In mid-December 2015, the European Union (EU) finalized sweeping reforms to its data protection regulations. The new rules (GDPR) will be formalized in early 2016 and take effect in 2018. EU leaders took on the massive reform to account for the realities of the digital economy. Their objectives were to promote a unified EU digital market and protect citizens’ fundamental right to protection of personal information.
How does this affect companies that work internationally and have a need to collect data from international custodians in a legal matter? Clarifications and insights on how EU (DPAs) will implement the new regulations will emerge in the coming months. For now, here is a look at some key areas in the updated regulations, and practical tips on how to get ready for 2018.
One Law Across Europe
If your company processes personal information of EU residents while offering services or products or tracking behavior, you must comply with the new rules. The good news is you will no longer have to deal with a patchwork of 28 different national data protection laws – now there is only one, pan-EU law. For example, if you have a European headquarters in a member state and operations across the EU, you will only have to deal with the data protection authorities for pan-EU issues in the country where are your headquarters are located. This has been dubbed a “one-stop shop.” An EU Data Protection Board has been established to resolve objections by data protection authorities to draft decisions by the lead data protection authority.
Practical Tip: Don’t expect this to be a lightning-fast one-stop shop in the early days. Success depends on the cooperation of national data protection authorities, some of whom have not seen eye to eye1 recently.
Companies are now subject to fines as high as 4 percent of their global annual revenue, or turnover, as it is known in Europe. The ratcheted-up penalties are an attempt to force gigantic companies to take compliance seriously. European regulators have complained that penalties of a couple hundred thousand dollars don’t get the attention of companies such as Alphabet’s Google2.
Practical Tip: Audit and update your current processes and policies for handling, processing, storing, securing and obtaining consent regarding EU personal data. Develop awareness and monitoring programs to ensure GDPR compliance in your organization. Consider using enterprise-wide technology for compliance monitoring to stay on top of any issues that could lead to fines or other penalties.
Under the new rules, companies must tell data protection authorities about any personal data breaches within 72 hours, when feasible, of becoming aware of them. The company must also notify the individual whose data has been breached as soon as “reasonably feasible,” depending on the impact of the breach on the individual.
Practical Tip: Start to develop protocols and procedures for breach notification. Develop and roll out a program to raise awareness with executives and employees. With the tight time frames, it’s important they know what to do when a breach occurs. Put breach notice protocol requirements in vendor contracts.
The Right to Be Forgotten
Are you ready for the “right to be forgotten?” This law updates individuals’ right to demand that companies erase obsolete or irrelevant information about them in their databases. Deletion can also be demanded when individuals remove their consent to processing, such as when they drop membership in a social media site. Another common example is a request for a search engine to delete obsolete personal information that appears in public search results.
Practical Tip: If applicable to your business, develop a process for how you will respond to a request to delete personal information. After a European court upheld the right to be forgotten in 2014, Microsoft developed a form3 on its search engine Bing for “right to be forgotten” requests related to blocking (not erasure) of data.
Data Transfers Outside the EU
The GDPR continues to permit data transfers outside the EU under binding corporate rules and standard contract clauses. Under the GDPR, if you have standard contract clauses in place, you no longer have to give DPAs notice of every transfer. Also BCR requirements are spelled out more thoroughly. These transfer mechanisms are important for U.S. companies as they are alternatives to the defunct Safe Harbor and its recently announced replacement, the Privacy Shield. However, the Privacy Shield is still not entirely fleshed out and will not take effect until likely mid-2016. In addition, many expect legal challenges to the new arrangement.
Practical Tip: Given that the Privacy Shield’s requirements are still emerging and the GDPR is new as well, e-discovery practitioners should obtain updated legal advice on EU e-discovery strategies. Many may want to consider the alternative mechanisms for moving data during discovery, as exactly how the more aggressive data protection authorities (Germany and France, for example) will implement the Privacy Shield in the early going is unknown. Other strategies include using e-discovery vendors with EU data centers so the data stays in the EU (though compliance with the GDPR is still required) or preparing to self-certify under the new Privacy Shield so the data can be transferred to the U.S. for review.
Companies that use personal information for profiling and direct marketing need to understand the stricter consent requirements and the right to object. Burying consent explanations in dense technical language will not cut it anymore. Companies must plainly tell consumers that they have a right to say no to the use of their information for marketing, and companies must stop processing information when an individual demands it.
Practical Tip: Consult industry associations4 to learn what the new regulations mean for your marketing and profiling practices. Opt-out/unsubscribe practices will likely still work to comply with the right to object.
New Assessments of Data Protection Officers
Companies whose core processing activities require regular, systematic and large-scale monitoring of data subjects must appoint a data protection officer. The data protection officer’s duties are to inform and advise on GDPR and EU laws and to monitor compliance with these laws and the company’s data protection policies. Companies must also conduct a data protection impact assessment before they use a processing type or new technology that poses high risks to individual rights.
Practical Tip: If you do regular, large-scale processing of EU personal data, seek legal advice to see if you have to appoint a data protection officer. Also watch for supervisory authorities to issue a list of the kinds of processing operations that would require an impact assessment.
Data Protection by Design
The GDPR introduces the principle of “data protection by design,” requiring companies to take data protection into account up front during the design of their data processing. The intent is to incentivize innovation in methods and technologies for the security and protection of personal data. The regulation promotes techniques such as anonymization (removing personally identifiable information where not needed), pseudonymization (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorized can read it) to protect personal data.
Practical Tip: If you process EU data, you may want to consider these techniques to protect privacy while still leveraging customer and prospect information for your business.
Here are a few salient changes recently announced in an EU Privacy Shield update: all companies must resolve GDPR complaints within 45 days; complainants can seek help from DPAs who will escalate to the Federal Trade Commission if needed; the U.S. State Department will establish an ombudsman for Privacy Shield issues; companies handling human resource data (frequent in e-discovery) must comply with advice from European DPAs; companies that violate their Privacy Shield obligations are subject to sanctions or exclusion; and conditions for forwarding data on to partners (such as e-discovery vendors) are tighter. Also, be sure to review your e-discovery vendor contracts to ensure compliance with the GDPR before 2018 rolls around.
For more information, download our white paper5 “The New EU General Data Protection Regulation: A Strict Legal Framework for Digital Privacy.”
Abdes Afras, Vice president of international markets at AccessData, based in Frankfurt, Germany. firstname.lastname@example.org
Published March 31, 2016.