EU GDPR demystified: a straight-forward guide for US firms (PART 1)

Ahhh GDPR, the EU General Data Protection Regulation (EU-GDPR), the new European data legislation that revamps 20-year-old data protection laws to align with our digital age. It’s a radical and unprecedented piece of legislation, whittled down to a whopping 99 Articles, categorised in 11 Chapters.

Ugh.

AS if 99 articles isn’t bad enough, the effective date is coming sooner than you think….. May 2018, less than a year away.

Some of you, we know, are facing it head on, grappling with how to minimize the disruption to your operations, while others are hiding in the weeds…like a duck in full hunting season.

Now before you assume this EU stuff doesn’t apply to you or your non-EU-based firm, think again: the punishments are pretty severe if organizations are caught mishandling personal or sensitive data of EU residents, let alone citizens.

This law does indeed apply to organizations based outside the EU, too, like the United States, Canada or China.

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR),” said Jay Cline, PwC’s US privacy leader.

It doesn’t surprise me that we are now in the midst of a scramble to get atop the GDPR bandwagon. The fracas has indeed highlighted a few GDPR-related problems.

First, there are a number of firms out there basically scaring the wits out of companies, trying to charge an arm and a leg to those who might require very little change, if any,  in how they process data.

According to recent PWC research, 68% of firms over 500 employees surveyed said they are planning to spend between $1-10 million USD to address GDPR obligations.  Are we surprised to hear that this is a rather frightening amount of moolah for the majority of mid-sized companies out there?

Other technology firms are presenting GDPR as a great business opportunity in disguise – that full compliance will give your business edge. (Pllllease, I doubt that any firm impacted by this legislation is seeing this as an exciting opportunity. While the legislation may be great for EU residents who will gain increased power over their own personal data, few – if any – data controllers and processors are relishing the new GDPR responsibilities, or indeed the associated liabilities.)

Rather than peddling fear or citing business opportunities, we’ve created:

EU GDPR demystified: a straightforward blog series for US firms

The focus here is simple: help US-based organizations understand whether they are impacted by the new GDPR legislation, and what they should be doing right now if they are.

We’ll also help you get to grips with the fundamentals of this European GDPR legislation, so you are armed with the right questions and recommendations should you need to seek external advice or assistance.

Knowledge is most definitely power in this game: the more you know about this, the less likely you are going to be fleeced by one of these cybersharks, similar to those who were circling around during the turn of the millennium.

The first thing to do is to find out is whether your organization is affected by the EU-GDPR regulation, coming into full force in May 2018.

Note that GDPR does NOT apply to every organization in the world. It definitely applies to all organizations that are established in the EU. For organizations outside the EU, the GDPR may or may not apply.

So step 1: Find out if GDPR applies to you.


EU-GDPR EXPLAINED


EU- GDPR (EU General Data Protection Regulation) is the new EU legal framework designed to provide the foundation for how global firms and agencies around the world must protect personally identifiable information of EU residents. The legislation also places limitations on what data can be used and how it is processed by an organization.

Aside: this is an awesome – in the true sense of the word – piece of legislation. It’s been taking shape since 2012, when the EU started scoping out the legal requirements of how personal data of EU residents should be handled. GDPR was finally was adopted by the Council of the European Union and the European Parliament in April 2016, and will become enforceable throughout the European Union in May 2018, following a 2-year post adoption grace period (half of which is already gone!). 


HIGHLIGHTS: EU-GDPR LEGISLATION


1. GDPR clearly defines the roles and responsibilities of data ‘processor’ and data ‘controller’:
Controller means the “body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processors means a “body which processes personal data on behalf of the controller”

“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

See Article 4 and 24

2. GDPR requires clear user consent for personal data processing.

The data controller must “demonstrate that the data subject has consented to processing of his or her personal data.” The “request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”

See Article 7

3. Requires parental consent to process any data from kids under 16.
“Where the child is below the age of 16 years … processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”
See Article 8

4. Gives EU residents more control over data. Users can request their data in a common format, that their data be transferred to another party or that all their personal data be erased.

“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.”
See Article 16

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”
See Article 16, 17, 20

5. Baking data protection capabilities into system design.
Affected organizations will need to “implement appropriate technical and organisational measures, such as pseudonymisation”, designed to implement data-protection principles, such as data minimisation. They must also “integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
See Article 25

6. Demands mandatory notification of data breaches within 72 hours.
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent”
See Article 33

7. Hefty fines up to 20M Euros for non-compliance.
“Non-compliance with an order by the supervisory authority … shall …. be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
See Article 83


IS GDPR APPLICABLE TO YOUR FIRM?


If you collect or process personal data drawn from European subjects, GDPR applies to your organization, regardless of the country in which you are based or from which you operate, or where geographically the data is processed.

EU-GDPR applies to data ‘controllers’ and ‘processors’.

Data Controllers: The controller says how and why personal data is processed: GPDR also places additional obligations on controllers with regards to contracts with processors – these must now comply with the GDPR regulations too. In short, data controllers will be liable for the actions of their selected data processors.

Data Processors: GDPR places specific legal obligations on processors. Say you maintain records of personal data and processing activities, including those of EU residents. Under GDPR, you face a much bigger legal liability if you are responsible for a breach. GDPR provides guidance and obligations for how you should process data to align with the EU’s GDPR legislation.

“Take the example of a retailer outsourcing its database functions to a cloud provider. Currently, if there’s a data breach then it’s the retailer that’s liable for damages. Once the GDPR comes into force through national laws, that liability will be shared between the retailer and the cloud provider (or, in jargon-ese, the “controller” and the “processor” of the data),” wrote David Meyer in Fortune.com


GDPR QUESTIONS


If you answer Yes to any of the following questions, we recommend that you sit up and pay attention:

  • Your organization has an establishment in the EU;
  • Your organization has no establishment in the European Union, but it process personal data of European residents (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR).
  • Your company employs more than 250 employees
  • Your company employs less than 250 employees but your data processing
    • impacts to the rights and freedoms of data subjects,
    • is not occasional, and/or
    • includes special categories of data or sensitive personal data*
    • relates to criminal convictions and offences.

*The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.


TBG SECURITY RECOMMENDS


Your first task is to determine whether you are impacted by EU-GDPR. This means having a clear understanding of what personal data of European residents you collect and how you process it.
In our next post, we will look at what constitutes personal data according to GDPR and clarify some of the new requirements for personal data processing and pseudonymization techniques.


MORE ON GDPR:


Here is some further reading on GDPR.


If you need help getting your head around EU-GDPR, get in touch. We’re experts on compliance and we’re here to help.

Previous ArticleWe’ve all got password fatigue, but are NIST’s new policies wise? Next ArticleEU GDPR demystified: a straightforward reference guide for US firms (PART TWO)