Tick tock, tick tock: back and forth swings the privacy pendulum. While the U.S. continues to regress on data privacy, the European Union (EU) is taking bold steps to protect the privacy of its residents. On May 25, 2018, the General Data Protection Regulation (GDPR) becomes the law of the land in the EU. It applies to any company that processes or holds personal data on EU residents, regardless of where that company is located in the world. Popular applications such as Facebook, Twitter, and Airbnb are among the services that will be directly affected. If you do business with EU residents, wherever you happen to be, this law applies to you.
Penalties of Up to 4% Annual Worldwide Revenue
A GDPR violation can expose the offending entity to fines of up to 4% of its annual worldwide revenue or 20 million euros, whichever is greater. Larger organizations have a lot to lose, so it is of paramount importance that they start preparing for these requirements now.
The GDPR applies both to the company that decides why and how personal data is used (the controller) and to any company that processes an EU resident’s data on its behalf (the processor). A controller cannot simply hand data to a third-party vendor and “wash its hands” of responsibility. In the regulation’s words, a controller entrusting a processor must obtain “sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation.” In practice that means a written contract with each vendor and a record of what each vendor does with the data; simply not having your records in order could expose your organization to substantial fines.
Breach Notification Within 72 Hours
The regulation draws a clear line: within 72 hours of the controller becoming aware of a personal data breach, it must notify the supervisory authority (Article 33), and where the breach is likely to result in a high risk to the individuals concerned, those individuals must be told without undue delay (Article 34). Companies that hold back notification until they have decided how to position or “spin” the incident publicly will be violating the intent, and possibly the letter, of the regulation.
In October 2016, according to an article on decisionmarketing.co.uk, TalkTalk, a U.K. telecommunications provider, was fined 400,000 pounds for failings related to a data breach. The fine was levied by the Information Commissioner’s Office (ICO), the independent U.K. authority set up “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” An article on the ICO website quoted Information Commissioner Elizabeth Denham as saying, “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” Under the GDPR’s 4% ceiling, the same breach could have drawn a fine of roughly 70 million pounds.
The GDPR also raises the bar for the notification itself. The communication to affected individuals must describe, in clear and plain language, the nature of the breach and its likely consequences, the measures the company has taken or proposes to take in response, and recommendations for what each individual can do to mitigate the adverse effects.
Right to Be Forgotten
Article 17 of the GDPR gives EU residents the right to wield a personal “eraser” by requesting that a company delete the personal data it holds on them. The same obligation is triggered when the individual withdraws the consent on which the processing was based. The company must honor the request without undue delay, subject to a few exceptions. If it has made the data public or passed it on to other parties, it must also take reasonable steps to inform those parties that the individual has asked for the data, and any links to or copies of it, to be erased. The exceptions are where the regulation’s balancing act lies: the right to erasure yields, for example, to freedom of expression and information, to legal obligations, and to tasks carried out in the public interest, so a company fulfilling an erasure request must weigh the individual’s right to be forgotten against the public’s right to access that data. Legal scholars will be arguing over where that balance falls for the indefinite future.
Consent
When obtaining consent to collect personal data, burying the terms in a complicated legal disclaimer will no longer be acceptable or legal. Websites have long required users to tick a box at the bottom of the screen and treated that click as a shield against any legal exposure, but this paradigm will no longer work. The regulation requires that a request for consent be clearly distinguishable from other matters and that it be plain exactly what the individual is consenting to; consent bundled into a longer agreement or inferred from silence or a pre-ticked box does not count. It must be as easy for the individual to withdraw consent as it was to give it.
Full Transparency and Data Minimization
Under the GDPR, individuals have a right to know who is processing their information, where it is being processed, and why it is needed. Just as you can order a free credit report under U.S. law, EU residents are entitled to a free copy of the personal data a company holds on them, delivered in a commonly used electronic form when the request is made electronically. Companies may collect only the information that is necessary for the purpose they have stated. To quote the law: “Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation.” A company can no longer ask you for data it does not need to fulfill the service it is providing.
Built With a Foundation of Privacy
The GDPR requires that data protection and privacy be built into the design of an application from the start, not bolted on afterward. The application’s default settings must be the most secure and private ones; a customer has to choose, overtly, to make them less private. A system should process only the data required to fulfill the service (data minimization), and access to that data should be granted only to the people and components that need it to accomplish the stated task.
Data Portability
In the U.S. today, a cellphone number can be moved to any service provider at any time. Under the GDPR, EU residents have a comparable right to receive the personal data they have provided in a structured, commonly used, machine-readable format and to have it transmitted to another controller if they so choose. The bottom line is that the individual, not the company, controls the data and can take it elsewhere at his or her discretion.
Hire/Lease a Data Protection Officer
Under certain circumstances, appointing a data protection officer is mandatory: for public authorities, and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health or criminal records. Given the potential for fines as a percentage of worldwide revenue, it is prudent for any organization that processes or holds information on EU residents to obtain the services of a professional, experienced data protection officer, whether hired or contracted. There is as yet no clear direction on certifications for this new profession.
What Does the Future Hold for GDPR and the U.S.?
As more and more of our personal lives are captured by the applications we use every day, it is inevitable that U.S. law will adopt some of the approaches pioneered in Europe that emphasize individual privacy and personal data ownership. The U.S. will eventually take more stringent steps to protect the privacy of its citizens as business in the cloud becomes more ubiquitous, and the idea that data collection should be limited to what is necessary to fulfill a transaction will soon gain support.
Data minimization is one of the tenets of the new GDPR, and the U.S. would be wise to consider similar legislation. In the short term, it is incumbent on companies that routinely conduct business in the cloud to take inventory of where and how that business is conducted and what personal data flows through it. With fines of up to 4% of global revenue, the GDPR sends a strong message that personal privacy is of paramount importance. Moving forward, it will be prudent for all companies and their cloud vendors to prepare to meet the requirements of the GDPR and the changes that are sure to follow in the U.S. as a direct result of these new regulations.