GDPR is Almost Here. Is Your Company Ready?
by Michael Woolf | April 11, 2018
In a matter of weeks, the General Data Protection Regulation (GDPR) will go into effect. The GDPR was designed to harmonize data privacy law across Europe, replacing a patchwork of national rules with one regulation. Although a single standard should make it easier for companies to comply, many will be challenged as they put the required systems and processes in place.
This is especially true as the world continues to shrink. The GDPR applies not just to companies established in the European Union (EU): any company that collects data on individuals in the EU (regardless of their citizenship) will need to comply with strict new rules around protecting personal data by May 25. Penalties under the GDPR can be extremely severe, reaching up to 4% of worldwide annual turnover or 20 million euros, whichever is higher, potentially putting many companies' financial futures at risk.
What it all means...
The GDPR contains provisions requiring businesses to protect the personal data and privacy of individuals in the EU, and it regulates the transfer of personal data outside the EU. While the GDPR requires controllers and processors to implement "appropriate technical and organisational measures" to secure personal data (see GDPR Article 32), it does not enumerate what measures are deemed appropriate; it instead ties them to the state of the art, the cost of implementation, and the risk to the individuals concerned.
This may give a lot of leeway to regulators when it comes to assessing data breaches and potential non-compliance. Given that the GDPR extends the same protection to online identifiers such as an individual's IP address or cookie data as it does to direct identifiers such as name, address and national ID number, companies must design their processes and procedures with that broader definition of personal data in mind.
Privacy by Design
Under the GDPR, companies must incorporate "privacy by design" into their regular operations (see GDPR Article 25, for more). That means that companies may no longer treat data security as something to react to after the fact. Instead, controllers* must build "appropriate technical and organisational measures" and "necessary safeguards" into their processing, both at the design stage and at the time of processing, and must ensure that by default only the personal data necessary for each specific purpose is processed. Processors* are bound to the same standard through the contractual terms the GDPR requires controllers to impose on them (see GDPR Article 28).
That means that protection of an individual's privacy is mandatory under the law, and controllers have a proactive and affirmative obligation to find ways to ensure data security to the best of their ability. This differs from United States law, which is governed primarily by tort law (that is, if you don't take adequate precautions and you get hacked, you get sued), with some federal and state oversight thrown in for good measure (see HIPAA, the Massachusetts data security standards, and California's data breach laws).
A person suing over a data breach in the U.S. will usually have to prove that the company fell short of the industry's standard of care. And since most tort cases in the U.S. don't get to trial, many (if not most) of these suits are settled out of court.
What happens next?
But in a few short weeks in Europe, the GDPR will be in full force, and supervisory authorities will be able to conduct their own inquiries and impose fines and costs without any litigation. They will have the right and ability to find a company liable after a breach simply for not having met the standards of Articles 25 and 32 (judged on the totality of the circumstances). What's more, the GDPR imposes an affirmative duty to report breaches: a controller must notify the supervisory authority "without undue delay" and, where feasible, no later than 72 hours after becoming aware of a breach (GDPR Article 33); a processor must notify its controller without undue delay after becoming aware of one; and where the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects (GDPR Article 34). A company that cannot meet the 72-hour window must document its reasons for the delay, so breach detection, triage and escalation procedures need to be in place before an incident, not improvised during one.
With all of that said, it is imprudent to think that the GDPR means you should pack up any business with Europe, or that if you get hacked you're doomed. In most cases that is neither practical nor economical. Instead, the aim of the GDPR is to drive companies toward prevention to the extent that prevention is possible.
Companies are advised to do the following:
MAKE GOOD FAITH EFFORTS at adopting internal policies and procedures "to integrate principles of data protection by design and data protection by default" (see GDPR Article 25, for more)
FOLLOW GDPR PRINCIPLES such as processing data lawfully, fairly and in a transparent manner for specified, explicit and legitimate purposes, and keeping records that demonstrate this (see GDPR Article 5, for more)
PROMPTLY COMPLY with breach notification requirements (see GDPR Articles 33 and 34, for more).
With only weeks left, it is incredibly important to begin implementing compliant practices and procedures now. Companies doing business in the EU should maintain a demonstrable record of having done the work early: the GDPR's accountability principle makes the controller responsible for being able to show compliance, not merely for complying. That record allows a company to show regulators that good faith, transparency, and legitimacy are of paramount importance to the organization, even in the event of a data breach.
*A "controller" is a person (or entity) which, alone or jointly with others, determines the purposes and means of the processing of personal data. A "processor" is a person (or entity) which processes personal data on behalf of the controller. "Personal data" refers to any information relating to an identified or identifiable data subject. A "data subject" is a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (see GDPR Article 4, for these definitions).
If you do business with individuals in the EU (including, for now, the UK) and you haven't begun to look at the way the GDPR will impact your business, please contact your legal advisor or reach out to Boon Legal for a free consultation.
DISCLAIMER: Information available in this blog post is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Boon Legal or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. Readers should neither act nor refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country, or other appropriate licensing jurisdiction.