.