The General Data Protection Regulation has 88 pages, 99 articles and a greater impact on U.S.-based businesses than you might think.
It’s the biggest overhaul of Europe’s data security rules in two decades, and when it takes effect May 25, companies worldwide will be impacted by a web of stringent rules covering consumer consent, data processing and breach reporting.
It also brings steep fines for noncompliance — up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. And the idea that you don’t have to worry unless your company is a multinational is wrong, says Shawn Murray, president and chief academic officer for Springs-based Murray Security Services.
Any company that stores or processes the personal data of EU citizens living in the EU (not EU citizens within the United States) must comply with the GDPR, even if they do not have a business presence within the EU.
“It’s not till people start getting burned and having to pay fines that they’re going to have to start adjusting their position on how to approach it,” Murray said. “And that’s going to be tough in the United States because it comes down to specifically [requirements] that we’re not used to.”
An example: Americans tend to think of the need for data privacy in limited terms — Social Security numbers, bank account information, driver’s license details. In fact, Colorado defines personally identifiable information “as any information that’s collected about an individual that also includes their Social Security number,” Murray said. “So if you’ve got my name, address and phone number and my age, it’s not considered PII because all of that information can be obtained online.”
However, the EU sees personal data (its term for PII) much more broadly, and will enforce its regulations accordingly. It considers private data to include name, home address, email address, ID numbers, location data, IP addresses and cookie data.
“Sensitive” data requires even greater protection and includes racial or ethnic origin, political opinions, religious or philosophical beliefs, processing of genetic data, trade union membership, biometric data, health data and sexual orientation.
The EU considers personal data protection to be a fundamental right, and has long had tighter restrictions on how personal data can be used or shared. These were spelled out in the Data Protection Directive in 1995. The GDPR further tightens data management requirements for businesses and gives greater data protections and rights to individuals.
And, Murray says, it’s designed “to hold people accountable, organizations accountable, at the very top.
“That means the CEO, the board of directors — there are criminal penalties and there are monetary penalties for organizations that do not want to comply with GDPR or are not taking it seriously.
“Depending on the level of breach or the level of noncompliance, that organization is going to pay some huge fines. … That’s what’s getting everybody’s attention.
“And as a CEO you can’t say, ‘Well, I didn’t know, I don’t work in that department — I’m the CEO,’” he added. “You’re responsible for the strategy in your organization. So if you process, transmit, collect or store PII on European citizens, you’re going to be held accountable.”
Murray said after May 25, industry insiders expect the EU to make an example out of several big companies — “and the big discussion is, Facebook is probably going to be one of the first ones.
“[The EU is] going to have to go after somebody, we’ll have to see what the fallout is — they’re very lax on their privacy details associated with how they manage information and it’s been a concern for years,” he said.
Kendall Utz, director of customer success for Springs-based fusesport, said the company has been preparing for GDPR for the past year as it pursues further expansion in Europe. The company provides the platform used by some of the world’s leading sports organizations and major sporting events to plan, manage and analyze their events, and collects personal data as part of those operations.
“[T]he most challenging part is being absolutely clear on the requirements and abiding to the new regulations,” Utz said in an email. “It certainly makes us look at what information is being collected about individuals in order to create a profile but also recognizing some of that information may need to be stripped out.”
She gave an example: “[Y]ou can basically say that you have a male athlete within an age range and possibly the sport they’re in, but you can’t give any specifics about that individual, so it does really strip out the data that we normally collect.”
Utz said fusesport had transitioned to a new database hosting system that allows the company to host information in different parts of the globe.
“So, as opposed to strictly hosting in Denver, we now can use the cloud to store data by country,” she said. “We also are increasing our internal records of data-handling processes.”
While fusesport is already accustomed to strict regulations with the EU’s Data Protection Directive, “we certainly are being pushed to understand the GDPR in depth both internally and externally,” Utz said. “The European customer base seems to be very aware of this new initiative and are holding us accountable to following the new policy. There seems to be much more stress around the topic now than I have seen in the past couple of years.”
Murray said the biggest challenge for most organizations is fully understanding what information and data they have, and how they process, transmit and store it. In addition, the GDPR only authorizes an organization to collect data that’s been approved by the individual for a specific purpose.
“Say you and I work for the same company, you work in insurance claims division and I work in system processing — just because you have a person’s claim data doesn’t necessarily mean that you’re allowed to share that information with me even though we work for the same company,” he said. “You have to only use that information or that data for what you articulated the intended purpose of that data was.”
New rules on consent
Approval is strictly defined as well. Reams of vague legalese attached to “I Agree” buttons are unacceptable — and Murray says that will force U.S. businesses to change the way they get consent from EU citizens.
“If you’re a United States company doing business with the EU using those privacy disclosures that nobody reads — they just click ‘OK’ — no,” he said. “GDPR says you have to tell the citizen or the client specifically what you’re collecting, why you’re collecting it, what it’s going to be used for, and then you have to protect it, and you have to explain how you’re going to protect it. And then when you no longer need it, you have to get rid of that data and you have to tell the individual how you’re going to do that.”
As well as new rules for consent, detailed new regulations cover data breach notification requirements, lawful basis for processing, citizens’ rights to access their personal data, citizens’ rights to request erasure of personal data on various grounds, records of processing activities, data portability, and “data protection by design and default” — which requires all privacy settings to be set at a high level by default, and includes obligations regarding encrypting, decrypting and data storage.
Plenty of smaller companies probably feel they don’t need to be concerned by what is happening in the EU, Utz said. “However, with the tech industry, a global market is so much easier to achieve and therefore it would be wise to look into the regulations and attempt to abide in order to be prepared for what is coming.”
It’s a big task for small- and medium-sized businesses, Murray acknowledged.
“But there’s only one way to eat an elephant and that’s one bite at a time,” he said. “You have to start somewhere.”
Identify the information that you’re processing, transmitting and storing first, he said. Start mapping and categorizing the data that you have in your organization. Work out what protection mechanisms you have in place for each category.
“If it’s overwhelming, hire a reputable organization and let them help you through it. It doesn’t have to cost an exorbitant amount of money,” he said. “And then watch the news, because after May 25, you’ll start seeing companies getting hit with [penalties] and it’ll be lessons learned for everybody as we progress.
“If you don’t have anything in place and you’re not moving forward — those are the ones that are going to be paying the big fines. So come up with a strategy and start doing something now.”