In mid-December 2015, the European Union (EU) finalized sweeping reforms to its data protection regulations. The new rules, the General Data Protection Regulation (GDPR), will be formalized in early 2016 and take effect two years later, in 2018. EU leaders took on the massive reform to account for the realities of the digital economy. Their objectives were to promote a unified EU digital market and to protect citizens’ fundamental right to the protection of their personal information.
Clarifications and insights on how EU data protection authorities will implement the new regulations will emerge in the coming months. For now, here’s a look at some key areas in the updated regulations, and practical tips on how to get ready for 2018.
One Law Across Europe. If your company processes personal information of EU residents while offering them goods or services or tracking their behavior, you must comply with the new rules, whether or not your company is established in the EU. The good news is you will no longer have to deal with a patchwork of 28 different national data protection laws; there is now one pan-EU law. For example, if you have European headquarters in a Member State and operations across the EU, the data protection authority in your headquarters country will act as your lead authority for pan-EU issues. This has been dubbed the “one-stop-shop.” A European Data Protection Board has been established to resolve objections raised by other data protection authorities to draft decisions of the lead authority.
Practical Tip. Don’t expect the “one-stop-shop” to be lightning fast in the early days. Success depends on the cooperation of national data protection authorities, some of whom have not seen eye-to-eye in the recent past.
Bigger Fines. Companies are now subject to fines as high as 4% of their global annual revenue, or “turnover” as it is known in Europe (or €20 million, whichever is higher). The ratcheted-up penalties are an attempt to force gigantic companies to take compliance seriously. European regulators have complained in the past that penalties of a couple hundred thousand dollars don’t get the attention of companies such as Alphabet’s Google.
Practical Tip. Audit and update your current processes and policies for handling, processing, storing, securing, and obtaining consent regarding EU personal data. Develop awareness and monitoring programs to ensure GDPR compliance in your organization. Consider using enterprise-wide technology for compliance monitoring to stay on top of any issues that could lead to fines or other penalties.
Breach Notice. Under the new rules, companies must report a personal data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If the breach is likely to result in a high risk to individuals, the company must also notify the affected individuals without undue delay.
Practical Tip. Start to develop protocols and procedures for breach notification, including how you will decide within the 72-hour window whether a breach meets the risk threshold for notice. Develop and roll out a program to raise awareness with executives and employees; with the tight timeframes it is important they know what to do when a breach occurs. Put breach notice requirements in vendor contracts so that processors report incidents to you promptly enough for you to meet your own deadline.
The Right to be Forgotten. Are you ready for the “right to be forgotten?” This law updates individuals’ right to demand that companies erase obsolete or irrelevant information about them in their databases. Deletion can also be demanded when an individual removes their consent to processing, such as when they drop membership in a social media site. Another common example is a request for a search engine to delete obsolete personal information that is appearing in public search results.
Practical Tip. If applicable to your business, develop a process for how you will respond to a request to delete personal information. After a European court upheld the right to be forgotten in 2014, Microsoft developed a form on their search engine Bing for “right to be forgotten” requests related to blocking (not erasure) of data.
Data Transfers Outside the EU. The GDPR continues to permit data transfers outside the EU under binding corporate rules (BCRs) and standard contractual clauses. One improvement is that prior notification to data protection authorities of transfers made under standard contractual clauses is no longer required. BCR requirements are also spelled out more thoroughly. Transfers to “white listed” countries determined to provide adequate protection remain permitted. The US-EU Safe Harbor agreement, of course, is no longer valid.
Practical Tip. Given the maelstrom surrounding the invalidation of the US-EU Safe Harbor Agreement, the potential new Safe Harbor agreement in early 2016 and the GDPR changes overall, eDiscovery practitioners should obtain updated legal advice on EU eDiscovery strategies. Explore getting BCRs in place this year if you move personal data from your EU locations to the US. Also be sure to review your vendor contracts to ensure compliance with the GDPR before 2018 rolls around.
Marketing Data. Companies that use personal information for profiling and direct marketing need to understand the stricter “consent” requirements and the “right to object.” Burying consent explanations in dense technical language won’t cut it anymore. Companies must plainly tell consumers they have a right to say “no” to the use of their information for marketing, and must stop processing information when an individual demands it.
Practical Tip. Consult industry associations to learn what the new regulations mean for your marketing and profiling practices. Opt-out/Unsubscribe practices will likely still work to comply with the “right to object.”
Data Protection Officer; New Assessments. Companies whose core processing activities require regular, systematic and large-scale monitoring of data subjects, or large-scale processing of special categories of personal data, must appoint a Data Protection Officer (as must public authorities). The Data Protection Officer’s duties are (1) to inform and advise the company on its obligations under the GDPR and other EU data protection laws and (2) to monitor compliance with these laws and with the company’s data protection policies. Companies must also conduct a Data Protection Impact Assessment before they adopt a type of processing or a new technology that is likely to pose high risks to individuals’ rights.
Practical Tip. If you do regular, large scale processing of EU personal data, seek legal advice to see if you have to appoint a Data Protection Officer. Also watch for supervisory authorities to issue a list of the kinds of processing operations that would require an impact assessment.
Data Protection by Design. The GDPR introduces the principle of “data protection by design,” requiring companies to take data protection into account up front, when designing their data processing, rather than bolting it on afterwards. The intent is to incentivize innovation in methods and technologies for the security and protection of personal data. The regulation promotes techniques such as anonymisation (irreversibly removing the link between the data and an identifiable person, so that the data is no longer personal data), pseudonymisation (replacing direct identifiers such as names or e-mail addresses with artificial identifiers, with the key needed to reverse the mapping kept separately and protected), and encryption (transforming data so that only holders of the key can read it). Note that pseudonymised data is still personal data under the GDPR, because the company holding the key can re-identify individuals; pseudonymisation reduces risk but does not remove the data from the regulation’s scope.
Practical Tip. If you process EU data, you may want to consider these privacy-friendly techniques to protect privacy while still leveraging customer and prospect information for your business.
For more information, download our white paper, The New EU General Data Protection Regulation: A Strict Legal Framework for Digital Privacy
Carolyn Casey is a consultant and attorney who writes on global information governance, eDiscovery and legal technology trends.
Information in this blog should not be viewed as legal advice.