The Global Data Protection Regulation (GDPR) is set to go into effect across the European Union in May 2018. Following a general trend both in Europe and in the United States, the GDPR significantly ratchets up the data privacy obligations imposed on companies, with the goal of further protecting citizens from the dissemination of their data. As one observer noted, the GDPR represents a major step toward a single digital market. Yet, with Brexit now reaching finalization and other consequential elections on the horizon, many have questioned whether the GDPR will ever come into force. This article examines why the GDPR is likely to go into effect and why it is likely to have a significant impact on American businesses.
No matter where one stands on the merits of the English Brexit, the fact is that some measure of international cohesion with respect to data regulation is probably necessary and desirable. The question is what impact will be felt from these regulations in the wake of the Brexit. Although the timetable is not firm, it is highly likely that Britain still will be part of the EU in May 2018, in which case the GDPR will automatically go into effect for British subjects. And even upon departure, if Britain joins the European Economic Area, the GDPR will continue to apply with some minor exceptions and caveats. In either scenario, British regulation will substantially mirror the GDPR. Indeed, even if Britain completely severs relations and the GDPR ceases to apply, recent statements from British politicians across the political spectrum indicate that further cooperation with the EU on this issue is likely. It would be very counterproductive to foist compliance with an entire regulatory regime on British businesses for a period of time only to rescind all such regulations, thus imperiling the ability of a British firm to hold European data subject to the GDPR. Therefore, it is unlikely that the Brexit will have a meaningful effect on the scope and application of the GDPR.
The GDPR expands the EU’s regulatory jurisdiction significantly, and it is likely to apply directly to a significant number of American entities. It regulates data controllers or processors outside the EU whose processing activities relate to the offering of goods or services to EU citizens or the monitoring of EU citizens. So the GDPR will apply not only to Facebook and Google, but also to most entities doing any type of business in the EU that rely on and retain information about individuals. In short, lots of businesses in the U.S. will end up being data controllers or processors.
Much of the commentary in the U.S. thus far has focused on the need for subject entities to designate Data Protection Officers (DPOs). This requirement may very well create thousands of new positions, but the aspect most likely to get the board’s attention is undoubtedly the fines. The fines for the worst violations are nothing short of huge: 4 percent of annual worldwide “turnover” (revenue) or €20 million, whichever is higher. The goal of these numbers was to get the attention of the most senior executives, and on this score the GDPR surely succeeds. Regulators have urged boards to focus on privacy issues and consumer protection for years, and now they have a new, substantial weapon in their arsenal.
Additionally, the data security and breach notification requirements are stricter than almost any American regulations and will therefore require a recalibration of existing policies and procedures to meet a new and higher standard. Article 32 of the GDPR provides specific recommendations for data security risk management such as “the pseudonymisation and encryption of personal data” and “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” These are only recommendations, but they are more specific than the vague references to reasonableness in most current regulations. In addition, under the GDPR, the window for reporting a data breach to a Data Protection Authority (DPA) is reduced to only 72 hours. Thus, in many important respects, GDPR compliance will represent the new, more exacting standard for many American businesses.
The GDPR is coming, and politics won’t stop it. Its momentum, at this juncture, is likely to carry it through to full recognition in Europe. And it is likely to impact a host of American firms, requiring a recalibration of existing policies and procedures to address the storage and processing of European data.
Christian Auty is a Principal in the Health Care Law practice group at Chicago-based law firm Much Shelist. He has an established reputation as a strong client advocate and is well versed in issues that arise at the intersection of law and technology.