Six months have now passed since the implementation of the EU General Data Protection Regulation (GDPR). The GDPR has raised awareness of the importance of personal privacy as a fundamental right and placed data protection high on the agenda of many management boards, both within and outside the European Union (EU). In particular, the GDPR’s significant extra-territorial scope and its headline fines of up to four percent of global revenue have prompted U.S. organizations without a presence in the EU to assess their exposure to its rules. U.S. businesses with EU subsidiaries, branches or other arrangements are finding that compliance with local EU laws requires much greater efforts.
Facing a seemingly rigid compliance deadline and no formal grace period, many organizations focused their attentions on making changes to public-facing privacy policies in the run-up to the May 25, 2018 GDPR implementation date. They frequently set out — in much more granular detail than had previously been the case — the nature and purposes of, and legal bases for, the processing of personal data, while also publicizing clearer policies on data retention and sharing with third parties. For many organizations, the last six months have been spent aligning the public commitments made in external privacy policies with their internal processes and procedures.
The GDPR introduced some new and enhanced rights and principles which require changes to internal procedures and systems. While many of the rights (such as the right to access and right to erasure) are easy to state in outline, understanding their true nature, scope and practical business impact is a much more engaged process. Technology changes, coupled with detailed record-keeping and internal audit trails, are time-consuming and expensive to implement and maintain — and, consequently, companies tend to overlook them. While many aspects of GDPR compliance have taken the form of a “re-papering” exercise, the challenges in becoming compliant are generally much deeper. After six months, businesses need to move towards thoroughly operationalizing GDPR and creating a GDPR compliance culture.
Even organizations with relatively well-developed internal policies and procedures have found integrating those policies to be challenging. It is often difficult to simultaneously address changes to policies aimed at customers or employees and changes to those governing internal data handling and retention. Moreover, in many organizations, particularly those which operate in multiple jurisdictions (and languages), such policies are under the purview of different business units — such as IT, security, finance, operations and HR — which may not be aligned to one overall privacy compliance project. Therefore, finding a common language (in more than one sense) for the policies is often difficult.
Where Are the Fines?
It is still too early to gauge regulatory appetite for the top-tier fines of up to four percent of global revenue. In the coming months (and certainly by the GDPR’s one-year anniversary), the results of investigations and enforcement actions will start becoming clear. The fact that large fines have not yet been issued should not be regarded as indicative of limited regulatory appetite. It was always unrealistic to expect fines to be issued immediately. Non-compliance needs to be reported (typically because of a data breach or customer complaint); regulators need to carry out their investigations and provide, where appropriate, an opportunity for organizations to implement the required remedial steps and/or make representations to the regulators on the appropriate sanctions. These processes are still working their way through the system.
Key Stress Tests in Coming Months
Many businesses in the U.S. and in the EU have already been exposed to significant stress tests in a number of areas.
Data Subject Rights Requests
Upon the GDPR’s implementation, many organizations received an influx of data subject rights requests from present and former employees and customers. Many organizations do not possess the level of granular detail about their processing operations — including the nature, location, security requirements and, most fundamentally, the business drivers and legal grounds for collecting and processing personal data — that they need to respond accurately or efficiently.
Organizations which have only made superficial policy changes will lack the deeper understanding of both the internal business processes and the grounds for processing underlying these requests. This has made responding to such requests much more time-consuming, and in certain cases has led organizations to fulfill requests by default to save administrative burden. This is far from ideal, since some data categories processed about an individual are likely to be outside the scope of certain rights, notably the right to erasure. Moreover, there may be legitimate business reasons for retaining such data. Relatively simple rights requests can quickly expose deficiencies in (or the complete absence of) data retention policies required under the GDPR. Where the subject access requests are made as a precursor to, or in parallel with, litigation, the stakes can get significantly higher. The internal and external resource costs in carefully responding to such requests can be significant.
The harshest spotlight on data privacy compliance efforts is a data breach. Media attention is often focused on large-scale breaches involving millions of records containing financial and sensitive personal data. However, the GDPR defines a data breach extremely broadly, and practically any unauthorized access to personal data (including within an organization) can amount to a notifiable breach under the GDPR. As a result, the last six months have seen a significant number of reported breaches, with some European regulators handling between six and twelve breach notifications each day. The GDPR imposes a well-publicized default period of 72 hours during which the appropriate regulatory authority must be notified. This frequently exposes, in real time, knowledge gaps within an organization in a number of areas. These can include fundamental data management issues, such as the nature and location of the personal data held and processed, security arrangements and internal processes. They can also include issues which have been overlooked or have not been sufficiently thought through, such as:
- the location of the main establishment of a business which operates in multiple EU jurisdictions (critical in determining which national regulator to notify).
- the requirement to appoint a representative in the EU (which is required for organizations which are not established in the EU, but are within the GDPR’s extra-territorial scope under the “offering goods or services” or “monitoring behaviour” tests).
- the availability of suitable local forensic experts and legal counsel, along with implementation of the requisite data transfer agreements for the transfer of personal data for analysis outside the EEA.
Many businesses have found it difficult to paper over some of the internal compliance gaps during the breach response process. Records of processing activities (required under Article 30(1)) are often overlooked and typically need to be produced in very short order in response to queries from regulators. There are some areas (for example, staff training on data handling and breach response) which simply cannot be papered over.
More broadly, a breach will often expose gaps in a data controller’s knowledge relating to its processors and/or contracts which may not comply with the GDPR’s prescriptive requirements under Article 28 or appropriately document the nature and scope of the processing activities. While a relatively small minority of organizations have fully developed and tested incident response plans, a far greater number find themselves putting these procedures in place in near real time.
The lack of timely, concrete guidance from regulators in the run-up to the GDPR’s implementation date has resulted in inadequate (or unnecessary) implementation for many businesses. This has been especially true in respect of the uncertainties regarding the GDPR’s extra-territorial scope.
Some organizations have (mistakenly) assumed that any personal data about EU individuals is subject to the GDPR, leading, in some cases, to unnecessary restrictions. To avoid undertaking unnecessary (or over-broad) compliance burdens, organizations should invest the time to understand where their business processing operations fit within the GDPR’s three-limbed territorial applicability test.
Other organizations have dismissed the need for compliance on the basis that they do not have a subsidiary in the EU, without fully appreciating that the notion of “establishment” is much wider. After some delay, the European Data Protection Board has finally published its draft guidance on the territorial scope of the GDPR, which is out for public consultation. The guidance highlights the basic point that the GDPR cannot be the single reference point or ‘how to’ guide for EU data privacy compliance. It needs to be understood in the broader context of EU law concepts and how they have been interpreted by the Court of Justice of the European Union — particularly relevant in understanding the scope of EU establishments and the “targeting” criterion. We will publish our summary of this guidance separately.
National vs. Cross-Border Privacy Compliance
Businesses could be forgiven for thinking that one of the virtues of the GDPR was that it harmonized data protection standards across the EU, even if those standards were more onerous. While this is certainly true in many respects, businesses must not lose sight of the areas in which EU member states retain the freedom to set their own rules, not least because this tends to involve more sensitive data processing.
All businesses will process the personal data of their employees and workers, yet this is one of the areas in which there are likely to be a significant number of local law requirements which modify or supplement the GDPR’s general rules. The GDPR expressly provides that the lawfulness of conducting data processing relating to criminal background checks (which are generally less common in the EU than the U.S.) must be set out by member states. Other areas in which cross-border businesses should be vigilant of local law requirements are in appointing a data protection officer and in the exemptions and derogations to complying with data subject rights requests.
The Other Half of Privacy Compliance — Cookies and Consent
Market practice is (for good reasons) moving towards providing website visitors (or app users) with more sophisticated and granular controls over cookie consents. Many websites are starting to make use of modal dialog controls (often provided by external providers) which allow users to toggle consent to performance, functional and advertising cookies. Moreover, many businesses are providing greater transparency on their use of third party cookies by setting out which third party cookies they allow on their site, with links to these organizations’ privacy policies and opt-out mechanisms. These trends are likely to be motivated in part by legal requirements (i.e., higher consent standards), but also the EU’s ePrivacy Regulation, which may well make such controls mandatory for all websites and platforms. Again, GDPR compliance has required many organizations to go beyond the text of the GDPR and understand the interplay with other EU laws and their local implementing legislation.
On the Horizon – Beyond GDPR
Implementing GDPR compliance initiatives is time-consuming, costly and (despite the punitive headline fines for non-compliance) often does not get prioritized appropriately by many businesses. However, there are longer-term benefits to this short- to mid-term burden, most obviously around reducing the risk of enforcement action, protecting brand value and reputation, and meeting customer and client expectations.
More broadly, we are seeing gradual harmonization upwards towards EU privacy standards across the world. For example, Japan has harmonized its laws to EU standards and forthcoming changes in the United States – currently the state of California, but potentially at a federal level – also reflect a move towards GDPR standards. Identifying the appropriate compliance strategy requires a delicate balancing of strict legal compliance and the need for flexibility and freedom in processing operations in multiple jurisdictions. During the next six months, U.S. businesses will need to look beyond the GDPR’s rules and monitor EU regulatory enforcement activities, local implementing legislation and emerging market practice in determining the appropriate balance.