Data protection: what the US can learn from the EU’s GDPR
Written by: Lee Holcomb
Originally published in TLAW Fall Newsletter
Data breaches have been in the news recently, drawing attention to the importance of data protection and privacy. While protecting data is important for individual citizens, it's especially crucial for businesses that collect, store and process personally identifiable information. As an attorney, you need to be aware of regulations governing best practices to protect the confidential information that is collected, processed or stored by your firm. It is also likely that you will increasingly be asked to advise clients on current best practices for protecting private information that is collected in their daily business operations.
While the US may have once been the global leader in providing industry regulations to guide companies, that is arguably no longer the case. The US does not have a comprehensive single body of laws or regulations that govern data security and protection. Instead, businesses operating in the US have to look to both federal laws and regulations, state laws, and industry guidelines. This is not to say that the US does not provide guidance. The US has several acts and regulations related to the storage and use of personal data, including the Federal Trade Commission Act (FTC Act), and sector-specific acts such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Sarbanes-Oxley Act of 2002 (SOX).
The EU General Data Protection Regulation (GDPR) is raising the bar and taking the lead in setting global standards and guidelines to protect personally identifiable information in a more uniform manner. The provisions won’t go into full effect until next year, but businesses across the globe are already scrambling to prepare. Although you may not practice in the EU, the impact on US businesses will be significant and potentially far-reaching.
For US businesses directly affected by the GDPR, the transition to compliance will likely be costly, both in implementation and, potentially, in fines if businesses are found not to be compliant with the requirements. But it is not all bad news, and US attorneys need to take note of the benefits of the GDPR and how it may affect US data protection standards moving forward—even if they don’t think that the guidelines will directly affect their practice. With the growing threat of data breaches, all organizations that collect, process or store personal data need to implement policies and procedures to protect data and respond if a breach occurs.
At its most basic level, the GDPR provisions require organizations to understand the type of data they are collecting, where they are storing it, and who has access to this information. Companies must also develop a plan to protect the information and deal with a breach if one occurs. These are arguably standards that should be in place for all businesses. Companies in Europe and international businesses are already starting to take steps to become compliant with the guidelines and the new mandatory provisions. As more breaches are reported on a daily basis, courts and attorneys in the US will likely look to stronger regulations and guidelines, such as those found in the GDPR, as a baseline for companies to protect personal data. Here are some things the US can learn from the GDPR.
How are US businesses affected by the GDPR?
Many international corporations will be required to comply, even if they don’t have an office in the EU. The GDPR will have a fairly broad application, applying to businesses physically located in the EU; businesses located in third-party countries; businesses that are not established in the EU but are offering goods or services in the EU (including Internet services); and businesses with “establishments” in the EU. See Art. 3 of the GDPR.
What is the biggest impact of the GDPR?
It is important to point out that many of the privacy policies laid out in the GDPR have already been in place under preexisting business requirements for companies that are operating in Europe. However, there is one new and potentially costly requirement: many businesses will be required to have a designated data protection officer (DPO). This role has the responsibility and authority to protect personal data and make sure the organization is in compliance with GDPR obligations.
It is important to note that this position is different from a Chief Information Officer in several respects. One of the main differences is that the DPO may have ideas and recommendations that are more customer-centric than other C-level positions in an organization. The DPO’s number one job is to protect customer data, not advance the business. Under the GDPR, the position is protected—a DPO cannot be dismissed for their recommendations.
Which businesses need to have a Data Protection Officer?
To be in compliance, you will need to have a DPO if your business involves any of the following, which are directly quoted from Article 37(1) of the GDPR:
the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10. See Art. 37(1) of the GDPR.
If your corporation falls into any of the above categories, it will be required to have a DPO or face potentially stiff monetary penalties. Since the regulations won’t be active until May 25, 2018, it is not entirely clear how the provisions will be applied and enforced. In order to assist organizations in becoming compliant with the GDPR, the EU drafted and adopted Article 29 Data Protection Working Party Guidelines. See Article 29 Data Protection Working Party, Guidelines on Data Protection Officers (‘DPOs’), Adopted on 13 December 2016 (as last revised and adopted on 5 April 2017). http://gdprandyou.ie/wp-content/uploads/2017/05/wp243_rev01_enpdf.pdf. These guidelines provide further clarity and examples to assist businesses in determining whether they are required to designate a DPO, as well as outlining the tasks of the position in order to be in compliance.
Some businesses may decide to appoint a DPO as a matter of good business practice, even if they are not required to do so. But beware: all DPOs will be required to comply with DPO obligations under Articles 37 – 39, even if they were voluntarily appointed. If you determine your business needs or wants a DPO, there are a couple of different routes that you can take to fulfill the requirement. You can hire a person to work in-house, contract an external DPO, or, if your business has several subsidiaries, you might even be able to have a single joint DPO. See Art. 37(2), (3) & (6) of the GDPR.
Who can be a DPO and what exactly will they do?
A DPO must be qualified to hold the position and should have expertise in data security, specifically EU data protection. See Art. 37(5) of the GDPR. There is no set standard or one-size-fits-all approach to this analysis—the qualifications and experience needed will vary depending on the type of data the organization possesses and the sensitivity of this data. In addition, the DPO will generally be responsible for overseeing the protection of data within an organization. See Art. 38 of the GDPR. The DPO will lead the plan for developing the policies and practices within the organization to protect personal customer data. They will be responsible for making sure the policies are being followed, as well as dealing with requests from the public regarding how data is being handled. In the event of a breach, the person in this position will generally be expected to notify and educate both the internal team and the public about the occurrence.
Many of the requirements of the GDPR, including the addition of a DPO, likely sound ominous and costly. The GDPR will, in effect, force companies to go through the process of identifying:
where data is located
why the data is being maintained
how it is processed
what security features would lower risk
Attorneys should focus clients on the decided upside of having a company infrastructure that is better positioned to protect company data and personal customer information. The appointment of a person who is designated to protect personal customer information within an organization will arguably hold a lot of weight in the courts and media. Organizations must fill this position with someone who has a background in technology and privacy to be compliant under the GDPR. It is also critical to have the necessary resources at the DPO’s disposal to know where customer data is located and take the steps needed to protect the data.
The Good News
There may be hidden benefits to bringing on a DPO and/or following these heightened standards for protecting data. One advantage is increased knowledge of what data is captured and maintained within an organization, which can help the company make better business decisions on how the data can be best utilized and/or protected. Yet another benefit is learning how to protect data, which can prevent a data breach crisis and marketing nightmare.
Imagine being able to prevent or contain a data breach incident because of new security features initiated by the DPO—rather than having thousands or millions of people’s data compromised, your firm or client’s company would be heralded for protecting personal information. Wouldn’t that be a preferable news headline? Although the return on investment on these preventative measures is difficult to quantify, surely some breaches will be limited, or even prevented entirely, by the heightened protections. In a time when data breaches are occurring with growing regularity, it can only strengthen a company’s reputation if it is willing to go above and beyond to protect customers.