The EU Privacy Regulation (the “GDPR”) is now applicable and becomes an obligation for whoever processes personal data of people located in Europe, regardless of where the processing entity is located, but what do you need to know?
The GDPR provides for burdensome (very burdensome) obligations but, at the same time, if applied correctly, privacy can become a competitive advantage over competitors at a time when data are becoming a major asset for businesses.
The principles of the GDPR are similar to those of the EU Privacy Directive, but there are 5 significant changes that cannot be ignored:
1. Potential sanctions become huge
The major change introduced by the GDPR is that the sanctions applicable in case of violations have increased up to € 20 million or 4% of the worldwide turnover of the company that commits the violation. This change is significant when one considers that, under the current regime, one of the highest sanctions issued in the European Union for a privacy breach was adopted by the Italian Data Protection Authority against Google, for € 1 million, subsequently exceeded by the € 11 million sanction of the Italian Data Protection Authority against 5 money transfer companies. Under the GDPR, Google-sized companies risk sanctions exceeding $ 4 billion, enough to bankrupt any company.
With such high sanctions, it is not possible to exclude liability claims by shareholders against directors who did not take the necessary measures to comply with the GDPR, nor the potential criminal liability of directors in countries like Italy.
But that’s not all, because these measures would be in addition to possible actions by customers and users whose data were violated, who would have at their disposal a tool very similar to the “class action”, and in addition to the order to delete illicitly collected data, which could cause huge operational and economic damage to a business that will increasingly rely on data.
2. We need to monitor the data and who is processing them
One of the issues we are increasingly finding in assisting companies that have to comply with the GDPR is the lack of control over the data they process. There are companies with millions of customers in which most of their employees (and sometimes even agents and suppliers) can access the data of all current and past customers. And they have never deleted any data, simply because it would be too burdensome or because data can be “always useful”.
It is not just a question of drafting the so-called register of processing activities, which shows in a very detailed manner the type of data processed, who has access to it, how it is used and how long it is stored. You must also have the support of technical applications that are able to identify where the data are located inside the company and check whether they are processed correctly.
This is also because, in case of unauthorized access to personal data or loss of data (the so-called data breach), a notification to the data protection authority, and in some cases even to the individuals whose data have been violated, is required. A data breach can happen not only because a hacker enters a computer system, but also if an agent loses an unencrypted USB flash drive with last year’s customer data on the train, or if pay slips are forgotten on a desk and taken.
Therefore, it is necessary to implement internal policies for data control, and these must be supported by technical applications.
3. GDPR compliance checks must be effective
In the event of significant regulatory changes such as the GDPR, the most frequent response by companies has been the adoption of new policies that lawyers adore, but which are not useful if they are not observed.
The GDPR requires companies to adopt a system of policies and organizational and technical measures that allow continuous control over the company’s compliance with privacy legislation and that are a continuous “work in progress”.
This activity is supported by the appointment of the so-called data protection officer, which is one of the major novelties of the GDPR, but which is not very useful (and does not represent adequate protection) if the DPO cannot actually verify the data processing carried out by the company. In large groups the DPO can be supported by a committee, but no investment is sufficient unless it is supported by adequate organizational and technical measures.
In fact, among other things, companies need to:
- adopt technical measures that block, or at least generate “alerts” on, anomalous behavior;
- carry out internal training courses (at least yearly) for their employees, agents, sellers, etc. on internal privacy policies and their obligations;
- carry out checks (also through the so-called compliance checklist) when the contractual relationship is established, on a periodic basis and on termination of the contract, in order to verify that their agents and suppliers have the necessary infrastructure and procedures to process the data in compliance with the GDPR, and that at the end of the relationship they do not keep data of customers/employees of the instructing party;
- ensure collaboration between technicians, legal, marketing, HR and anyone who processes personal data within the company and outside it on behalf of the company. In fact, the GDPR introduces the concept of privacy by design, which obliges companies to prove that measures to preserve privacy have been taken from the design stage of any product/service that processes personal data.
4. Be prepared to handle portability requests
The right of data portability is another new feature introduced by the GDPR that allows users, employees or any person whose data are processed by a third party to “transfer” their data to a new service provider, employer, consultant, etc.
The scope of this right is huge because, for example, new entrants in the market could use it to close the gap in historical customer data, offering customers incentives to exercise their right of data portability against their current supplier.
And the impact could be even greater for companies that are not ready to receive such requests, which would be unable to handle them without risking liability.
5. We must “evangelize” the whole company on GDPR obligations
This change is a kind of summary of all the previous principles. The need to ensure compliance with privacy legislation is no longer a “nice to have”, but cannot be ignored. This is all the more true at a time when companies are undergoing a digitization process that involves considerable profiling and, in any case, intensive processing of personal data.
Compliance with privacy legislation, and certification of it, will often become a mandatory requirement to be able to enter into contracts with banks, insurance companies, tech companies, etc. and to access public tenders. Compliance with privacy legislation can therefore become a competitive advantage over competitors, especially in this phase of transition towards the first adoption of the GDPR.
May 25, 2018 will be remembered as the “millennium bug” of privacy. We must remember, however, that the GDPR will accompany companies in all their activities, and companies that do not change their approach to privacy compliance risk not surviving.