On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, bringing into enforcement rules that had been deliberated for more than four years and were formally adopted in April 2016. The primary aim of the new regulation is to return control of personally identifiable (PI) data to the individual and to simplify the legislation surrounding data management and processing. It also governs the export of data outside the European Union (EU) and the European Economic Area (EEA). Unlike preceding acts, GDPR applies to all companies that process the data of any EU citizen or conduct business within the EEA, even if they maintain no physical presence in the EU.
What has happened this year?
Since its introduction, GDPR has been the focus of intense scrutiny across all industries, perhaps unsurprising given the unprecedented scale of the fines and enforcement announced as part of the regulation. The expectation is that this will continue as GDPR continues to be refined in line with ever faster global communications and bulk data processing. Cross-industry focus groups, especially in the EMEA global region, have been sharing compliance best practices and beginning to speculate on what the next phase of GDPR will entail and its subsequent business impacts. From focus groups to dedicated GDPR global conferences, this pan-industry focus underscores the importance of GDPR and the dramatic impact it has had on the global business landscape.
As we move into the second year of GDPR, we expect to see greater numbers of penalties and fines as more companies are reported and investigated. An article by FCPA, titled GDPR Enforcement Report (May 2019), references four major cases in which companies were fined between $5,400 and $56 million within the last year for non-compliance with GDPR. While the actual number of enforcement cases is still relatively low, the Report also states that:
- The UK DPA received 6,281 complaints between May 25, 2018 and July 3, 2018, a 160 percent rise on the same period in 2017.
- In the first five months after GDPR’s entry into effect, there were 6,555 complaints to Data Protection Authorities in Germany, 2,547 complaints in Italy, and 3,767 complaints in France.
- There were 1,831 data breach notifications submitted to Polish Data Protection Authorities by businesses or other organizations.
- Multiple GDPR-related cases sit with the European Court of Justice (ECJ) with a decision yet to be reached.
Fines will be administered by individual member state supervisory authorities, utilizing the following 10 criteria to determine the amount of the fine on a non-compliant firm:
- Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (Article 83(2)(i)) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
Impact of GDPR
A rather startling realization from the wider rollout of GDPR has been the challenge of becoming compliant initially and then retaining compliance. Experience with ongoing compliance has shown that, in order to keep pace with the requirements of GDPR while maintaining a proactive approach to the protection of personal data, a state of vigilance is needed, embedded into the culture of how companies operating in 2019 approach data from day zero. While the appointment of a Data Protection Officer is now required for companies of a certain size, the wider impact is seen across personnel and operational arenas, with cyber security and GDPR compliance now warranting their own specialist staff. This in turn represents a potentially large operational cost which companies must now take on or risk being fined for GDPR breaches; it is nonetheless worth it when compared with the cost of the fines and the possible loss of business. Arguably, data security is now viewed more widely as a specialist discipline that needs to be invested in and developed in the same way as any other core business function, such as Human Resources or Finance. Specialist data protection and security awareness courses are appearing across many industries, but the skillsets will take time to disseminate across the wider business environment. This marks a significant mindset shift away from previous data protection legislation, which had in some cases been viewed more as a ‘tick box’ exercise than as an ingrained function.
However, the challenge for all industries will be keeping GDPR in focus as time moves on. After a relatively gentle start to GDPR, the major enforcement actions have made significant headlines and forced GDPR back into the collective business mindset. Enforcement will need to continue to be widely publicized to ensure that the consequences of failing to meet GDPR obligations are both real and tangible for companies of all sizes; some commentators have suggested that this is behind the scrutiny placed on major technology and data processors such as Google and Facebook. Unquestionably, that enforcement has demonstrated that the consequences can be made tangible for groups of that size and, as such, can apply to anyone. As 2019 progresses, the expectation is to see further enforcement action taken and well-documented, with rising awareness of GDPR being reflected in the fundamental manner in which companies process data and engage in business within the EU.
One clear area of growth from GDPR is the degree to which it has resonated internationally, inspiring worldwide legislation aimed at protecting the same basic rights in line with local laws and prevailing conditions (see examples in the section below). With many new laws emerging that share GDPR’s intent but set different thresholds for compliance, local legislative expertise is key, whether through in-country partners or local offices, to educate and advise on prevailing local conditions and to ensure that compliance is maintained.
What to expect moving forward
It is apparent that enforcement of GDPR will continue, so first, if you are not compliant, get there. While fines and penalties are certainly of great concern, companies also need to recognize that non-compliance could affect customer trust, and therefore overall business growth or decline. So far, apart from some large cases, authorities have been relatively lenient, issuing warnings in some cases and allowing the company to get into compliance. But as time goes on, there will be a greater expectation that companies have already taken the appropriate actions to ensure compliance, and the authorities will likely not be as lenient. What will that do to your business? If your organization has not been compliant with the regulations and is fined for it, your customers are likely to pull their business while you bring your company up to speed. This could have a serious impact on your bottom line and therefore on your entire organization.
As enforcement actions occur, however slowly, they will set precedents for future decisions by regulators who have so far been hesitant to penalize or fine an organization. Moving forward, we should expect to see these regulators become more confident in their decisions to enforce the GDPR regulations.
Data processes and ethics
Companies will need to engage more with their data through governance and data mapping practices so that they are aware of what data they store and process. If the data is not essential to the work being performed, it must be anonymized; this was not a requirement prior to GDPR. Beyond ensuring compliance, there is an ethical obligation to follow these regulations in order to keep the data secure.
Additional Privacy Laws
It’s important to remember that GDPR is not the first privacy law to come into effect, and so we should not expect it to be the last. In fact, more than 80 countries around the world have developed or enacted privacy laws, in addition to smaller jurisdictions such as US states. For example, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on the first day of 2020, and GDPR compliance alone will not be enough. Some ways in which the CCPA will differ for companies that store or process data on California residents are:
- Companies will be required to set up specific communication channels for California residents to request their data
- Household items and data from internet-connected devices will be included in the definition of PII
- Requirements for deleting data will be different
- Requirements will change for companies selling data for commercial purposes
Brazil is enacting its own General Protection Law (LGPD) on August 15, 2020. Passed by the National Congress of Brazil on August 1, 2018, the legislation puts new restrictions on the use of data processed or stored on Brazilian residents. We also know that the EU is updating its ePrivacy regulations on matters such as consent for cookie use and the treatment of electronic communications, including internet-based voice and messaging apps.
What to do now
We’ve discussed the purpose of GDPR and how its enforcement is affecting organizations, as well as what we expect to see over the coming years. Based on the number of complaints the authorities are receiving, it’s obvious that many organizations are still not fully compliant with GDPR. If that’s the case for your organization, your company is at significant risk of penalties and fines for non-compliance. See below for some quick tips to help you get, and stay, compliant.
- Make it a priority! Risk management comes from the top and it’s imperative for executive management to lead the charge for cyber security preparedness.
- Hire or appoint a Data Protection Officer (DPO) if you haven’t already: Depending on your organizational complexities and size, you may be able to name someone in your organization, or you may need to hire someone – either full or part time. There is also the option for a virtual DPO who works as a consultant for several organizations.
- Involve all the appropriate people. While IT will have the responsibility of ensuring that technology meets the requirements, IT often will not have all the information or know who in the company is collecting what. Be sure to include Finance, Operations, Marketing, Sales, Payroll, HR, and any other group within the organization that collects, analyzes, or otherwise makes use of Personally Identifiable Information (PII), so that they can share information with IT personnel about required changes.
- Update your data protection plan: Most companies already have a plan in place based on prior standards (if you don’t, create one as soon as possible), but it is essential that it is regularly reviewed against the GDPR requirements to ensure compliance.
- Run risk assessments regularly: The data you store will change over time, and it is important to be aware of what information you are holding on EU citizens and the risks of storing that information. Be sure to document the steps you take to reduce or mitigate that risk. A commonly overlooked segment (and one of the greatest compliance risks) is Shadow IT, so it is essential for your team to uncover any Shadow IT that may be collecting and holding PII.
- Document your GDPR compliance progress: Just as the steps taken to reduce risk should be documented, it is also important to track and document your processes and progress with GDPR compliance. The regulation requires a “Record of Processing Activities” (ROPA), and organizations should be able to show progress in completing this documentation if they are reported and investigated.
- Control mobile access: If your employees access and store PII through apps on their mobile phones or personal devices, you face a unique set of risks, since that access must also be handled in a compliant manner. Controlling it can be tough, and it’s recommended that this not be allowed.
In the payroll field, it’s essential that we think about all the forms of PII we receive and handle. From the interview process to hiring, through promotions or moves, all the way to when the person leaves the organization, we are collecting data. Any and all of that data falls under the GDPR regulations and is data that an employee could request to see at any time. We must treat the data as we would want our own data treated: with the utmost care and security.