Authored by Sean Letz, vice president in the Marsh Cyber Center of Excellence; Rich Reiter, partner at Wilson Elser; and Chris Seusing, associate at Wilson Elser and member of Wilson Elser’s Information Governance and Cybersecurity & Data Privacy practices.
Companies that handle EU citizens’ data must be prepared to comply with a sweeping set of data security regulations that go into effect on May 25, 2018. The EU’s General Data Protection Regulation (GDPR) will significantly burden any company that handles or processes personal data of EU residents. Never before has a privacy regulation had the potential to reach companies anywhere on the globe on such an immense scale.
The GDPR dramatically changes the rules of data security and may be a harbinger of stricter privacy regulations from around the globe. As the result of a lengthy effort by the European Union to strengthen data security on the continent, the GDPR contains a number of new protections for EU citizens, from a 72-hour data breach reporting requirement to data minimization and data portability standards.
A company’s failure to comply with these regulations, regardless of size or country of domicile, can result in a fine of up to four percent of global annual revenue turnover or €20 million, whichever is greater. EU data protection authorities can enforce this significant penalty against any company that touches the data of an EU data subject in relation to the offering of goods or services, including companies in the United States. Under the GDPR, it will no longer be necessary for a company to have conducted business in, or even have minimum contacts with, the European Union to be subject to the continent’s data security regulations.
Obligations and technical requirements
While many companies already have privacy processes and procedures in place, the GDPR imposes dozens of new obligations and technical requirements that present pitfalls for companies should they fail to alter their established business practices. For example, prior to the use or processing of data, controllers are required to demonstrate that consent is received with “clear affirmative action;” silence or inaction is no longer acceptable, as had been the practice for many organizations.
The new regulations also put significant restrictions on automated processing of personal data to analyze or predict an individual’s behavior. Specifically, the regulations restrict this activity if it will have a significant impact on an individual, such as in a hiring or credit decision. Many companies will have to adjust their business models around such restrictions.
Additionally, data breach notification obligations are expanded under the GDPR, which defines “personal data” as “any information relating to an identified or identifiable natural person.” A company that discovers there has been a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data…” must notify the supervisory authority of the relevant EU member state within 72 hours of becoming aware of the breach. There is a limited exception to the reporting requirement if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.”
The vague language of this exception does not provide much guidance to companies and will require clarification and interpretation by the supervisory authorities. In light of the limited guidance provided, it is important to have incident response policies and procedures in place to avoid the inefficient or improper handling of an incident. These procedures should be consistent with other company policies, such as requirements under a cyber insurance policy, and should be regularly tested through employee training exercises. Additionally, companies should establish relationships with experienced breach notification counsel and forensics vendors, so that a team is ready to respond immediately in the event of a data incident.
The GDPR also codifies the “right to erasure” and the “right to be forgotten.” Recognized in a 2014 case from the European Court of Justice involving Google, this remedy allows individuals to request deletion of their personal data. Under the GDPR, a company that processes EU citizens’ data must delete the personal data without undue delay if an individual objects to the processing of data. Individuals also have the right to request personal data concerning them from the company, which must be transferred to them in a “machine-readable” format. These examples are only a few of the requirements with which all companies that process EU citizens’ data must be ready to comply.
Recognizing the complexity of these obligations, the GDPR will require companies that regularly process data on EU citizens or handle especially sensitive types of personal data (such as race, ethnicity, political opinions, or religious beliefs) to appoint a “data protection officer” with expert knowledge of data protection law and practices. The regulations do not contain any exemptions based on company size, but do allow the “data protection officer” to be outside counsel hired on behalf of the company.
In addition, many data protection authorities within the EU have begun issuing guidance to companies to assist in compliance with the GDPR, and more will follow. The Information Commissioner’s Office in the United Kingdom issued 12 guidelines for companies, including educating key decision-makers about the effect of these new regulations, reviewing privacy policies, and appointing a data protection officer. Additionally, the French data protection authority authored a six-step guide for companies, including mapping how personal data is treated within a company, implementing internal data security procedures, and documenting compliance. Further, data protection authorities are expected to issue guidance throughout the coming year.
Between now and the date of implementation in May 2018, companies should take steps to ensure compliance by becoming familiar with the GDPR and guidelines for compliance issued by various authorities. The first steps toward compliance include:
(1) assessing current data security systems, policies, and procedures;
(2) identifying the location of all data;
(3) determining the scope of data retained; and
(4) evaluating the safeguards in place.
If personal data of EU citizens is maintained in any manner by any part of a company, it will be necessary to thoroughly review the various provisions of the GDPR to ensure the company is in compliance with these regulations. Companies affected by GDPR also should consult their insurance brokers to determine the impact of the regulations on their insurance programs.
In particular, companies should discuss adequacy of limits, coverage for GDPR violations, and the ability of policies to pay into GDPR-regulated countries. The GDPR, by design, will subject significantly more companies to its regulatory framework than current regulations, and companies of all sizes and locations should prepare accordingly.
For further reading about the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as integrating policies and practices with systems and security features.