The reason is that on May 25th, GDPR went into effect and if a business isn’t compliant, then hefty fines and penalties await.
What Is GDPR and Why Is It Necessary?
The General Data Protection Regulation (“GDPR”) is a legal framework that requires organizations to protect the personal data and privacy of people in the European Union (EU), covering transactions that occur within EU member states. It applies to any organization that processes such data, whatever its sector; banks, insurance companies and other financial firms are prominent examples, but they are far from the only ones.
The 1995 Data Protection Directive
In April 2016, the European Parliament adopted the GDPR, replacing the outdated Data Protection Directive of 1995 (Directive 95/46/EC). A directive must be transposed into national law, which lets each of the 28 EU member states adapt the rules to the needs of its own citizens; a regulation applies directly and uniformly in all 28 countries, with no transposition and no leeway. The GDPR is a regulation, so every member state is bound by the same text.
The issue with the Directive is that it is no longer relevant to today’s digital age. Its provisions fail to address how data is now collected, stored, and transferred. Like many regulations and statutes throughout the EU and U.S., it has not kept pace with technological advancement.
Exploring the GDPR
The full text of GDPR comprises 99 articles, setting out the rights of individuals and the obligations placed on businesses that are subject to the regulation. Its provisions also require that personal data exported outside the EU remains protected under the regulation. In other words, if your organization touches the personal data of people in the EU, you had better be compliant with the GDPR, even with no EU presence: under Article 3(2) the regulation reaches organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. A U.S. airline selling tickets to someone in the UK, for example, must comply even though the airline itself is located in the U.S.
It is a very high standard to meet, requiring that companies invest large sums of money to ensure they are in compliance. According to the EU’s GDPR website, the legislation is designed to “harmonize” data privacy laws across Europe, providing greater protection and rights to individuals.
Even before the Internet, Europe was the model for how personal data should be protected and regulated. The reason is that public concern over privacy has dominated the business sphere, ensuring that stringent rules on how companies use the personal data of citizens are always taken into account.
Two days ago, the UK enacted a new Data Protection Act, replacing the previous law passed back in 1998. Running 353 pages and full of complex provisions, it largely incorporates the provisions of GDPR, but it also fills in the areas where GDPR leaves member states room to legislate for their own citizens.
After months of learning about data breaches from companies like Facebook and Equifax, this couldn’t be more necessary. Even Mark Zuckerberg jumped on board in his testimony before Congress on Capitol Hill, believing GDPR to be a very positive step for the Internet.
What Data Is Protected Under GDPR?
With the enactment of GDPR today, two major protective rights should be highlighted. First, the right to erasure, or the right to be forgotten (Article 17): if you do not want an organization to keep your data, you can request its removal, and the organization must comply unless an exception applies. Second, the right to data portability (Article 20): you can obtain the data you provided in a structured, commonly used, machine-readable format and move it to another provider. Alongside these rights, consent must be freely given, specific, informed and unambiguous, so “opt-in/opt-out” notices to users must be very clear and precise about their terms.
GDPR requires a lawful basis and a clear justification for every processing operation; consent is one such basis and must be explicit and documented. Pursuant to the GDPR, the following types of data are addressed and covered:
(1) Personally identifiable information, including names, addresses, dates of birth, and national identification numbers
(2) Web-based data, including user location, IP address, cookies, and RFID tags
(3) Health and genetic data (HIPAA is a U.S. statute; it does not define this category under GDPR)
(4) Biometric data
(5) Racial and/or ethnic data
(6) Political opinions
(7) Data concerning a person’s sex life or sexual orientation
Items (3) through (7) belong to the “special categories” of Article 9, which also include religious or philosophical beliefs and trade-union membership; processing them is prohibited unless one of the conditions in Article 9(2) is met.
What Criteria Needs To Be Met?
As mentioned earlier, the GDPR requirements comprise a total of 99 articles, which is a lot of reading. Any company that stores or processes personal data about people in the EU must comply with the GDPR, even if it has no business presence within the EU. Companies are subject to GDPR if:
(1) The business has an establishment in an EU country; or
(2) Even with no presence in the EU, the company offers goods or services to people in the EU or monitors their behaviour.
The 250-employee figure often quoted alongside these criteria is not a threshold for applicability. It comes from Article 30(5), which exempts organizations with fewer than 250 employees from keeping full records of processing activities, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data or criminal conviction data. A ten-person company that processes EU residents’ data is still subject to the regulation.
How Do You Know If You Are Prepared?
Well, businesses have had almost two years to figure out how to ensure their compliance, so there should be no excuse for failing to comply. But, let’s be realistic: a large number of companies are going to get hit, hard. Today is the day all that effort is broadcast to the world of consumers.
#1 –Data Breach Incident Response Plan
The biggest sign of readiness is having a data breach plan or incident response plan in place. While most companies have some form of a plan in place, they will need to review, amend, and update it, ensuring full compliance with GDPR requirements.
This is only half the battle. You had better be prepared to execute it when a data breach occurs. Testing these plans is essential; otherwise, how will you know whether the plan actually works? Article 33 of the GDPR requires that companies notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; a late notification must explain the delay. Where the breach is likely to result in a high risk, Article 34 also requires notifying the affected individuals. How well the response team implements the plan and minimizes the damage is one of the factors (Article 83(2)) that determines how heavily a company is fined.
#2 –Hiring A Data Protection Officer (DPO)
The GDPR requires a data protection officer (DPO) in specific cases (Article 37): public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of data on a large scale. Other organizations may appoint one voluntarily. The regulation does not require the DPO to be a discrete position: the DPO may be an existing staff member with other duties, provided those duties do not create a conflict of interest (Article 38(6)), and the DPO may also work under a service contract (Article 37(6)). A group of undertakings may appoint a single DPO, which lends support to a “virtual DPO” as an option.
#3 –Create a Record or Log of Risks and Compliance Progress
Now that the clock has ticked its last tock, companies had better have an up-to-date record of the progress made over the past two years, showing the risks they identified and the measures taken to minimize or eliminate them. The Record of Processing Activities (“RoPA”) required by Article 30 is an inventory of each processing activity: its purposes, the categories of data subjects and personal data, the recipients, any transfers outside the EU, the retention periods, and a general description of the security measures in place. Risk assessment is tracked alongside it, and for high-risk processing through a data protection impact assessment (Article 35).
However, another question presents itself: who keeps the log, and how is it maintained? Manipulation, alteration, and fraud are still issues to be addressed, since a record that can be quietly rewritten after an incident is of little evidentiary value. In the era of blockchain, a log whose entries cannot be altered without detection could prove extremely useful for companies moving forward. The property that matters is tamper evidence: each entry should commit to the ones before it, and the current state should be anchored somewhere the log’s keeper cannot change, whether a public ledger, a timestamping service, or a copy held by the DPO.
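The following is an added example, not code from the original article, showing the tamper-evident log the paragraph above describes without requiring a blockchain: a hash chain over RoPA entries plus an externally anchored head hash. The entry fields follow Article 30(1); the two sample entries describe a hypothetical controller and are constructed for this example, and the “anchor” is simulated as a variable standing in for a value published outside the log.

```python
"""Tamper-evident Record of Processing Activities (RoPA) as a hash chain.

Added example (not from the original article). Each entry's hash commits to
the previous hash, so editing any past entry breaks every later hash. A
head hash anchored outside the log (ledger, timestamping service, or a copy
held by the DPO) additionally detects a wholesale re-chain by an insider.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # hash "before" the first entry


def canonical(entry: dict) -> bytes:
    # Deterministic serialization so an identical entry always hashes the same.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, entry: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


@dataclass
class RopaLog:
    entries: List[dict] = field(default_factory=list)
    hashes: List[str] = field(default_factory=list)

    def append(self, entry: dict) -> str:
        prev = self.hashes[-1] if self.hashes else GENESIS
        h = entry_hash(prev, entry)
        self.entries.append(entry)
        self.hashes.append(h)
        return h

    def head(self) -> str:
        return self.hashes[-1] if self.hashes else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Optional[str]:
        """Return None if the log is intact, otherwise a description of the problem."""
        prev = GENESIS
        for i, (entry, h) in enumerate(zip(self.entries, self.hashes)):
            if entry_hash(prev, entry) != h:
                return f"entry {i} altered"
            prev = h
        if anchored_head is not None and prev != anchored_head:
            return "head does not match anchor"
        return None


def sample_entries() -> List[dict]:
    # Constructed Article 30(1) records for a hypothetical controller.
    return [
        {"activity": "payroll", "purpose": "salary payment",
         "lawful_basis": "contract", "data_subjects": ["employees"],
         "data_categories": ["name", "bank account", "salary"],
         "recipients": ["bank"], "transfers": [], "retention": "7 years",
         "security_measures": "encrypted at rest, role-based access"},
        {"activity": "newsletter", "purpose": "marketing",
         "lawful_basis": "consent", "data_subjects": ["subscribers"],
         "data_categories": ["email"], "recipients": ["email service provider"],
         "transfers": ["US (standard contractual clauses)"],
         "retention": "until consent is withdrawn",
         "security_measures": "TLS in transit, access logging"},
    ]


def rechain(log: RopaLog) -> RopaLog:
    """What an insider with write access can do: rebuild every hash so a
    tampered log is internally consistent again. Only the anchor catches it."""
    fresh = RopaLog()
    for e in log.entries:
        fresh.append(e)
    return fresh


def demo() -> dict:
    log = RopaLog()
    for e in sample_entries():
        log.append(e)
    anchor = log.head()  # stands in for a head hash published outside the log

    results = {"clean": log.verify(anchor)}

    # Tamper 1: quietly shorten the payroll retention period after the fact.
    log.entries[0]["retention"] = "1 year"
    results["edited"] = log.verify(anchor)

    # Tamper 2: recompute all hashes so the chain itself looks intact.
    rebuilt = rechain(log)
    results["rechained_no_anchor"] = rebuilt.verify()
    results["rechained_with_anchor"] = rebuilt.verify(anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome or 'ok'}")
```

The second tamper case is the one to take away: a hash chain on its own only proves that nobody edited the log without also rewriting it, and whoever keeps the log can rewrite it. The anchor, whatever it is written to, is what turns the chain into evidence a regulator can rely on.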
How Does This Affect the US?
When it comes to US businesses, the GDPR requirements will force them to change the way they process, store, and protect customers’ personal data. Companies must implement “appropriate” technical and organisational security measures (Article 32), must have a lawful basis for holding the data (consent is one of six; performance of a contract and legitimate interests are others, Article 6), and must keep it no longer than necessary for the purpose it was collected for (Article 5(1)(e)). However, the regulation only gives examples of appropriate measures, such as pseudonymisation, encryption, the ability to restore availability, and regular testing, and does not define a specific standard. This could present complications when an incident occurs and a regulator must decide whether an organization did enough to minimize the damage.
Upon request, companies must erase personal data, a contrast with the Cambridge Analytica and Facebook data scandal that is still unfolding. The right to be forgotten is a powerful right and one we as citizens are all entitled to. However, it is not absolute: Article 17(3) carves out exceptions, including where another legal obligation requires an organization to retain certain data, such as record-retention requirements of the kind HIPAA imposes.
How Does This Affect Social Media Companies?
Your mind probably just jumped to Facebook and how this will affect social media networks. As we’ve seen since Mark Zuckerberg’s congressional hearing on Capitol Hill two months ago, many social media companies and online networks have already updated their privacy policies and terms of service in anticipation of today’s deadline.
Facebook’s response is going to be closely scrutinized by European regulators in the wake of the Cambridge Analytica scandal, as well as lingering concerns over the company’s data collection. The same goes for Twitter, although no comparable scandal has put it in the public spotlight.
Accountable EU Representative
If you think social media platforms are exempt from this regulation, your thinking is also outdated. Under Article 27, any organization that is not established in the EU but is subject to the regulation, social media companies included, must designate a representative in the EU who can be held accountable for the organization’s GDPR compliance in Europe.
Clear Privacy Notice
After hearing Zuckerberg’s testimony, it’s clear that users need to be presented with a simple and clear privacy notice that they can actually understand—not something that looks like a bulk collection of Harry Potter books bound together.
The Right To Be Forgotten
It will be interesting to see how these companies will deal with user requests for deletion of certain personal data. It is no longer safe for a company to assume that its customers or users are content with their personal data being held, seeing as most of them have no idea it is held until something unfortunate happens.
I asked Arizona internet attorney, Anette Beebe, what she thought about “the right to be forgotten” and how it affects our freedom of speech.
“In the EU, under the Right to Be Forgotten, people who were once bad actors have been able to sweep their history of wrongdoing under the rug. However, in the U.S., we value freedom of speech and providing people with more information, so they can make informed decisions, rather than hiding it. I can understand privacy and respect that, but I don’t respect a law that helps unscrupulous people hide from their misdeeds or have truthful, but unflattering, information taken down just because someone doesn’t like it.”
Beebe anticipates a wave of demand letters directed to website clients, asking for content to be taken down that in reality, has no chance of being taken down. “It will be interesting to see how the courts tackle these issues moving forward,” says Beebe.
What Happens If You Fail To Comply With GDPR?
Just ask Facebook and Google, targeted today by complaints from Austrian privacy campaigner Max Schrems seeking fines totaling roughly $8.8 billion (Facebook, 3.9 billion euro; Google, 3.7 billion euro) for alleged violations of GDPR’s consent rules. Specifically, the complaints allege that the way these companies obtain consent to their privacy policies is an “all-or-nothing” choice: users are asked to tick a small box in order to access the service at all. What happens if you don’t choose “I accept”? You’re denied service. The complaints argue that this is “forced consent” and therefore not freely given, pointing to Article 7(4), which says consent is presumed not to be freely given if use of a service is conditioned on consent to processing that is not necessary for that service.
Failing to adhere to the GDPR has steep penalties of up to €20 million, or 4% of global annual turnover, whichever is higher. Reports estimate that about half of U.S. companies that should be compliant on GDPR requirements by today, won’t be. There’s more to it than all those emails coming to your inbox about updated privacy terms.
According to a December 2016 PwC survey, 68 percent of U.S.-based companies expected to spend $1 million to $10 million to meet GDPR requirements.
But, some websites in the U.S. have decided to block their services entirely rather than adhere to the new regulations, going completely dark. Dozens of American newspapers are currently blocked in Europe and web services like Instapaper have suspended operations in the European Union for the foreseeable future.
The GDPR is no joke and nothing to mess around with. Today is a big day for every business and organization in the world. Let’s hope that the companies we are loyal to are loyal to us.
This article is by Andrew Rossow, an Internet Attorney in Ohio and a Contributor for Forbes. This article is a repost from Forbes and can be found here.