Questions from our clients around the EU’s General Data Protection Regulation (GDPR) spiked this last May when the regulation went into effect. Then, they quickly tapered off. The amount of media attention paid to the regulation probably had something to do with it. Once a few high-profile cases hit the courts, we can expect more ink to be spilled.
Right now, many US-based businesses are waiting to see what impact the GDPR will have on the unlucky few who get caught in its clauses. Even global enterprises to whom GDPR most definitely applies seem to be dragging their feet on this one. SAS found that less than half of the global businesses they surveyed earlier this year expected to be compliant when the regulation went live.
Our view is that GDPR is not something you want to turn your back on. Since many organizations do an end-of-year compliance review, we thought this might be a good time for a few reminders.
#1 GDPR applies to businesses outside of the EU. If you do business in the EU, GDPR applies to you. But let’s say you’re a small boutique shop selling products online, and you maintain a mailing list so you can email your customers about new products. One day, a shopper from Germany visits your online storefront. They don’t buy anything, but they sign up for your mailing list. Because you collected information from an EU citizen while they were in the EU, you now need to comply. Though I doubt your small shop would be the first organization anyone files a complaint against – Google and Facebook hold that dubious honor – it could happen.
#2 GDPR regulations are not always clear. GDPR shares one very important characteristic with other regulations: in its earliest form, it’s not very specific. That means regulators have wiggle room to interpret the rules as they see fit. That’s both good and bad. It’s good because they aren’t creating hard-coded rules that make it impossible for companies to comply. But it’s bad because you can never really be sure what compliance looks like.
As the months pass and GDPR violations are adjudicated in the EU courts, we’ll all learn more about what kinds of fines are being levied and for what sorts of violations. We’re watching this closely, and we recommend our clients do the same.
#3 The fines are steep. While we don’t yet know what level of fines will actually be levied, we do know that the upper limits are steep – up to €20 million or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher.
In its FAQs, the GDPR organization ominously points out that you might also be subject to additional lawsuits by “affected data subjects.” In other words, individuals can come after you for compensation above and beyond what you pay to the EU. Plus, each country in the EU can institute its own laws and levy additional fines for breaches.
#4 GDPR covers third parties as well. GDPR covers anyone who comes into contact with the data you collect. Companies like Connectria would most likely fall into the category called “processors,” whereas our clients would be considered “controllers.” We list some of the responsibilities of these third-party data handlers on our website if you’d like to learn more.
Like HIPAA/HITECH, where you can be fined for entrusting data to a third party without a Business Associate Agreement, GDPR also allows for controllers to be fined for choosing processors that are not GDPR compliant. These violations are considered “lower level,” but the fines can still run up to €10 million or 2% of the worldwide annual revenue of the prior fiscal year.
Unfortunately, there are not yet third-party auditing services available for GDPR like there are for regulations such as SSAE 18 (SOC 1, SOC 2), HIPAA, PCI DSS, and FISMA, so you may need to do a deeper level of due diligence on your processors than you would for other regulations.
#5 It’s about more than security. Companies like AWS and Microsoft have announced that their cloud computing services are “GDPR ready,” to use Amazon’s terminology. AWS touts its 500+ security features on its GDPR landing page. But while other regulations such as HIPAA/HITECH and PCI DSS seem to be mostly about security, GDPR is a much broader regulation.
One of the key concepts found in the GDPR has to do with consent. The individual whose information is being collected needs to be able to see what is being collected and give or withdraw consent “without detriment,” meaning it can’t be a condition of doing business.
Businesses will also need to have a valid reason for collecting each specific piece of data or risk being in violation. This could put a damper on a few Big Data initiatives that involve collecting hundreds of data points on customers and figuring out what to do with them later. Take the time to scrupulously document what you collect and how it’s used. It could be the best investment you ever make should you find yourself on the wrong end of a GDPR complaint.
The fine print
Connectria does business with customers around the world, many of whom are in the EU or doing business in the EU, so we have had to become quite familiar with the GDPR regulations in the last couple of years. However, our advice is never intended to be considered legal counsel. In all matters having to do with the GDPR, you should seek qualified legal guidance. As always, we are happy to work with our clients and their GDPR/compliance team to ensure we do everything in our power to help them reach their compliance goals.
Now that that’s out of the way, if you have questions on GDPR and how we’re seeing companies respond to it, we’ll be happy to offer the point of view of a “processor” who deals with these issues every day. Just reach out to us here; we’re happy to help.