With Europe’s General Data Protection Regulation (GDPR) set to take effect on May 25, 2018, legal teams across the world—including those in the United States—should be preparing for the new requirements affecting organizations inside and outside of Europe.
As we explain below, you don’t have to have physical operations in Europe to be affected by the GDPR, and failure to prepare can have severe ramifications, including crippling fines.
Directives, Regulations, and Federalism
People are often amazed at the diversity of laws in the various states of the United States. US federalism, where the national government shares power with state and local governments, results in often conflicting laws.
Data protection laws in Europe have had variances, as well. The difference between a directive and a regulation is important.
Under what is known commonly at the 1995 Directive—officially, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data—European data protection law is somewhat like the federalism of US law.
In the US, one has 50 states, a federal district, and various territories making laws. At the same time, the EU—at least for the moment—has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). They make different laws that sometimes contradict each other. The 1995 Directive, which took effect in 1998, provides guidance, but Europeans sought a regulation that would harmonize European data protection laws.
Enter the General Data Protection Regulation (GDPR), which will become effective May 25, 2018. In this article, we’ll examine the rationale behind the new regulation, analyze the provisions of the GDPR, and let you know how you can prepare for next May.
Data Law Harmony in Europe
As an initial matter, we should note that—although many observers say simply the EU GDPR—the new regulation actually affects more than merely the EU.
First, the regulation itself is not merely for the 28 member states of the European Union. It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. The GDPR is being integrated into the 1992 EEA Agreement.
Second, if you’re sitting in Des Moines, thinking, “I don’t care what the Europeans do, I’m in Iowa,” you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals—regardless of the organization’s location.
Yes, Des Moines, that means you, too.
At first glance, one would think the GDPR is good for cross-border business and for e-discovery with Europe. After all, with data protection laws and regulations harmonized among the 31 EEA nations, things should be easier, right?
The problem is that some of the new provisions make European data protection law even more different from US law, a big challenge for international business and litigation.
To put the provisions of the GDPR in context, we should note the United States and Europe have very different views of data privacy.
In the US, we tend to put greater value on free speech—and the right to evidence in litigation—than we do for data privacy.
In fact, contrary to what many Americans think, there is no specific right to privacy in the US Constitution.
American courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. However, the original document is silent on the issue of privacy, and it wasn't until 1965 that the US Supreme Court articulated an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
Contrast that with Europe.
From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact—unlike in the US—privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights.
Controller v. Processor
When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant.
Article 4 of the GDPR provides the following definitions:
A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance.
Processors do have certain limitations. For instance, GDPR article 28 provides that processors may not engage another data processor without permission of the data controller.
Processors, too, must implement proper controls, and article 83 provides that GDPR fines apply to both controllers and processors.
One of the biggest data protection changes coming with the GDPR comes in the form of substantial fines. GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
Data Breach Notification
One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals. Critics worry the 72-hour notification is unrealistic at best and counterproductive at worst.
Right to Erasure
Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
Data Protection Officers
Another GDPR requirement is that companies appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, during negotiations on the GDPR, the number of organizations required to have a DPO was reduced substantially. Although almost all public organizations will have to have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information will have to have them. Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
Given these new requirements, how should you be preparing for the GDPR? We have a few tips:
Obtain ISO 27001 Certification: Promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the international standard for data security.
ISO 27001 certification requires that an organization examine its information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats. ISO 27001 certification won't ensure complete compliance with the GDPR, but it will go a long way.
Hire a DPO or CISO: Hiring a data protection officer (DPO) is no longer a requirement for many companies under the GDPR. As we noted above, original drafts of the regulation required far more organizations to have a DPO, but just because the GDPR doesn't require you to have a DPO doesn't mean you shouldn't. Having a DPO or a chief information security officer (CISO) can help in achieving GDPR compliance and ISO 27001 certification.
Hire a Consumer Data Ombudsman: Consumers have far greater rights vis-a-vis their data under the GDPR. Unless you want your DPO/CISO or other staffers bogged down with incessant customer data demands, create a role or department specifically for dealing with requests and complaints from data subjects.
Use Consultants and the IAPP: Although the GDPR may be a wake-up call to many organizations, others have been monitoring and preparing for the GDPR during the years of negotiation. Consulting firms and organizations such as the International Association of Privacy Professionals (IAPP) can provide guidance, and the EU itself offers some insight.
Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.
However you prepare, time is of the essence. Next May will be here soon, and the EU will, in all likelihood, be making an example out of someone. Don’t let it be you.
David Horrigan is Relativity’s e-discovery counsel and legal content director. An attorney, law school guest lecturer, e-discovery industry analyst, and award-winning journalist, David has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research.