The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.
Over the past year, GDPR regulators have started monitoring companies’ data protection procedures and issuing fines for insufficient practices that do not meet GDPR requirements. For example, companies face fines for failing to adequately inform individuals about how their information was used, as well as failing to allow consumers access to their personal data. Noncompliance with the regulations could result in penalties up to 4% of a company’s annual revenue.
One of the requirements of the GDPR that has received particular attention from data controllers over the past year is the mandatory reporting of a data breach within 72 hours of its detection. As companies attempt to avoid fines without clear direction on what exactly constitutes mandatory disclosure, the data protection authorities have been flooded with reports of data breaches. During the GDPR’s second year, data controllers expect clearer guidance on these requirements.
One of the challenges for data controllers that has arisen with the GDPR in its infancy is regulatory enforcement under the European Data Protection Board (EDPB), and the criteria that regulators use to issue specific penalties. The GDPR’s introduction has led companies to add data protection officers to their leadership in order to guide them through this new territory and prevent sanctions handed down from the national authorities under the EDPB. Until regulators complete investigations and issue penalties, however, these companies and officers will have little insight into where the regulation’s priorities lie. Further, companies have been grappling with the question of uniformity across the EDPB, as each member state has its own data protection authority, leading to the possibility that multiple states could potentially issue penalties against one company. Data controllers that manage operations in various countries should pay particular attention to forthcoming guidance by the EDPB regarding jurisdiction over data protection authority.
Lessons learned from the evolution of the GDPR will be important for companies around the globe, as similar types of regulations will start to be seen elsewhere. California, for example, is gearing up to introduce its own Consumer Privacy Act and will require companies to meet standards similar to the GDPR. State-led enforcement of data protection laws raises the question of potential federal enforcement of data protection similar to that of the GDPR, which was created after EU states enforced their own differing data protection laws. In the United States, if more states continue the trend of introducing their own data protection regulations, the possibility of federal action could grow more realistic in the future.