EU GDPR: Past the Deadline, What's Next?
What is GDPR?
GDPR is a data protection regulation that became enforceable effective May 25, 2018, that standardizes and modernizes data protection regulations for the current digital economy. It imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
It applies regardless of location. Like the credit card commercial from years ago – it goes wherever your data want to be (i.e., goes where the personally identifiable EU resident data goes).
Past the deadline for possible enforcement, so now what?
Recent surveys indicate that most companies are not ready for the data security and privacy regulation and many don’t expect to be fully compliant by year end. After the deadline, enforcement actions are possible.
Penalties are expected to be applied per Article 83 – which allows EU supervisory authorities to impose administrative fines and calls for fines in each case to be “effective, proportionate and dissuasive”.
GDPR provides for two tiers of fines: (1) fines of up to 4% of an undertaking’s global annual revenue for the preceding fiscal year, or €20,000,000 (whichever is higher), can be levied for breaches of key data processing principles (such as lawfulness, fairness, transparency, purpose limitation, data minimization, storage limitation, integrity, confidentiality and accountability) or of data subjects’ rights (such as the right to be informed, right of access, right to rectification or the “right to be forgotten”), or for transferring personal data outside the EU without a valid ground or derogation; and (2) fines of up to 2% of an undertaking’s global annual revenue for the preceding fiscal year, or €10,000,000 (whichever is higher), can be levied for other breaches of the GDPR, including those concerning the principles of data protection “by design” and “by default”, the failure to designate a data protection officer, the failure to take appropriate security measures or the failure to duly notify data breaches.
Some recently published Article 29 guidance provides insight for those considering compliance priorities.
• “Undertaking” should be construed broadly as an economic unit engaging in the same commercial/economic activities, which may include the parent company and all relevant subsidiaries.
• A fine may not always be appropriate. A reprimand may be issued instead of a fine where a fine would constitute a disproportionate burden on a natural person; where the breach is a minor infringement; and where the infringer adheres to a code of conduct and the regulator considers that enforcement under the code will be sufficiently effective or proportionate.
• Regulators consider several factors when assessing the nature, gravity and duration of the infringement:
o the number of individuals affected relative to the total pool;
o the purpose of the processing (and whether the use was compatible with the specified purpose);
o the level of damage suffered by affected individuals; and
o the duration of the processing, as a longer duration may indicate willful misconduct or failure to take appropriate preventative measures.
• Regulators should take into account the degree of responsibility of the controller or processor. The degree of responsibility will require an assessment of, for example, whether technical, organizational and security measures were implemented by the organization (by design and by default).
• Notification to the supervisory authority matters. Failure to notify may be considered by a supervisory authority as an aggravating circumstance meriting a more serious penalty.
• Failure to follow the advice of your data protection officer may constitute an aggravating factor, as it could show that a breach was intentional. Other indicators include amending records which include personal data to give a misleading impression about targets being met, or trading personal data for marketing purposes without regard to data subjects’ consent.
• Other aggravating factors include not dedicating enough resources; previous infringements, where this indicates a general disregard for the data protection rules; and economic gain obtained from the breach.
• Actions taken to mitigate the impact on individuals may reduce the fine, for example taking timely action which prevents a breach from continuing or expanding, although guidance emphasizes that no credit will be given to organizations for simply complying with GDPR obligations.
If we haven’t started, what should we do?
GDPR lenience is more likely, in the short term, for companies that can show a good-faith effort. Educating the workforce, reviewing and updating privacy policies, ensuring customer notices are adequate, defining the personal data collected and establishing a legal basis for its collection are key steps. Consider your organization’s level of exposure to EU resident data (current and future). The business will be in a better position if it is able to demonstrate awareness and improvement efforts.
Besides avoiding fines, is there a GDPR value proposition?
Some organizations view GDPR as an opportunity to improve the policies and procedures designed to protect personal and private data and to establish more credibility and trust with their customers. According to a Cap Gemini survey, individuals are more willing to engage with, and be more loyal to, organizations when they are confident those organizations can and will protect their data. When convinced, individuals have increased spend with an organization by as much as 24 percent. But if consumers are unhappy with an organization’s privacy performance, over 70 percent said they are prepared to decrease spend, stop doing business with the organization, and warn their contacts.