If you work in compliance or regulation and haven't heard of GDPR by now, you are well behind the power curve.
First, a little history. GDPR was enacted on 25May2016 and will be fully enforced on 25May2018. The two years in between are designed to give companies worldwide time to become compliant and plan for the impact that GDPR will have. Consider GDPR a massive improvement in PII (Personally Identifiable Information) protection, as well as in the definition of what counts as PII under GDPR guidelines. The first thing you need to know is that the "G" in GDPR stands for General; however, the way the regulation is written, its reach is global. This means that if you handle any GDPR-covered information about an EU or UK citizen, regardless of where you are in the world, you fall under GDPR and its possible penalties. Additionally, if you are located in the EU and process data from non-EU persons, it still applies to you. GDPR penalties are nothing to laugh at either, given that the fines are up to $26MM or 4% of your organization's global gross revenue, whichever is greater, depending on how badly your company screwed up.
So, to make it easier to understand: if you deal with EU data, GDPR applies to you. If you are in the EU and process data from outside the EU, GDPR applies to you.
If you deal with regulations, you know very well how much fun it is to read hundreds of pages of boring content. To make it easier, I refer people to gdpr-info.eu, which takes the regulation and breaks it down for easier searching, reading and referencing.
Having said that, GDPR can be complex! Data controllers have quite a few responsibilities, including an obligation to ensure that their processors follow the rules as well. Take a look at the image below, which shows just some of the complexities of being a controller.
In a nutshell, though, what is GDPR? GDPR takes all the current PII definitions and expands on them. The short story is that if you hold any sort of personal information that can be attached to a name, so that you can determine who that person is, then you have a GDPR situation. So, say I have the name "Tom Jones" (not the famous singer) and I happen to have the email address "[email protected]"; I could then attach the name to an email address and would be under GDPR. This means I would have to be able to prove a number of things: 1. how I got the information, 2. why I have the information, 3. what I am going to do with the information, 4. how I protected the information, 5. whether or not I gave the information to anyone, 6. how I destroyed the information, 7. every aspect of how I processed the information. To put it subtly, this is HUGE!!!
The above scenario also applies in a variety of other ways, such as having, or having knowledge of, a person's:
You will also need to understand three main classifications of entities. The first is the data subject: the human being that the information is attached to. The second is the controller. A controller is the entity that receives the sensitive information from the data subject for processing, and that processing should be in line with the consent form the data subject filled out. The last is the processor. A processor is an entity that performs one or more tasks on behalf of a controller and is under contract with that controller to perform those tasks and to protect the data to the same, or better, standards. Note that some controllers can also be processors. For example, ADP (the payroll company) probably doesn't outsource its own payroll to another company, which would make ADP both a controller and a processor. Conversely, any company that outsources payroll to ADP is a controller, and ADP is a processor for that company.
So, what do you or your company have to do to become compliant, or at least get closer to compliance? Quite a few requirements have become mandatory, both because of the language of the regulation and because of the penalties.
At the time of this writing, 70-80% of US-based businesses and over 50% of EU/UK businesses are not ready. Those that are the most ready have been preparing for over 2 years. This means that fines and penalties (including confinement) are a real possibility. You will see companies going on a massive spending spree for security-related appliances and services. The GDPR regulatory bodies are designed to be self-funding, surviving on the fines they collect; this means there will be an active search for GDPR violators.
You should also understand that GDPR is an overlay regulation. This means that you could be fined under GDPR and then receive additional, more stringent, country-level fines.
So, knowing that funding is based on fines, should you be concerned? Yes...ABSOLUTELY! The cost of compliance is far cheaper than the costs associated with sanctions. For example, we have already discussed how GDPR can impose a fine of up to $26MM or 4% of global gross revenue (whichever is higher). On top of that, there may be country, state or province laws that are even more stringent and include criminal charges. For example, GDPR requires breach notification within 72 hours, but Belgium requires it within 24 hours. GDPR allows 30 days to respond to a data subject request, but Ireland allows 21 days. Belgium has an additional 800,000 Euro fine for failing to register as a controller (Germany has a 50,000 Euro fine and Ireland a 100,000 Euro fine). GDPR doesn't necessarily specify a statute of limitations, but Ireland does. GDPR sets tough cookie and spam requirements, and they only get tougher with an extra 800,000 Euro fine from Belgium if you are located there. The UK requires a warrant to enter premises when investigating a data protection incident, yet GDPR doesn't say one is needed, and Germany and Ireland specifically DON'T need a warrant provided the entry is during business hours.
What happens if you get caught? Naturally, you should immediately show an "attitude of compliance" and offer your complete support for the investigation. Even if this results in temporary downtime or lost productivity, you should show that you are "very concerned" and want to offer any support needed to bring the investigation to a speedy close. Remember that the Supervisory Authority has timelines to meet as well; if you slow the investigators down, they will have to deal with that, and the investigation will likely become considerably more uncomfortable. The short story is: provide the absolute best example of compliance and cooperation possible. Hold nothing back and keep no secrets from the investigators. Let's not forget that you should also immediately alert your legal team.
You should also honestly ask yourself whether you deserved to get caught. Did you prepare for GDPR? Did you even attempt to conform with GDPR in a timely manner, or did you only start to care 3-4 months before 25May2018? Do you honestly know you have areas needing improvement but just "haven't gotten around to it"? Can you effectively demonstrate that you truly care about protecting data and about the lawful processing of that data? If you made no attempt and simply hoped the regulators would never find you, then you truly deserved to get caught. Data protection should never be treated with anything less than extreme seriousness. The cost of compliance will always be less than the cost of sanctions. Think of it this way: if you leave your house unlocked and get robbed, the police or your insurer will probably not look favorably on your lack of care in protecting your own valuables.
What happens if you receive sanctions? Well, first, the sanctions can be "up to" $26MM or 4% of global gross revenue (whichever is greater), but that doesn't mean they will immediately jump to $26MM. For smaller companies, $26MM may simply not be possible and would put the company out of business. This means jobs would be lost and possibly families put at risk. Aside from a situation where it is safer for the public that the company is literally put out of business, it seems counterproductive for a government organization to make the unemployment numbers worse. This doesn't mean sanctions won't occur, just that they may be of such a nature that the message of why they occurred is effectively delivered without destroying the entire company. Your company should also consider negotiation and any available appeal process to help reduce the sanctions, or propose paying any fines or penalties over time rather than all at once. Assuming none of that works, you should figure out how you are going to pay those fines. The end result is that if you don't pay the fine and are in the EU, you will be prohibited from running your business. If you are outside the EU, you can be prohibited from processing any EU data at all, which may well hit your company harder than just paying the fine. Additionally, you will also have to deal with the reputational and political risk to customer trust. You will likely want to engage a professional PR firm that specializes in reducing that kind of damage. What you absolutely should not do is be anything less than truthful with your customers. GDPR and various country laws will require disclosure to affected individuals, but you should consider being proactively upfront about the situation and showing that you are dealing with the issue in a positive, proactive and honest manner.
The end result is that unless you are willing to sacrifice all business opportunities with numerous first-world, industrialized and wealthy countries, you should figure out how you are going to pay that fine. You should also understand any local country laws you may be in violation of that could lead to criminal extradition proceedings, or simply know which countries to avoid on vacation. Having said that, the EU is cooperative, so deciding not to go to Belgium, for example, because you violated its criminal data protection laws may also leave you not wanting to visit the EU at all, for fear of being arrested in Spain and then sent to Belgium.
This article doesn't cover all aspects of GDPR, just the highlights. If you even suspect that you may hold GDPR data, you are encouraged to contact us. Arrakis has experience bringing companies closer to GDPR compliance and can help you resolve your GDPR issues before they become a serious problem. Arrakis has provided GDPR consultation to numerous Fortune 500 companies to help achieve this goal. Contact us today so we can help you help yourself!
Hear the GDPR interview with priceofbusiness.com here.
Read the GDPR interview with www.paymentssource.com here.