By Don Aplin
Privacy & Data Security News
Companies doing business in the European Union should act now to carefully benchmark their changing data security obligations across the bloc and for the individual EU countries where they collect and handle information. Corporate compliance officers need to understand that the EU risk profile is set to jump dramatically in the next year.
Financial sanctions under a new EU-wide privacy law set to take effect in May 2018, the EU General Data Protection Regulation (GDPR), are eye-popping. The GDPR allows for massive fines of up to 20 million euros ($21.2 million) or up to 4 percent of a company’s global revenue, whichever is higher. By way of illustration, Google had $60.6 billion in global revenues in fiscal year 2015, Bloomberg data show, so a fine of 4 percent would mean EU privacy regulators could fine Google some $2.4 billion for one violation.
Data security obligations play a prominent role in GDPR. The law places stricter obligations on companies that collect and use personal data in the EU and for the first time mandates that all covered companies notify privacy offices and affected individuals about certain data breaches.
Compliance officers seeking to minimize the risk exposure of their companies should look to the present oversight and enforcement regimes of the 28 countries in the EU—27 after the U.K.’s Brexit—to see side-by-side how regulators from different EU countries will act when enforcing the GDPR’s data security and breach notice requirements.
They need to gather comparative risk intelligence on the various EU privacy regulators with whom their companies will interact so that they may better work with legal, information technology and privacy teams to lower risk.
Data Security Obligations
Companies that use personal information collected in the EU must implement “appropriate technical and organizational measures” to secure personal information. Technical measures may include encryption and anonymization depending on the sensitivity of the information at issue. Organizational measures may include policies on limiting access to stored data or policies on documenting the destruction of data when it is no longer needed.
Previously, companies that collected, stored and decided how personal information would be processed--known as data controllers in the EU—bore the burden of data security. Data controllers are typically companies that collect data, such as client, customer or user information.
The GDPR will now extend the data security obligations to companies that process personal data on behalf of a data controller, such as payroll companies, accountants, market research companies and most cloud service providers.
That opens up a new universe of companies to significant EU data security compliance obligations for the first time.
Mandatory Data Breach Notice
Companies will have only 72 hours after discovery of a data breach to begin the notification process.
Unlike most U.S. state data breach notice laws, the GDPR doesn’t have a risk of harm threshold, such as the chances that a breach will result in fraud or identity theft, to trigger the notification obligation. Under the GDPR, any “accidental or unlawful destruction, loss, alteration, unauthorized disclosure” of personal data will require notification.
The bottom line is that the looming new EU privacy regime’s stricter rules means that companies must assess compliance risks now. It is only a little over a year until they will face new data security and data breach notice requirements in May 2018. Compliance officers can help prepare by comparing data security and privacy requirements and enforcement risks across the bloc and in the EU member countries where their companies do business.
Donald G. Aplin, Bloomberg Law Managing Editor of Privacy and Data Security News, has covered the privacy and security beat for over a decade at BBNA and has been a legal editor at BBNA for 18 years. Before joining Bloomberg Law, Don practiced law for 13 years representing plaintiffs in EEO cases and whistle-blowers at the Government Accountability Project. Don is in his 30th year as an Adjunct Professor of Legal Rhetoric and Writing at the Washington College of Law at American University. Don has a B.A. in Government from Pomona College and a J.D. from the Antioch School of Law.