As you know, unlike MFIDII or other pan-European regulations, the General Data Protection Regulation ( GDPR ) reaches beyond the EU and impacts those businesses that formerly thought they were safely ensconced in the U.S. For some, they are still wondering if they have to comply with it….I mean, shouldn’t they be getting a letter in the mail or something? But then, there are the rather large fines they might hear about…20MM EUD or $28MM USD depending on exchange rate and, all of a sudden, the veil of willful ignorance must lift and they must ask: What about us?
What is GDPR and why does it exist?
The short answer to that question is public concern over privacy. The EU has long had more stringent rules around how companies use the personal data of its citizens. In 1995, the EU enacted the Data Protection Directive. This was well before the Internet became the constant data marketplace that it is today. Consequently, the directive is outdated and does not address the many ways in which data is stored, collected and transferred today. Thus, the EU Parliament adopted the GDPR in April 2016, replacing the outdated data protection directive from 1995. GDPR consists of 11 chapters and 91 articles that outline the requirements and regulations required of businesses to protect the personal data and the privacy of EU citizens. GDPR also regulates the exportation of personal data outside the EU. The regulation is consistent across all 28 EU member states, which means that a company, thankfully, has just one standard to meet within the EU.
Foreign companies that collect data on European Union (EU) citizens must also comply with GDPR. More specifically, if a non-EU company processes any personal data from EU citizens, then the company must comply with the regulation because it is subject to the aforementioned fine. If your company is in the clear, then rejoice; but I still encourage you to continue reading because this will prepare you for that moment when your company works with EU customer data. For further consideration, if your company is U.S. based, with each Facebook debacle we are inching closer toward stricter data privacy regulation in the U.S.
Compliance with GDPR will cause some concerns and new expectations of your security team because the regulation takes a wide view of what constitutes personally identifiable information. Your company must utilize the same level of protection for data such as an individual’s IP address or cookie data as it does for name, address and Social Security number. Like any regulation, it is an inch deep and a mile wide with a lot to be desired in interpretation and candor. GDPR states that a company must provide a “reasonable” level of data control for personal data, but does not define what constitutes “reasonable”. This ambiguity gives EU’s GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
What types of data does the GDPR protect?
- Basic identity information such as name, address and unique ID numbers
- Internet data: GPS location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Kids are a special case. A company needs parental consent to process and store children’s data. A child is classified as anyone under 16, but EU member states can lower this to 13.
How does GDPR define “data control”?
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize the exposure of a data subject’s identity
- Implement data security measures and “right to erasure”
GDPR states that data can’t be kept indefinitely. It requires a company to completely erase data when a data subject revokes its consent or a third-party requests data deletion or a third-party agreement comes to an end.
Which companies do GDPR affect?
The regulation affects any company that stores or processes personal information about EU citizens even if it does not have a business presence within the EU. Specific criteria is below:
- A presence in an EU country
- No presence in the EU, but it processes personal data of EU citizens
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, or includes certain types of sensitive personal data
Come again? The last criteria effectively encompasses almost all companies with less than 250 employees because it’s interpreted as any company processing, storing and exchanging data points on EU citizens.
When does my company need to be in compliance?
By now, you should have a good inclination about your company’s requirement to comply with GDPR. Your company must be compliant with GDPR by May 25, 2018.
Who within my company is responsible for compliance?
The GDPR regulation defines several roles that are responsible for ensuring compliance:
- Data Controller: defines how personal data is processed and the purposes for which it is processed. It is also responsible for ensuring compliance by third party contractors.
- Data Processor: internal or external groups that maintain and process personal data.
- Data Protection Officer (DPO): oversees data security strategy and GDPR compliance
- GDPR simultaneously holds Data Processors liable for breaches or non-compliance. It’s entirely possible that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner. Yes, GDPR just injected third-party risk to your data processing and storage strategies and ultimately changes your company’s third-party selection and business interactions.
How does the GDPR affect my company and its third-party service providers?
The GDPR regulation places equal liability on a Data Controller (a company that owns the data) and a Data Processor (third-parties that manage or interact with a Data Controller’s data). The regulation is interpreted as such that a third-party Data Processor not in compliance with GDPR equals your company isn’t in compliance.
This means that all existing and new agreements with third-party Data Processors (IE, cloud providers, SaaS vendors, or payroll service providers) must explicitly declare data responsibilities within the GDPR structure. Also, agreements must define data management and protection processes, and data breach reporting.
GDPR has strict rules for reporting breaches:
- Notify authorities within 72 hours
- Describe the consequences of the breach
- Communicate the breach directly to all affected subjects
Seemingly, GDPR should change the mindsets of your business and security teams toward data accumulation, management and usage. Your company probably views data and processes as assets, but GDPR regulation should shift that mindset.
What happens if my company isn’t in compliance with the GDPR?
GDPR allows for steep penalties ranging from 10-20MM EUD or 2-4% of global annual revenue for non-compliance. If your company isn’t compliant due to technical measures, the fine imposed may be up to 10MM EUD or 2% of global revenue from the prior year, whichever is greater. If not compliant due to key provisions of the GDPR, such as transferring data to third-parties with inadequate data protection measures, fines imposed may be up to 20MM EUD or 4% of global annual revenue from the prior year, whichever is greater.
What should my company do to prepare for the GDPR?
Conduct a risk assessment.
You want to know what data you store and process on EU citizens and understand the risks around it. Your risk assessment must outline measures taken to mitigate those risks.
Create a data protection and breach reporting plan.
Your company may already have a plan in place, but it must review and update it to ensure that it aligns with GDPR requirements. Data breach reporting is one of the trickiest areas of GDPR compliance, especially given the short timeframe of 72 hours because your company will still be trying to figure out the scope of a data breach and the appropriate response during that timeframe. Given the required rapid response, it’s best to have a preexisting relationship with the appropriate contact points.
Hire or appoint a Data Protection Officer (DPO).
GDPR doesn’t clearly state whether the DPO needs to be a discrete position, so presumably your company can appoint someone as long as that person can ensure the data protection with no conflict of interest. In practical terms, this means that your IT manager or director, CTO or security manager are bad choices for your DPO. Sensible options include your head of finance, risk or legal, while someone like your marketing manager may have a conflict of interest . Your DPO doesn’t need to be someone within your company and so it may be easier to appoint a lawyer or external expert. GDPR states that a DPO may work for multiple organizations, so even HLC could function in such a role.
Conduct privacy training.
When it comes to GDPR compliance, your legal or compliance departments can’t do it alone. Instead, any department or employee at your company with involvement in processing personal data must be involved and trained appropriately about the GDPR.
My company is a charity or not-for-profit.
The ability to collect personal data and contact individuals is the lifeblood of the charity and not-for-profit sectors. Under GDPR, any enterprise must be compliant with the rules, whether a for-profit or not-for-profit.
Work with a GDPR consultant.
Smaller companies will be affected by GDPR, some more significantly than others. If your company is small, then it may not have the resources necessary to meet GDPR’s requirements. HLC is available to provide advice and technical expertise to help you through the process and maximize internal resources.
GDPR isn’t a simple checklist or one size fits all framework, it speaks in terms of broad standards instead of specific rules, requiring your company to take measures for compliance. Those measures will vary from one company to another. GDPR is a comprehensive legal and regulatory framework that imposes complex initial requirements and ongoing duties upon your company. Compliance is a marathon, not a sprint.
HLC, LLC is a strategic partner of NCS Regulatory Compliance
Eric Hess has over fifteen years of experience acting as senior in-house counsel, general counsel or senior management for exchanges, broker dealers, and financial services technology providers. He has a proven track record of meeting business and legal goals, including creating legal, compliance and technology & operational risk management functions, designing compliant trading technology, advocating for regulatory change, closing transactions, navigating challenging issues, managing regulatory inquiries & investigations and facilitating company growth, both organically and through strategic transactions. Specialties: Equities, options, futures and cleared swaps regulation; hedge fund, broker dealer and markets regulation; technology and operations risk management; contract negotiation; technology transactions; regulatory examinations, inquiries & investigations; dispute resolution; corporate governance, mergers & acquisitions; intellectual property; lobbying; and financing transactions. Mr. Hess holds Series 7 and 24 licenses and is admitted to practice in the States of New York and New Jersey.