The new General Data Protection Regulation (GDPR) is now less than five months from going into effect and still, I’m not sure we all know what exactly that means. As of May 25th, the current EU Data Directive, as well as the directives in all EU member states, will be replaced by this new regulation and some serious consequences will then be able to be imposed.
The GDPR introduces a single privacy framework that applies across all EU member states, as opposed to the current 28 or so policies that currently exist for each EU country. The idea is that having a single and consistent set of data protection compliance obligations across the EU will make it easier for European citizen’s data to be safeguarded. The reality is that having a regulation rather than a directive allows for heavy penalties and all of a sudden the many various ways we were getting by before on protecting data are no longer good enough.
For me, working oversees, I was most accustomed to complying with the EU Data Directive 95 but I also often had to concern myself with the data privacy guidelines in Italy, Germany and France since those were other countries which seemed to have a lot of data and very strict privacy policies.
So, what specifically is different with the GDPR than in other EU privacy rules? These are the big differences, in my opinion:
- Expanded territorial scope, including EU based as well as non-EU based companies
- Expanded rights of individuals
- Right to obtain a copy of data
- Right to be forgotten
- Imposable high fines and a broader range of powers for data protection authorities
- Stricter rules for acquiring and retracting an individual’s consent
- Stricter breach notification rules
Let’s start with the penalties for non-compliance to the GDPR as those fees are terrifyingly high. As of May, failure to properly protect (‘properly’ according to the new rules of the GDPR) EU citizen’s personal data could result in fines up to 4% of the company’s annual earnings or 20 million euros – whichever is higher. What? Yep, whichever is higher.
Any violations relating to internal tracking or records management, data processor contract issues (like failure to have a contract), lack of received citizen consent, data security and breach notification delays or failures, lack of an appointed data protection officers, failure to make citizens data accessible to the citizens themselves, and many other potential failures could result in a claim against the company which will be thoroughly investigated. And then the company could get fined. Millions of dollars. Per violation. 20 custodians/citizens could conceivably mean 20 fines. But let’s hope it doesn’t come to that, right?
Another key change is how we acquire and manage consent for collecting, using and storing EU citizens’ personal data. The GDPR stats that data subjects must give consent in all cases by
“A clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as by a written statement.”
Be warned, if you try to read the GDPRs outright, all the language is as wordy as that.
Going forward, companies collecting personal data will bear the burden of proof that they received consent, which will likely mean new and improved tracking and data management policies for those companies. Failure to produce this proof of consent can result in penalties. The GDPR also states that if data is collected or used for multiple purposes, there must also be multiple consents received.
As with receiving confirmed consent, another important change to note is that once consent is given, there must also be an easy way to remove that consent. I may change my mind and I have the right to do that. Well, not me, I’m a US citizen, but you know what I mean. So this will mean a change not only to the way that we collect consent – we also now need to create a way for people to change their minds.
Personal & Sensitive Data
The GDPR has a new definition for personal data and it is more expansive than the other 28 privacy policies combined. The definition will be: any information relating to an identified or identifiable natural person. Huh, well that’s vague.
Actually, not really. The GDPR goes on to fully define what is now considered collectable personal data. The below categories are now defined as personal information:
- Identification number (SS#, driver’s license, school id, etc.)
- Location data (home address)
- Online identifier (e-mail address, screen name, IP address, device IDs)
- Pseudonymous data (using a key to identify individuals – if this, then that that can be tracked back to a person)
- Genetic data (biological samples like DNA or key markers)
- Biometric data (fingerprints, facial recognition, retinol scans)
The genetic data one reminds of a CSI episode and the last one feels like doing discovery in a James Bond movie, but they are real and with medical and pharma data being so sensitive, the GDPR is ensuring that this information is also protected.
An important emphasis here is that companies need to not only understand how the GDPR defines personal data but they also need to understand how those definitions relate to data that they collect and store.
In addition to the genetic and biometric data being newly called out as personal, the GDPR ensures the definition clearly identifies online identifiers and location data as personal. These were issues many people felt were unclear in the EU Data Protection Directive.
Sensitive personal data revealing racial or ethnic origins, religious beliefs, sexual orientation, political opinions, or health information (what we traditionally called personal) are now elevated to sensitive personal data and in the GDPR these items now require even more explicit or overt consent to collect or use.
Controller and Processor
For eDiscovery providers, like myself, one of the biggest changes in the GDPR is in regards to data controllers and processors. Having worked in the UK for several years, I always considered the client the data controller and my company as data processor. With this consideration, I had certain obligations to protect the data being processed (encrypted data transfer, encryption at rest, access/right management, breach alerts and notifications, etc.) but ultimately I was just processing data, I didn’t bear the full brunt of data protection responsibilities as the controller did and I wasn’t liable for data directive levied penalties. Now I am.
To define the terms, a data controller determines the purposes and means of processing the data and a data processor processes that data on behalf of a controller.
Under the GDPR, I, as a data processor, now have increased compliance obligations and as of May 25th, 2018 am now subject to fines and other penalties. As a data processor, this will definitely impact the way I do business and will likely change the contracts I have with some of my multi-national clients and partners.
These new compliance obligations will ensure I exercise a greater interest in ensuring that the scope of my client’s (controller’s) instructions is clear and that they met their own obligations under the regulations. I will need to know that they know what data they are sending me and that they received proper consent from citizens to send me the data. While I have had to ask about the data coming out of the EU before, I did not have to ask too many questions about how they acquired that data.
This will also mean more internal auditing at my company to ensure that if we get personal data from the EU that we can secure it, maintain it, define how we’ll use it, grant access if requested and remove it under direction. I imagine that this may mean eDiscovery vendors are more selective in which data they are willing to work with and at the very least, it may result in higher eDiscovery fees as the effort to process this data is now much more specific and the penalties for failing to meet those levels are super high. It’ll be interesting to see how we, in eDiscovery, manage this going forward.
So, the idea was to simplify data privacy, but it definitely seems really complicated for eDiscovery. Especially the expanded definitions of what constitutes personal data. I mean, email addresses? That seems like a lot. It makes sense, it does identify someone, but does that mean we have to anonymize or redact every email address going forward. Does it count for work email addresses? Where exactly is the line and how do we navigate these new rules?
Going forward, we know that we have to better partner with our clients to help them answer some very basic GDPR questions on the data we receive. Having these answers will help us ensure that they, and we, are GDPR compliant.
- Discover—identify what personal data you have and where it resides
- Manage—put rules in place to govern how personal data is used and accessed – including consent requests and storage
- Protect—establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
- Report—execute on data requests, report data breaches, and keep required documentation accessible at all time
With these 4 strategies/data points at the ready, my hope is that the GDPR, while it may be tougher for our clients and for ourselves, that it will still be manageable.
5 months and counting.