On April 14, 2016, the European Parliament adopted the General Data Protection Regulation, and the GDPR will go into full effect in approximately six months. According to numerous recent studies, a majority of firms are not yet ready to comply.
The stated goal of the GDPR is to harmonize data privacy and security laws across Europe, protect and empower the privacy of all EU citizens, and ensure that organizations across the EU approach data privacy and security in the same manner. The GDPR applies to and imposes compliance obligations upon all companies that control or process the personal data of EU citizens.
“Data controller” is defined broadly, covering any individual or entity that determines the purposes and means of processing personal data. The definition of “data processor” is similarly broad, encompassing any individual or body that processes personal data on behalf of the controller. It is important to note that the GDPR also applies to controllers and processors outside the EU that offer goods or services to individuals in the EU or monitor their behaviour.
All companies that operate in the EU are likely to process at least some personal data as data controllers, if only the data of their own employees. Organizations that gather consumer data should certainly be focusing on compliance, but every company should, at a minimum: review its data processing activities and identify those for which it is a data controller; implement policies and technical safeguards in line with the GDPR; review its contracts with third-party processors (cloud storage and other IT vendors) against the mandatory terms that Article 28 requires in controller-processor contracts; and set up a practical incident response plan, since Article 33 requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
Data processors, including cloud service providers and other information technology vendors that process personal data on a controller's behalf, must also review their legal obligations under the GDPR, since for the first time they carry compliance responsibility of their own. These obligations include maintaining written records of the processing activities carried out on behalf of each data controller, implementing security measures appropriate to the risk, designating a data protection officer where the regulation requires one, and notifying the data controller without undue delay after becoming aware of a personal data breach.
So how are companies digesting the GDPR and reviewing their internal data policies? According to a survey of 200 European-based companies by cloud security provider Alert Logic published last month, while 77 percent of the surveyed companies are familiar with the GDPR, only 5 percent believe they are compliant with all applicable requirements. Moreover, only 27 percent reported that they were confident they will be ready when the GDPR becomes enforceable in May 2018.
The lack of confidence likely stems from the sheer scope of the GDPR. With 99 articles and 173 recitals, it is a massive document that, despite its goal of reducing administrative burdens for companies dealing with multiple data protection authorities within the EU, places high accountability burdens and new obligations on data controllers and processors alike.
Many companies do not even know where to start, but companies should focus on identifying the key areas of change between the GDPR and the aged 1995 EU Data Protection Directive that it replaces. These include:
Expanded Jurisdiction and Scope
The GDPR applies to companies without a legal establishment in an EU member state if they control or process the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour; the test is where the data subject is, not the data subject's citizenship.
Stricter Requirements for Consent
The GDPR makes it more difficult for companies to obtain valid consent from data subjects: consent must be freely given, specific, informed and unambiguous, and indicated either by a statement or by a clear affirmative action. Silence, inactivity and pre-ticked boxes do not constitute consent.
More Practical and User-Friendly Privacy Policies
Article 12 of the GDPR requires that information and communications to data subjects be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Where personal data are processed by automated means, the controller should also provide means for data subjects to submit requests, choices and complaints electronically.
Restrictions on Direct Marketing and Profiling
The GDPR gives data subjects the right to object at any time to the processing of their personal data for direct marketing, including any profiling related to such marketing, and it further requires that this right be explicitly brought to their attention and presented clearly and separately from other information.
Removal of Notification Requirement, Imposition of Documentation and Accountability
The GDPR removes the general requirement for a data controller to notify a data protection authority of its processing activities and replaces it with accountability: controllers and processors must keep internal records of their processing activities, be able to demonstrate compliance on request, and face fines for failing to meet their obligations.
The Principle of “Privacy by Design”
The GDPR makes data protection by design and by default (Article 25) a binding principle: data controllers must design and implement processes that protect personal data, collect and use it only for specific, disclosed purposes, retain it only as long as necessary, and restrict access to it by default to those who need it.
Increased Data Security
Article 32 of the GDPR requires controllers and processors to implement technical and organisational measures appropriate to the risk, and names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures. Where processing is likely to result in a high risk to individuals, Article 35 also requires a documented data protection impact assessment before the processing begins.
Appointment of a Data Protection Officer
If the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of data, then the GDPR requires the appointment of an internal or external Data Protection Officer with sufficient expert knowledge; public authorities must appoint one regardless.
Keep in mind that the GDPR has significant teeth. Its tiered approach to fines empowers EU member state Data Protection Authorities to impose fines of up to the higher of 4 percent of a company's annual worldwide turnover or 20 million euros for breaches of the basic principles of processing (including the conditions for consent), data subject rights and the rules on international transfers, and fines of up to the higher of 2 percent of annual worldwide turnover or 10 million euros for other violations, including the obligations on security of processing, breach notification and data protection officers.
Overall, while the GDPR is not a drastic overhaul of data protection regulation in the European Union, it is an expansion of prior efforts to protect the data privacy rights of individuals in the EU, designed to gain the attention of high-level executives and spur change at companies lagging behind in this area. While one cannot predict how quickly member state Data Protection Authorities will levy fines on entities not in immediate compliance, demonstrating good-faith efforts toward compliance is the wisest course of action for every organization doing business in the EU.