The European Union’s General Data Protection Regulation (GDPR), Europe’s response to the digital age and the accompanying collection of personally identifiable information on a massive scale, goes into effect May 25. It harmonizes privacy guidelines across the 28 EU member states, but the implications of the GDPR reach much further — it’s causing businesses across the globe to reevaluate how they collect, store, and use data and could affect the US government’s approach to privacy moving forward. It could also cause a few problems.
What is the GDPR?
In a nutshell, the GDPR aims to create “digital rights” for EU citizens, requiring companies that collect or use personal data to ask for consent from their users or customers. To comply with the GDPR, a company must protect information such as users’ internet protocol (IP) addresses and cookie histories in addition to data such as names, addresses, government ID numbers, biometrics, race or ethnicity, sexual orientation, political opinions, and tagged photos. All organizations that collect personal information (including third-party vendors) are considered data controllers and are accountable for any data collected, processed, or disseminated on an EU citizen. This includes companies that maintain databases containing personal data, even if they do not have a physical presence in the EU.
The GDPR requires organizations to establish policies, procedures, and response structures to address issues that may arise around GDPR-protected information. For example, GDPR compliance requires organizations to define processes for how data is managed and protected and requires breach notices within 72 hours of incidents. They also have to be prepared for requests from EU citizens, who have the right to ask for their information to be corrected, updated, or deleted by the organization holding the data. Organizations that don’t comply with the GDPR will pay a heavy price, such as fines of up to 4 percent of annual global revenue for mishandling customers’ information or for a security breach that is not reported correctly. This potential penalty has garnered the attention of corporate general counsels and data protection authorities around the globe. Since much of the data that will be protected by the GDPR is currently collected by firms to create profiles on clients to be sold for marketing and advertising purposes, the dynamics of regulatory risk versus monetary reward are about to change.
Problems on the horizon
The right to be forgotten is pitted against the right to be informed. One potential challenge of the GDPR requirement to keep identity data private is that this information is currently used by law enforcement, cybersecurity professionals and researchers, and trademark and intellectual property rights holders to identify bad actors who are committing security or legal violations on the internet. The publicly available data that is used to inform threat intelligence networks, find bad actors, and block them from accessing networks will no longer be available under the GDPR. I’ve discussed the security implications of the GDPR in a previous blog, as well as how it is upending the domain name system. Businesses are also having a difficult time understanding the scope of the GDPR’s requirements.
Implications for the US
In the US, the central question for privacy regulation is why the data is collected rather than on whom data is collected. Instead of a blanket requirement for the protection of individual privacy, US laws and regulations address data collection industry by industry: The Health Insurance Portability and Accountability Act protects specific health care information; the Fair Credit Reporting Act provides consumers the ability to view, correct, contest, and limit the uses of credit reports; and the Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
According to a recent PricewaterhouseCoopers survey, 77 percent of US companies expect to spend about $1 million or more to comply with the GDPR. Companies with the capability to separate and migrate data are moving quickly to transfer customers’ data physically located in the EU onto servers in the US. If located in the US, data on users that aren’t EU citizens will be governed by US privacy laws instead of the GDPR.
Privacy has dominated headlines in the US with the recent congressional hearings on Facebook, but the hearings also brought to light that most internet users quickly click through terms of service without reading them to gain access to an application or a website. With consumer data privacy under such a hot spotlight, one may wonder if the US will be next to enact sweeping privacy regulations. Will Congress make a concerted push toward a national privacy standard for consumer information? Or will the practice of clicking and collecting stay the same in the land that created today’s social media marketing machines? Sens. Amy Klobuchar (D-MN) and John Kennedy (R-LA) have released a public outline that mirrors much of the GDPR guidance. Their draft outline for legislation focuses on information gathering by social media platforms and on creating rights for consumers.
Technology too can help inform consumers. Transparency and parity of information gathering can resolve many of these challenges without slowing the evolution of technology.
Five suggestions for managing the GDPR compliance challenge
- Find out what data your organization retains on your customer base through an audit process. Key questions for an audit are: What data do you maintain on your customers? Where is it located in your systems? Why are you retaining it? What value does it have to your business, and is it worth the new risk? In addition, how long you retain data carries legal obligations in certain industries, and your audit should take these legal liabilities into account.
- Understand the GDPR’s definition of a “natural person” and its retention and deletion obligations. Your legal team should know whether you are a controller or a processor of data on individuals. Consider appointing a data protection officer to be a point of contact for any European Union country that may have questions or concerns about your data collection and retention policies.
- Review service level agreements with any contracted third-party provider to ensure they are GDPR compliant.
- Consider where you locate your data centers. Moving data centers may be easier if you use a cloud-based database provider who can discern who your EU customers are and segregate their data on a separate server.