Managing Director of CyZen, Jacob Lehmann, sat with Co-Founder and Managing Partner at XPAN Law Group, Jordan Fischer, to dive into the details of the EU General Data Protection Regulation (GDPR), the most important change in data privacy regulation in decades. Read on to make sure you’re on the right side of the law after this seismic shift.
JACOB LEHMANN (JL): WHAT IS THE GDPR AND WHO DOES IT AFFECT?
Jordan Fischer (JF): The GDPR is a European Union-wide set of legal guidelines that regulate the collection and processing of individuals’ personal information. Unlike prior legislation from the EU, the GDPR contains a strong extraterritorial effect. So any processing of EU-related personal information, regardless of geographic location, must comply with its requirements.
JL: HOW DOES THIS IMPACT BUSINESSES AND PEOPLE IN THE UNITED STATES, INCLUDING LARGE BUSINESSES AND SMALL TO MEDIUM SIZED BUSINESSES?
JF: The GDPR affects both companies established within the EU and companies outside of the EU. Specifically, companies who are “offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or monitoring of their behaviour as far as their behaviour takes place within the Union.” Art. 3(2). There is no restriction on the size of the entity. The GDPR applies if you are processing personal data related to a natural person in the EU.
JL: WHAT ARE THE FINANCIAL AND LEGAL RAMIFICATIONS IF A BUSINESS FAILS TO FOLLOW THE REGULATIONS STATED BY THE GDPR?
JF: Anyone who is noncompliant can face potentially astronomical financial penalties. The highest fine is 20 million € or 4% of global net income, whichever is higher. Also, the GDPR allows for a private right of action by data subjects. This means companies could face litigation across Europe for failures to comply with the GDPR.
JL: WHEN WILL THE EU BEGIN AUDITING BUSINESSES TO ENSURE THEY ARE COMPLIANT?
JF: At this point, it is unclear how quickly the supervisory authorities of each Member State charged with enforcing the GDPR will begin to assess companies under the GDPR. Each supervisory authority will determine its own processes to audit companies and impose sanctions within the GDPR framework.
JL: WHAT IS GDPR’S DEFINITION OF PERSONAL DATA?
JF: The GDPR defines personal data very broadly. “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Art. 4(1).
In addition to the express definition within the GDPR, agencies and courts developed legal frameworks, which further illuminate potentially “personal data.” A prime example of “personal data’s” broad interpretation in Europe is the Court of Justice of the European Union’s (“CJEU”) judgment in Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C-70/10. In Scarlet, the CJEU addressed whether, under EU law, a Member State national court can order an Internet Service Provider (ISP) to use preventative measures to filter electronic communications to identify and prevent illegal file downloads. The CJEU ultimately decided that IP addresses are personal data. This reiterates the broader interpretation of personal information within the EU.
JL: WHAT STEPS CAN SOMEONE WHO IS CONCERNED WITH HOW THEIR PERSONAL DATA IS BEING HANDLED TAKE? ALSO, WHAT RIGHTS DO INDIVIDUALS HAVE TO PROTECT THEIR PRIVACY AND PERSONAL INFORMATION?
JF: For transparency, the GDPR outlines data subject rights regarding how an individual’s data is being used. One of the most discussed rights is the “right to be forgotten,” or the right to request that an organization delete your personal data. This can be a powerful tool for individuals to dictate how long their data is maintained and how data is processed. In addition to the rights outlined under the GDPR, the Regulation also provides for individuals to bring private lawsuits against companies for violations of the GDPR. This could potentially create a very strong “sword” for individuals to use against entities and the use of personal data.
JL: WITH SO MANY REQUIREMENTS, WHAT IS A GOOD STARTING POINT FOR A COMPANY?
JF: The ideal starting point for most companies is to conduct an initial GDPR assessment. Companies may already be compliant in some ways with the GDPR. Doing an initial gap analysis of where a company stands vis-à-vis the GDPR will allow a company to harness its existing processes and move towards GDPR compliance.
JL: IF A COMPANY HAS MINIMAL USE POLICIES IN PLACE, WHAT ARE THE MOST CRITICAL ONES TO GET THEM ON TRACK TO BE COMPLIANT WITH GDPR?
JF: The administrative component of the GDPR, for example policies, procedures, and guidelines, is important in creating an ongoing system of GDPR compliance. For entities that currently operate with minimal use policies, it is important to focus on key areas of sensitive data initially. This includes human resource data, financial data, and biometric data. Once a company develops policies and critical data is addressed, then they can move to less critical data to ensure that it is also being maintained and processed in a compliant manner.
JL: WHAT TYPES OF SERVICES CAN PEOPLE UTILIZE TO ENSURE THEY ARE COMPLIANT?
JF: GDPR compliance requires an interdisciplinary approach to create a robust, ongoing compliance process. There are a number of administrative, technical, and legal requirements that must work together to ensure complete compliance.
JL: WHAT DOES GDPR DICTATE COMPANIES SHOULD DO REGULARLY TO COMBAT PHISHING?
JF: While the GDPR does not expressly require measures to combat phishing, it does dictate implementing certain general security measures. “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” Art. 32(1). Using measures to regularly combat phishing equates to good cyber security best practices. This would likely meet the requirements of implementing general security measures to protect personal data under the GDPR.
JL: WHAT ARE SOME THINGS COMPANIES MAY CURRENTLY HAVE IN PLACE THAT HELP THEM ABIDE BY GDPR?
JF: An initial assessment to determine GDPR readiness is a great step towards compliance with the GDPR. There are numerous areas that companies can leverage in order to comply with the GDPR. This includes current internal processes, technologies and administrative procedures. For companies that already operate in regulated industries, for example healthcare, financial, etc., there may be areas of overlap or similarities that can be used to efficiently comply with the GDPR. In essence, the GDPR incorporates principles of privacy design and architecture within its requirements. To the extent that an organization maintains a robust and comprehensive information governance program, the GDPR may just require “tweaks” or modifications to ensure compliance.
JL: HOW CAN COMPANIES DILIGENTLY UTILIZE THIRD PARTY VENDORS WHEN IT COMES TO PERSONAL DATA?
JF: The GDPR creates an express requirement of third-party/vendor due diligence to ensure that those parties are complying with the GDPR. Companies must create robust and ongoing systems and procedures to conduct the appropriate due diligence on a third-party/vendor before entering into an agreement, and then establish a mechanism to audit that vendor annually.
JL: ARE THERE ANY MANDATORY ROLES IN GDPR? IF SO, WHAT ARE THE FUNCTIONS?
JF: The GDPR requires that a company designate a Data Protection Officer (“DPO”), depending on the processing activities undertaken by the controller or processor. These processing activities include:
- where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- where the core activities of the controller or the processor consist of processing operations which, by their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data, pursuant to Article 9, and personal data relating to criminal convictions and offences referred to in Article 10. Art. 37.
If a DPO is required, she or he is required to inform the organization of the requirements of the GDPR and monitor compliance with the Regulation. Art. 39. Further, the DPO is charged with being the contact person for any supervisory authority on issues related to the GDPR.
JL: ARE THERE ANY WAYS TO DEMONSTRATE GDPR COMPLIANCE?
JF: Demonstrating GDPR compliance is a key component of being GDPR compliant. There are various ways for an entity to demonstrate compliance. On a base level, this should include:
- Maintaining the appropriate records of processing under Article 30;
- Conducting appropriate data impact assessments under Article 35;
- Maintaining records related to the data subject rights under Chapter III; and
- Ensuring all contracts and/or agreements with third-parties (i.e., processors, sub-processors, joint-controllers, controllers, etc.) include the required terms and provisions.
Each of these areas requires an analysis to determine what is appropriate for the types of processing an entity is conducting.
JL: DO YOU HAVE ANY RECOMMENDATIONS FOR COMPANIES THAT FEEL LOST WHEN IT COMES TO BUILDING A ROADMAP FOR COMPLIANCE?
JF: The Working Party on the Protection of Individuals with regard to the Processing of Personal Data, generally known as Article 29 Working Party (WP29), is the independent European Union Advisory Body on Data Protection and Privacy. This organization is composed of representatives from each of the EU Member States, the European Data Protection Supervisor and the representative of the European Commission. The WP29 created a number of guidelines or opinions to address key areas under the GDPR. In addition to obtaining legal counsel or technological consulting guidance, the WP29 documents are a good starting point.
We're Here to Help
For more information on GDPR compliance to avoid hefty fines, contact your legal advisor or the cybersecurity advisors of CyZen.