Time is running out for companies to make significant changes to their data policies. But the biggest problem isn’t finding the time to make the changes before they go into effect; it’s the fact that many organizations don’t know the new rule applies to them.
On May 25, 2018, the European Union (EU) will begin enforcing new privacy standards that are more stringent than previous practices and guidance. The scope of the privacy requirements in the General Data Protection Regulation (GDPR) mean that many foreign companies, including those based in the U.S., will need to update their data collection and monitoring practices to be in compliance. All companies that work with individuals in the EU will need to take a crash course in the GDPR regulations to be ready for the rollout. The buzz around the GDPR is already underway. Having to separate fact and fiction from the information out there doesn’t make preparing for the GDPR any easier. The following may help debunk some of those myths and provide guidance with how you can take steps toward ensuring any necessary compliance.
Fiction: GDPR and ePrivacy Only Impact Businesses That Are Established in the EU
Businesses are subject to compliance with EU privacy law if they meet any of the following criteria:
- Provide goods and/or services to persons in the EU (regardless of citizenship or residency), OR
- Perform data processing of the protected data on behalf of any person or organization, regardless of where the data came from (e.g. parent organization provides data to subsidiary, sister organization provides data for processing support, company acts as third party for data hosting), OR
- Perform marketing activities, either through the internet or other telecommunication methods (e.g. emails, newsletters, phone calls) to any persons in the EU.
One of the biggest struggles companies will need to tackle is where their data comes from. Knowing the transaction was provided to an individual with an EU mailing address is not the basis for subjectivity. Rather, companies will have to ask whether that individual was in the EU when the transaction occurred.
Fiction: As a Business, We Collect an Immaterial Amount of Data from the EU so the EU is Not Interested in Us
While the latter part of this statement might be partially true in enforcement, the Regulations do not include how much data collection is necessary to require compliance. A single data subject from the EU is enough to trigger a need to comply with these laws.
Organizations often collect data at multiple interaction points. Knowing what these interaction points are and being able to identify which ones could be pulling in data from an EU subject will significantly help an organization understand the scope of compliance. Hypothetically, an organization could make the determination to eliminate a data collection point from potential EU subjects to aid in alleviating their compliance needs if it determines the data historically collected is of an immaterial benefit to the organization.
The EU understands not all data is considered equal. Certain types of data are considered more sensitive than others (e.g. political views, religious views). Privacy decisions can be made on a risk-assessment basis. The EU may consider this a good faith effort to address the more risky privacy requirements relative to the data subjects, while preparing a road map to meet the full scope of the Regulation’s requirements. While it is impossible to know for sure without precedence, we do not expect significant fines will be placed on an organization if it makes a good faith effort to address/work toward addressing the Regulation requirements.
Fact and Fiction: GDPR and ePrivacy Are Legal Issues
European laws are drafted in a way that attempts to leave little room for interpretation or “loop holes.” GDPR and ePrivacy are not intended to be negotiated as their basis is to protect the fundamental right to privacy of EU peoples.
Review of the principles of the law show that application of GDPR and ePrivacy is a company-wide effort to understand and mitigate risk. Information security will be at the heart of this effort because the company serves as the protector and facilitator of the covered data. The data controller, the person(s) who determine what data is collected and how it is used, are also pivotal to the equation. Any department that touches the data would also need to be involved, including, but not limited to, Human Resources, Marketing, and Finance.
Fiction: The U.S. Has Adequate Protection Regulations. If I’m in Compliance with U.S. Law, I Will Meet the Requirements of GDPR
How privacy is treated in the EU is why the GDPR is so fundamentally different than U.S. privacy requirements. The EU provides its peoples the right to respect for private and family life.
While practices performed under U.S. information security compliance frameworks will greatly assist an organization in its GDPR compliance, the frameworks still leave aspects of GDPR unaddressed, such as the right to portability (the ability to ask for your data from an organization and to have the organization purge it from all its records). The data covered under a U.S. compliance framework might not include the data being collected from EU persons that are subject to GDPR.
Another framework known in the privacy space is Privacy Shield, which was developed as a means for a U.S.-based company to establish themselves as “adequate” for cross-border data transfer.
While becoming Privacy Shield certified might seem like the golden ticket to a U.S. company, there are a couple of nuances which should be clear. Privacy Shield is directed at U.S. companies who serve as processors for an EU company, not for a U.S. company that is the controller of the data from the covered persons. This means that a U.S.-based company who transacts directly with EU covered persons cannot assume compliance with GDPR simply by being Privacy Shield certified.
Another nuance worth noting is Privacy Shield is only available to companies which the FTC or DOT have jurisdiction over. This is because without an authoritative body, a self-certification is only as enforceable as the paper it is written on. A number of U.S. banks, financial services companies, telecommunication companies, and others do not currently have a method to certify under Privacy Shield.
Lastly, continuing litigation within the EU is constantly challenging the validity of Privacy Shield. When GDPR goes into enforcement, there can be no guarantees which way the European Commission or European Court of Justice will swing on whether Privacy Shield remains an adequate method for cross-border data transfer.
Fact and Fiction: Privacy Laws Are Driven by EU Member States
The EU has the power to enact and enforce laws such as the GDPR, and it has the power to pursue cross-border companies including international companies interacting with EU persons.
That being said, it is important to note member states have the opportunity to further define the GDPR principles, which means understanding member state specifics is relevant. These interpretations are still in the early phases of being formalized, and will require proactive awareness in order to ensure adequate compliance.
Fact and Fiction: The EU Has No Ability to Enforce EU Laws Across International Borders
The EU maintains its right as a government and authoritative body for a company that has an established branch or representatives in the EU. For U.S.-based companies that do not have any established branches or representatives in the EU, enforcement gets more complicated. History has proven it can still be done with the assistance of the U.S. authorities, such as when EU fined Google $2.7 billion in 2017.
Fact: Fines Issued Will Range in Severity Where Noncompliance Is Identified
The EU has been clear that the May 2018 deadline is not an all-or-nothing compliance expectation for which any organization found with gaps will be issued fines of €20 million or 4 percent of global revenue, whichever is greater. While it is impossible to say without precedent, we expect the hefty fines will be reserved for organizations identified as intentionally negligent or that experience a security breach that causes personal damage to protected EU persons.
Now That I Understand Some of the Nuances, What Else Should I Know?
It is essential that companies evaluate the new rules closely. An outside provider can assist with assessing and analyzing the applicability of GDPR, including which parts may apply. The first step is to establish what data you are collecting, where it is coming from, and where it is going (both internally and externally). From there, organizations should re-evaluate their data against the new criteria and determine whether they still have a legal basis to collect and process that information. This could mean data needs to be purged from the systems and re-collected in a lawful manner.
Once these initial two steps have been completed, compliance can be addressed through a risk-based remediation road map against the frameworks’ attributes. Understanding and interpreting risks requires technical understanding and judgment based on information security practices. Being able to gather timely evidence for compliance also requires the establishment of formal policies and metrics.
If you have specific comments, questions, or concerns about EU’s new data protection regulation requirements, or would like assistance in assessing and analyzing their applicability to your business, please don’t hesitate to contact a member of our IT Risk & Security management team.
Related Reading
Copyright © 2018, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).