By John DeMarzo, Risk Advisory Services Associate | Cybersecurity Services Team
In April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR), which will become enforceable on May 25, 2018. The regulation will affect all companies that use personal data of European Union (EU) citizens to provide goods and services or monitor their behavior, among other purposes.
All companies with more than 250 employees that store or process personal information about EU citizens that reside in the EU is subject to the GDPR. Companies with less than 250 employees are exempt from GDPR unless the company processes data that impacts the rights and freedoms of EU citizens, is not occasional, or includes certain types of sensitive personal data, e.g. racial or ethnic origin, political opinions, etc. This includes companies who have no physical presence in the EU, but process personal data of EU citizens.
The regulation also provides substantial financial penalties for companies who are not in compliance with the regulation: the greater of up to 20 million euros (approximately $24.8 million as of mid-April 2018) or 4% of the company’s prior-year revenue. In addition, slightly less punitive penalties — up to 10 million euros (approximately $12.4 million as of mid-April 2018) or 2% of prior-year revenue — can be imposed for companies that do not comply with data breach notification requirements.
Here are some of the key elements of the GDPR:
Processing responsibility and data protection impact assessments.
The data controller is responsible for determining and retaining records describing what data is to be collected and how it is to be processed and stored.
The data controller will also be required to conduct a data protection impact assessment when (1) new technologies are used to process EU citizen personal data and (2) there exists a high risk to the rights and freedoms of these citizens. Article 35 of the GDPR states the assessment must contain a description and purposes of the intended data processing, an assessment of risk to the rights and freedoms of EU citizens, and intended safeguards, security measures, and mechanisms to protect data. Examples of safeguards could include, among other things, encrypting data at-rest and in-transit.
- Data protection officer (DPO) appointment.
Certain companies, such as companies which process large amounts of data or special categories of data such as racial or ethnic origin, political opinions, etc. will be required to appoint a DPO, who will be responsible for monitoring and enforcing compliance with the GDPR. The DPO will also serve as the liaison between the company and regulatory bodies. Article 37 of the GDPR states the DPO must have expert knowledge of data protection law and practices.
- Data subject consent.
Consent from data subjects, EU citizens, is now required before their personal data can be processed unless certain conditions apply, such as data processing being compulsory to comply with a company’s legal obligation. Consent from the data subject must be clearly distinguishable and in an intelligible and easily accessible form, using clear and plain language. In addition, custodial consent must be obtained for all potential data subjects under 16 years old. Data subjects will also have the right to withdraw their consent to have their data processed at any time.
- 72-hour breach notification rule.
In light of the number of data breaches in the news recently, perhaps the most important element of the GDPR is the 72-hour rule, which states that data controllers must notify the appropriate supervisory authority of a data breach within 72 hours of becoming aware of said breach, unless the breach is unlikely to result in a risk to the rights and freedoms of EU citizens. If notification is not made within 72 hours of the data controller becoming aware of the breach, an explanation as to why must be offered.
This adds to the already complex breach notification rules faced by US companies, which, prior to GDPR, already had to comply with up to 48 different breach notification rules.
- Right to be forgotten and right to data portability.
In certain circumstances, EU citizens will now have the right to request their personal data be erased, if their data is no longer necessary in relation to the purposes for which it was collected. EU citizens can also withdraw their consent for having their data processed, which will result in the right to have their data erased.
EU citizens will also have the right to receive any data of theirs that has been provided to a company. The subject has the right to receive the data in a structured, commonly used and machine-readable format and will also have the right to transmit those data to another data controller without hindrance from the data controller who originally received the data.
Here are some ways that companies can prepare themselves for the GDPR to ensure compliance and avoid substantial financial penalties:
- Appoint a DPO.
Not all companies which process data of EU citizens will be required to appoint a DPO. For example, small, private companies that do not process data on a large scale will not be required to appoint a DPO. However, all companies that are required to appoint a DPO should do so and clearly define the job responsibilities to ensure compliance with GDPR.
- Review data policies and procedures.
It is absolutely critical that companies are aware of GDPR and the ramifications it will have on their operations. Companies should take the time to review their existing data policies and procedures to assess whether or not they are GDPR-compliant. This includes reviewing IT systems to ensure data privacy as well as reviewing data breach notification policies to ensure compliance with the 72-hour rule.
- Perform data mapping.
Companies should take the time to comprehensively document and detail data as it enters and flows through the organization. If companies process data for both EU citizens residing within EU states in addition to data subjects not meeting that criteria, such as U.S. citizens, the company should define and document the characteristics that are used to identify the EU citizens to assure compliance with the GDPR. An example of an identifying characteristic could be the data subject’s physical address.
How will EU regulators enforce the GDPR?
If the company has a physical location in the EU, it is at the discretion of the host member state to enforce the regulation. If the company does not have a physical location in the EU, the company will be required to appoint a representative, i.e. a proxy to interact with EU regulators. However, designating a representative does not apply to companies that have occasional data processing, small-scale data processing, or data processing that does not include processing of special categories of data (i.e. companies which process large amounts of data or special categories of data such as racial or ethnic origin) or processing of personal data relating to criminal convictions and offenses.
It should be noted that the GDPR guidance does not clearly define how much data can be processed by a company before compliance with GDPR is mandatory. Companies that fall close to this requirement should consider performing a cost-benefit analysis to determine whether or not the company should take the necessary steps to become compliant with GDPR.
The GDPR mandates cooperation between the lead supervisory authority and other supervisory authorities. Given the relationship between the EU and United States, this likely means EU regulators will not encounter much resistance enforcing the GDPR against companies physically domiciled in the United States.
Keiter has developed a GDPR-focused cybersecurity risk assessment program and can help benchmark your compliance and develop the policies and procedures your organization needs to comply. Interested in learning more about our assessment program? Contact our Cybersecurity Services team or Email | Call: 804.747.000
Additional Cybersecurity Resources
- Data Breach – It can happen to you!
- SOC for Cybersecurity: An Answer to Leadership’s Cybersecurity Responsibilities
- Five Reasons Why Your IT Outsourcer Isn’t Keeping You Cyber Secure (and neither is your internal IT team)
- Infosecstack: Your Collection of Free Cybersecurity Resources
- Cybersecurity: So You Think You Have A Breach
- Cybersecurity: Educate and Motivate Staff to Be Careful
- Access all of our Cybersecurity Resources
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.