If you or your company is working in any field in which personally identifiable information is involved, you had better take a look at this analysis, with clear steps to take, written by my French colleagues Karine Riahi and Julien Brunet of Spring Legal. Their contact info is at the end of this blog.
The European Union’s General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU in recent years, creating a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe. GDPR applies from May 25, 2018 to all businesses that serve European Union customers, and to organizations which have EU “establishments” where personal data are processed “in the context of the activities” of such an establishment. If this test is met, GDPR applies irrespective of whether the actual data processing takes place in the EU or not.
Practically, organizations with EU sales offices, which promote or sell advertising or marketing targeting EU residents will likely be subject to the GDPR – since the associated processing of personal data is considered to be “inextricably linked” to and thus carried out “in the context of the activities of” those EU establishments (Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12)).
So even though a company may not be actively targeting and monitoring EU residents, if the company has a website or app that tracks who visits and an EU resident happens to find their way to their digital property from within the EU, the company is impacted.
In consideration of the above, the main highlights that could potentially affect any company dealing with personal data are:
- Accountability: GDPR lays out a whole new set of rules around the accountability of controllers, the severity of which will depend on the privacy risks for individuals. These include obligations to implement compliance policies, data protection by design (i.e. all new systems will need to be developed with privacy in mind), data protection by default (i.e. consent to be obtained at the start of any processing of data), record-keeping obligations, data protection impact assessments and prior consultation with data protection authorities in high-risk cases, along with the creation of new rights such as the “right to be forgotten” and data portability;
- No sub-contracting: For the first time there will be legal obligations on data processors, the most radical being that a processor may not sub-contract the service without the consent of the controller;
- Breach notification: Organizations will have to provide data breach notification to data protection authorities within 72 hours of spotting an incident. From the discovery of a security incident, the clock starts ticking for the company to get notice out the door to the relevant data protection authority. There are some practical limits to this new obligation since the notification requirement kicks in only when there is a risk to the affected person. Technically, it means that if, at the time of the loss, the personal data was protected in such a way as to be unintelligible – and therefore useless to an unauthorized party – and the company can prove this to the supervisory authority, then the company is not required to disclose the breach to the individuals whose personal data was lost or stolen;
- International data transfers: Restrictions on international data transfers are strong, but there is a whole new menu of options to legitimize those transfers, including the Privacy Shield, Model contracts and/or Binding Corporate Rules (BCRs);
- Big time fines: There will potentially be very serious consequences for non-compliance, including the right to compensation for material or immaterial damage caused by breaches, and huge fines of up to 4% of the total annual turnover of a company. Should companies actually suffer a data loss as a result of non-compliance, they would also have to pay the substantial price of rebuilding customer trust and recovering from damage to the brand.
Given its high level of complexity and strict requirements, implementing the GDPR should be addressed through an efficient and redefined data governance policy. While the new legislation does not require a specific type of technical control, it does make several references to encryption as one of the means of achieving an appropriate security measure to protect personal data.
In addition, GDPR recognizes the privacy-enhancing effect of anonymization and pseudonymization as techniques providing exceptions to many of the most burdensome provisions of the regulation when steps are taken to de-identify personal data. By making it impossible or impractical to connect personal data to an identifiable person, data controllers and processors are permitted to use, process and publish personal information in just about any way that they choose.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) are a few examples of regulations that require data protection controls similar to those in the GDPR. Because it renders data unintelligible, encryption is widely accepted as an adequate means of addressing these requirements. If encrypted data becomes lost or stolen, it is essentially worthless. No one can access the actual data.
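As an added illustration of the pseudonymization point above (example code, not part of the original post or of Spring Legal’s guidance): direct identifiers are replaced by keyed HMAC tokens, and the key plus the re-identification table are assumed to be stored separately from the shared dataset. Records within the dataset stay linkable for analysis, but a recipient without the key cannot tie a token back to a person. All names and addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "purchases": 3},
    {"name": "Bob Sample", "email": "bob@example.org", "country": "DE", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "purchases": 2},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(value, key):
    """Keyed, deterministic pseudonym: same value + same key -> same token.
    A different key (e.g. one per recipient) yields unlinkable tokens."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Return the de-identified dataset and the re-identification table.
    The table (and the key) must be kept apart from the dataset it unlocks."""
    output, lookup = [], {}
    for rec in records:
        token = make_token(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        output.append({"subject": token, **rest})
    return output, lookup


def leaks_identifiers(deidentified, originals):
    """Check before sharing: no identifier field, and no identifier value, survives."""
    known = {r[k].lower() for r in originals for k in DIRECT_IDENTIFIERS}
    for rec in deidentified:
        if any(k in rec for k in DIRECT_IDENTIFIERS):
            return True
        if any(isinstance(v, str) and v.lower() in known for v in rec.values()):
            return True
    return False


def reidentify(token, lookup):
    """Only the holder of the separately stored table can reverse a token."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored with the lookup table, not the data
    dataset, table = pseudonymize(SAMPLE_RECORDS, key)
    print(dataset, leaks_identifiers(dataset, SAMPLE_RECORDS))
```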
In a nutshell, to comply with the GDPR, companies will have to demonstrate that personal data is:
- Processed lawfully and fairly, and in a transparent way;
- Collected for specific, explicit, and legitimate purposes;
- Limited to only what is necessary for processing;
- Kept accurate and up-to-date;
- Stored so that the subject is identified only when necessary;
- Processed in a secure manner so it does not fall into the wrong hands or become lost, damaged, or destroyed;
- Protected “by design”.
Please keep in mind that EU public authorities, such as the French CNIL, are helping companies with compliance. The French CNIL, for instance, provides six-step guidance on how to design a governance policy that complies with the GDPR requirements, already provides a standard form to help with the notification process, and will implement an online process in the coming months.
Karine Riahi (firstname.lastname@example.org) / Julien Brunet (email@example.com)