The General Data Protection Regulation (GDPR) recently went into effect on May 25, 2018. However, two tech giants already have complaints filed against them.
Both Google and Facebook swore they were ready to meet the strict requirements set forth by this legislation, which largely covering how the data of European Union (EU) citizens must be managed and protected. After only a single day of being in effect, both companies were accused of violating GDPR standards. Allegedly, the pair of tech giants gave users a choice; either opt-in to their data collection requests or delete their services. No middle ground was offered.
Additionally, the tech companies might not be meeting the requirements when it comes to securing “informed consent” from users, including covering what kind of data is needed for the service and why it is requested.
Ultimately, these amount to no more than complaints and accusations at this point, but it is a clear demonstration of how seriously European users are taking the matter.
What is the GDPR?
While GDPR was implemented in Europe, any company, regardless of their country of origin, must comply with this regulation. In April 2016, GDPR was adopted by the European Parliament as a replacement for outdated directives from 1995. It includes requirements that govern how businesses must protect and manage personally identifiable information (PII) associated with EU citizens for transactions taking place in EU member states. Additionally, GDPR outlines how PII can be exported outside of the EU.
GDPR applies in all 28 EU member states, creating a standard that applies to business operations that involve any EU customers. The standards set forth in the regulation are considered some of the most stringent ever put into place, impacting US companies that do business in Europe.
As mentioned, GDPR was implemented in Europe, but any company, regardless of their country of origin, must comply with the regulation if they collect PII on EU citizens. Failing to meet the requirements comes with strict penalties, including fines up to approximately $22 million or 4 percent of the company’s annual global turnover from the previous year. So having the proper systems and processes in place is an absolute must.
The Purpose of GDPR
GDPR was the result of increasing concerns over privacy, particularly when it came to PII. As companies began collecting and relying more heavily on customer data, issues regarding how the information was stored, gathered, and shared landed in the spotlight.
Wide-scale data breaches highlighted these issues, making people more aware of how vulnerable their data may be. GDPR aimed to create a standard that requires companies to take a hard look at their data security practices.
What is Considered PII Under GDPR?
In the US, personally identifiable information typically applies to specific kinds of information, such as customer names, addresses, and Social Security numbers.
However, under GDPR the definition of PII (referred to in the regulation as “personal data”) is broader, applying to a many forms of information that could create a re-identification path. For example, Google Analytics cookies can qualify under GDPR as well as IP addresses. Location data also falls under the umbrella as well as purchase histories associated with a credit card. Even MAC addresses associated with smartphones connected to company-supplied Wi-Fi are considered PII.
Anything that could potentially be used as a re-identification path by a company must be suitably protected under GDPR.
The shift to explicit consent is a significant requirement under GDPR. Previously, most companies required customers to opt-out of data collection or similar mechanisms. Now under GDPR, permission to gather data must be obtained.
In many cases, this requires a significant change in processes for companies. Businesses must clearly state that they are asking for the ability to collect and store data. This includes statements that explain how the information will be used, and request that customers opt-in. Without explicit consent, certain data cannot be collected.
Similarly, there are rules regarding the removal of data, should the consent be revoked. Regardless of when the information was collected, if an EU citizen decides they no longer what their data stored or used, it must be deleted in a timely fashion.
Failing to obtain explicit consent or remove the data once consent is revoked, can both carry stiff penalties regardless of whether the information is stored in-house or with a third-party.
Data Protection Responsibilities
One of the aspects of GDPR that left many businesses frustrated was the ambiguous nature of their terminology. Along with the loose definition of “personal data,” the “reasonable” data protection requirement also left many scratching their heads.
GDPR fails to fully define what is considered “reasonable.” This allows the governing body behind GDPR a significant amount of flexibility when it comes to determining whether a company is meeting the requirement.
However, even without a clear definition, most companies had to review their data security strategies and implement more robust systems to comply. In some cases, partnering with a third-party provider (such as a cloud services provider) was the more economical approach in comparison to internal implementation options.
This often involves having security measures in place that can monitor for improper access as well as data integrity. Identifying intrusions early gives companies the ability to attempt to stop the hacker from accessing protected information, or at least minimize the scope of a breach.
Monitoring for data integrity and authorized access patterns can alert businesses to breaches that may have otherwise been missed. This could include activities that may originate from an employee or someone else who has the credentials to access the systems.
It is important to remember that regardless of whether a provider is used, the company remains responsible for compliance. If a third-party provider falls out of compliance, your business is considered non-compliant. That means both of you can be penalized under GDPR.
Breach Reporting Requirements
GDPR has strict requirements regarding the reporting of breaches, and these apply to everyone involved.
At the core of this breach reporting requirement is a 72-hour window during which specific steps must be completed once a breach is discovered. This includes gathering related information and informing an appropriate regulator that an incident has occurred.
Companies must then identify what personal data has been compromised as well as determine how it was impacted. Then a comprehensive containment plan must be created, showing how the business will address the issue and any subsequent fallout.
In some cases, the company can provide justification if a delay occurs, providing the business with more time to meet the requirements. Though this creates an additional administrative burden and ultimately relies on a GDPR regulator to assert that the delay is in fact justified.
Informing any affected customers is also a must and needs to be completed without delay. However, there isn’t a precise window dictating when those notifications must occur, providing regulators with a significant amount of leeway when determining what is acceptable.
Failure to inform the proper authorities and individuals after a breach, as well as in a timely manner, carries stiff penalties.
Internal Employees Responsible for GDPR Compliance
There are several roles that are identified as being responsible for GDPR compliance. At the highest level is the Data Protection Officer (DPO).
A DPO is tasked with overseeing security strategies associated with data management and GDPR compliance. Having a DPO on staff is a requirement if a significant amount of data processed or stored by the company involves EU citizens, if the PII is particularly sensitive in nature, or if the company regularly monitors the activities of EU citizens.
At the next level are the data processors. These professionals process and maintain PII records on individuals, and may be internal staff members of third-party providers.
Data processors are considered liable under GDPR if a breach occurs as well as if issues of non-compliance arise. For example, if you use a third-party cloud provider for data storage and processing, both your company and the provider are liable (and subject to penalties) should a compliance issue or breach occur, regardless of whether the third-party alone is technically responsible.
Data controllers are the third identified position in GDPR. These professionals define how PII is processed for an organization as well as the purpose of processing the data. These individuals are responsible for ensuring third-parties comply with GDPR standards when it comes to the organization’s data.
Penalties for Non-Compliance
The potential penalties for non-compliance can vary depending on the nature and severity of the issue as well as how many people were impacted and the extent they will suffer as a result of the incident. Whether negligence is involved also plays a role and whether any steps were taken to mitigate the damage is also considered. Even the degree at which a company cooperates with regulators can be factored into the fine as well as how the regulator learned about the incident.
Failing to comply leads to a thorough audit, which can result in penalties including fines up to around $22 million or 4 percent of the company’s annual global turnover from the previous year, which ever is higher.
Companies that violate GDPR may be subject to lawsuits as well. Both Facebook and Google are already in the hot seat, being sued for $3.9 billion and $3.7 billion, respectively, by a privacy advocate. Whether the suits will result in awards is unknown, but this showcases the potential financial penalties that may come directly from users and those representing them.
Ultimately, GDPR is complex and requires businesses to take significant steps to protect and properly manage data. Failing to stay in compliance can lead to millions of dollars in fines and may even harm the company’s ability to continue to do business with all 28 EU member states.
If you are looking for more information about how GDPR affects US companies that do business in Europe or are looking to fill vacant positions that can assist you in managing GDPR requirements, the professionals at Solving IT can help. Contact us to discuss your organization’s needs today and see how our expertise can take the mystery out of GDPR.