When the European Union passed the General Data Protection Regulation (GDPR) back in April 2016, it recognized that organizations – especially large companies with multiple divisions that each collected and processed personal data to some extent – would need time to meet all of its requirements. Thus, it set the compliance deadline more than two years in the future.
At the time, that date seemed comfortingly far away – but time flies, and the May 25, 2018 enforcement date is now upon us. After many months of scrambling to make the transition, many organizations are still uncertain whether they’re fully in compliance, thanks to the vagueness of some of the provisions.
What happens now?
You might be wondering exactly what is going to change on May 25 for your organization. The answer to that question is: it depends. If you’ve already checked off all the checkboxes and taken the measures recommended by your compliance specialists and legal advisors, the answer is “not much.” You can go on conducting business as usual, following your new policies for handling personal data.
However, there are some situations that are going to trigger additional work on your part. If a data breach involving personal data occurs, and your company is classified under the GDPR as a processor, you must notify the controller “without undue delay” under the provisions in Article 33. If your company is classified as a controller, you’re required to notify the appropriate supervisory authority within 72 hours after becoming aware of it, if feasible. If it’s not possible to make the notification within 72 hours, you’d better have a good reason and that reason must be provided to the supervisory authority. The controller is also required to document the breach, its effects, and what remedial action is taken.
Further, if the breach is likely to result in “high risk” to the rights and freedoms of natural persons, you must also notify the affected data subjects. However, Article 34 lists exceptions to this requirement. For example, if the data was encrypted, notification to the data subjects is not required.
If your organization has been avoidant and you haven’t yet taken measures to comply with GDPR, you are now at risk of being fined. The amount of the fine will, of course, be up to the enforcement authority, and is expected to be based on the severity of the violation, but the regulation authorizes fines up to €20 million or 4% of the company’s worldwide annual turnover (revenues).
If 4% doesn’t sound like much, it’s important to note that we’re talking about revenues, not profits. This is the total amount taken in before operating expenses are subtracted. Thus 4% of your revenues could be a much larger percentage of your actual profits. In a worst-case scenario, the fine could equal or exceed a company’s entire annual profit.
The good news is that this worst-case example is unlikely. The GDPR states fines should be “proportionate” and the point of the legislation is not to put companies out of business – it’s to protect the rights of individuals (data subjects) in regard to the privacy of their personal information. However, the possibility of such dire consequences should be a powerful motivation for organizations to take their responsibility to comply seriously and invest the money, time and effort to meet the requirements rather than risk a much higher cost of not doing so.
The not-so-good news is that the fines are not the only – and possibly not even the most financially damaging – aspect of failure to comply with the GDPR. The other side of that coin is the litigation costs. This includes not only defending the organization in actions taken by the supervisory authorities but also the possibility of class action lawsuits by data subjects whose rights were violated.
Update: On day one of GDPR enforcement, lawsuits in the amounts of 3.9 billion and 3.7 billion, respectively, were filed against tech giants Facebook and Google, alleging their new policies aren’t adequate to protect personal data.
European Union member states are required by the GDPR to appoint national supervisory authorities who will be responsible for monitoring and ensuring that the Regulation is applied consistently within that jurisdiction. The member states are further required to provide the necessary financial support, personnel, and infrastructure for doing so. This is laid out in Article 51 and its related recitals.
Organizations that are subject to the GDPR will have a lead supervisory authority (LSA) as their point of contact for compliance-related activities (for instance, registering a data protection officer if your organization is required to do so). Your org’s lead supervisory authority is determined by the location of your “main establishment” in the EU. If your company operates in several EU countries, you can deal with a single LSA. This is referred to as the one-stop shop.
The bad news is that if your company operates completely outside the EU but collects, stores or processes the data of EU residents in multiple member states, you won’t be able to use the one-stop shop approach, but will have to deal with the local supervisory authority in each individual member state, according to the Article 29 Data Protection Working Party.
Because each member state will handle enforcement for that state, it is likely to shake out that the supervisory authorities in some states will enforce the regulation more strictly and apply more severe penalties than those in other states. This could be due to philosophical differences toward privacy protection, national priorities, and/or simply the available resources for monitoring compliance and enforcement.
The bottom line is that until the GDPR has been in effect for a while, no one knows for sure exactly how it will be enforced. This is particularly true regarding organizations that don’t have a physical presence within the EU. Enforcement may prove to be particularly difficult when the organizations are located in certain places, such as South America.
The past two years have served as a learning experience for most organizations as they became acquainted with what the GDPR is, whether and how it impacts them, and what they need to do in order to achieve compliance by the deadline. Now that the deadline has arrived, the next months will involve another learning curve as we find out how the Regulation will be interpreted and enforced in the various member states.
Remember that compliance, like security, is not a destination but a journey. You don’t “get there” and then sit back and pat yourself on the back. The law and its interpretation will evolve as courts address those issues that aren’t clearly defined, precedents will be set, new questions and new situations will arise, and maintaining compliance will be an ongoing process for as long as your org has dealings with the data of anyone residing in the EU.
Even if your org doesn’t handle the data of EU residents, that doesn’t mean you’re off the hook forever. Many U.S. privacy advocates, think tanks, and legislators have proposed that the country adopt laws similar to the GDPR to provide similar protections to Americans. They will be watching closely to see what the benefits, disadvantages, and unintended consequences of the GDPR turn out to be for member states, businesses, and individuals in Europe.
Although the legal systems, institutional structures, and cultures are different and it’s highly unlikely that Congress would adopt legislation identical to the GDPR, it is nonetheless likely that new and stronger privacy protections will find their way to U.S. shores. The GDPR has, if nothing else, given most businesses a head start on complying with new U.S. privacy laws if and when they arrive.