You recently received a flurry of emails from various websites about changes in their privacy policies. You may have wondered why you were receiving these notices. The answer is simple: On May 25, the European Union’s new General Data Protection Regulation went into effect.
GDPR is the EU’s new regulation aimed at protecting personal data and enhancing the privacy of its citizens online. Among other things, GDPR:
• Gives its citizens more say over how and when their personal information is collected, used, analyzed and stored.
• Sets limits on the processing of personal data to specific and legitimate business purposes.
• Gives citizens the right to obtain any data businesses have gathered about them and to demand they fix any inaccuracies or even erase the data.
• Requires businesses to use adequate security measures to protect this data and promptly notify users of any breaches.
GDPR will be enforced by national regulators in the EU who will have the authority to assess enormous fines for violations (i.e., the greater of 4 percent of a company’s annual revenue or approximately $24 million).
If a business obtains or uses personal data of any EU citizen, then GDPR likely applies to that business, regardless of where it is located. Although it remains to be seen how the EU’s regulators will seek to enforce the GDPR against American companies, given the close working and trade relationship between the United States and the EU, the regulation will likely be applied to many American-based companies.
Indeed, on the first day GDPR went live, a consumer activist filed a GDPR-based action against Facebook and Google, subjecting them to a potential $8.8 billion liability if the activist’s GDPR claims succeed. It is still too early to tell how these enforcement actions will play out, but businesses (and investors) dislike uncertainty, and the potential effects and impact of GDPR are wildly uncertain as of this writing. GDPR is a regulation with no court decisions interpreting it and virtually no guidance on what companies need to do to comply. Rather, it is written in sometimes technical and overly broad terms, which often raise more questions than they answer.
It is impossible to lay out all the steps to ensure GDPR compliance in a single article; however, businesses should consider the following:
First: A company’s ownership or senior management should be made aware of GDPR’s existence and its implementation.
Second: A company should assemble a GDPR task force consisting of senior management members, legal counsel, the company’s information technology professionals and perhaps the head of marketing. The purpose of the task force would be to conduct a company-wide data audit, think through how the company’s data practices are impacted and what the company needs to change.
Third: A company may need the services of a cybersecurity consultant to assist with the data mapping audit or to assess the company’s systems to better understand how it tracks and stores data.
Finally: A company should ask its insurance broker about the possibility of purchasing coverage for GDPR events and enforcement actions. It seems the insurance market is in a state of flux and uncertainty on this issue, most likely because of the staggering amount of financial exposure under the GDPR. Current cybersecurity insurance policies are likely not broad enough to cover GDPR-related losses and fines.
Anecdotally, it appears only a small percentage of American businesses are prepared for GDPR’s implementation and potential impacts.
Editor’s note: This is the first of an occasional series on the European Union’s new General Data Protection Regulation.
Brian J. Lamoureux is a partner at Pannone Lopes Devereaux & O’Gara LLC in Johnston.