Preparing for the EU General Data Protection Regulation

About a month back, I listened in on a TRUSTe webinar entitled Preparing for the EU Data Protection Regulation. The event was meant to provide advice to global organizations to help them ready themselves for changes to the European Union’s privacy regulations. The EU General Data Protection Regulation, or “GDPR” as its called, is expected to become law in late 2015 or early 2016. It is meant to modernize the personal data protection rules across the EU’s 28 member countries. Reportedly, it will address current topics like social networking, cloud services, globalization, and much more.

Should you care? The GDPR will impact any organization that gathers, processes and stores the personal data of EU residents. It most affects entities operating in the EU, non-EU entities doing business with an organization operating in the EU, and entities that store personal data in EU member countries. Breaches will have to be reported to the proper authority within 72 hours and sanctions for non-compliance can reach between 2 and 5 percent of global revenue. The most surprising take-away for me came from a webinar speaker who said that the GDPR is applicable to any US-based business that collects personal data from an EU resident visiting their website. While that may be true, the regulation is essentially unenforceable for entities with no EU presence.

The effect on the US/EU Safe Harbor program is unclear. The European Commission approved the Safe Harbor program in 2000 as a means to allow US companies to voluntarily abide by a set of principles protecting data belonging to EU residents. Under Safe Harbor, US companies have a presumption of adequacy before the EU, and data transfers from the European Community to them may continue. The Safe Harbor however falls under the EU’s Directive on Data Protection, which became effective in 1998. When the EU GDPR becomes effective two years after passage (i.e., 2018), it might render the Safe Harbor program defunct given that “regulations” trump “directives” in the EU.

While unresolved issues abound, the speakers argued that there is no reason to delay “getting your house in order.” Three points were made within this context:

• Consent as a processing basis is heading for an uncertain future. Per the regulation, valid consent must be explicit for data collected and purposes data used. Speakers advised:
  • Review your consent processes today. Once the regulation is law, enforcers will not care how and when you got your consent if it is non-compliant.
  • Seek alternative processing basis such as “necessary for performance of a contract” or “legal claim” which will both likely survive in the regulation.
• Territorial Application – As previously noted, the regulation applies to more than just EU-based entities. It also applies to the processing of personal data of individuals residing in the EU by an entity not established in the EU, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment by the individual is required, to such individuals in the EU; or (b) the monitoring of their behavior as far as their behavior takes place within the EU. Speakers advised:
  • Prepare to be affected by the global reach of the regulation if your customer database contains personal data of EU residents.
• Third Country Transfers – The transfer of the personal data of EU residents out of the EU is one area where the current rules are likely to remain largely unchanged. However, it is an area of focus from EU data protection authorities post-Snowden. Its not just a compliance issue, it is also a key part of risk management to “know where your data is” (trade secrets, vulnerabilities etc.). Speakers advised:
  • Make sure the use of European Commission model contract clauses and other grounds for transferring data out of the EU is fully compliant, understood by the organization and implemented in practice.
  • Cloud computing will continue to raise risks even as market is entering what can be termed a more “mature” phase in regard to understanding data protection compliance requirements.