By Todd Ruback, CPO Ghostery Inc
Privacy is the new black but with the EU’s incoming General Data Protection Regulation (GDPR) coming into force, businesses need to understand the high level requirements and not leave it to the legal department to ensure compliance. There’s too much at stake.
The EU, already well established as a privacy centric zone, has stepped up its game with GDPR. This regulation has the effect of a singular law that aims to give back control of personal data to the European citizen. A secondary goal, aimed at corporations, is to give compliance certainty to organisations doing business in the EU, so they only have to comply with one law instead of twenty-eight. Noble concepts indeed, but execution will be difficult.
The GDPR applies if you offer your wares to anyone in the EU and as a result will become a de facto global privacy law, unless you don’t plan to sell to the EU. Already many multi-nationals are considering whether they should simply standardise to the GDPR globally, since it is one of the most prescriptive privacy laws in the world. Comply with this, the theory goes, and you comply with 80% of the privacy laws around the world.
What’s tricky about the GDPR is that although it doesn’t come into effect until May 18, 2018, there isn’t a lot of time to act. Seasoned executives, like myself, may be thinking that GDPR will be 2018’s Y2K moment.
In short you’ll most likely need to form a cross-functional GDPR team to undertake a gap analysis and baseline your present privacy practices against future requirements and then create a roadmap to compliance. Getting budget, issuing RFPs to law firms, consultants and vendors, as well as implementing and testing GDPR solutions will take time. Similar to Y2K, you would be wise to consider non-compliance on May 25 as an end of existence event, at least as it pertains to your job.
Here’s what you need to know:
Application – The GDPR applies to all countries in the EU. Outside of the EU, the GDPR applies to any organisation that sells or offers its goods or services to a EU citizen.
Consent – To put people back in control of their personal data, a set of new individual rights are codified and bestowed upon the person, while organisations they are doing business with will have new obligations. The onus is upon organisations to inform consumers of their new rights and obtain consent, unless you have a “legitimate interest” in collecting certain data ¬– but that is legalese and won’t apply to most businesses. In broad terms, bundled consent buried in the footer of a website’s terms of use policy will be no good under the GDPR. Consent can’t be a take it or leave it proposition, and before it can be obtained meaningful notice needs to be given of the individual’s new rights in an easy to understand and concise format.
Companies will need to be transparent about what they collect, how it’s used, and if the information is to be used for something new, the consumer needs to be informed. In addition, businesses need to know exactly what data is collected about people and inventory and categorise it across their enterprise. Why? Because the law says a person has the right to access their data and request it be erased (right to be forgotten), or given to them in a readable format (right to portability). If you allow tracking, the GDPR calls it “profiling”, on your websites or apps, then you need to provide a mechanism to object or opt-out. If the tracking has a legal effect, i.e. to make a decision on someone’s credit worthiness, there is a higher consent requirement.
Although nuanced getting up to speed quickly is key as the GDPR will affect everything your business does. In fact, organisations will be required to conduct an annual privacy impact assessment to see how their processes impact a consumer’s privacy. Your internal compliance group also needs to implement new enterprise-wide data protection policies that are maintained and documented. All of this rolls up into a meta-requirement to have a comprehensive review and analysis of all processes and workflows, from websites and apps, to customer service, order fulfillment and beyond, and it all needs to be documented and available. If there is a privacy risk to the consumer, a control needs to be implemented.
The risk of ignoring or not acting upon the incoming legislation is some hefty fines. The GDPR has enforcement teeth and the data protection regulators, those empowered with protecting the data and privacy of the EU citizens, are empowered with staggering authority to impose two levels of fines. The first tier allows for discretionary fines of up to 2% of a company’s annual gross revenue or €10 million, whichever is greater. Fines at this threshold are transgressions such as not properly notifying a supervising agency or individual about a data breach or not properly designating a data protection officer. The second tier allows for the imposition of fines of up to 4% of annual gross revenue or €20 million, whichever is greater. Fines at this level are for transgressions against the basic principles of data collection and processing, including not gaining consent properly, or other violations of the new data rights mentioned earlier.
If your organisation finds itself before an enforcement agency, believe me when I say it can be a career defining moment. It’s not time to panic yet, but it is time to get involved. Reach out now to the General Counsel and get the conversation going. GDPR compliance will require the efforts of a cross-functional set of empowered high-level executives with the authority to get budget and push out compliance. Like Y2K, however, the clock is inexorably ticking, so sooner is preferable to later.
