By Greg Sparrow, Senior Vice President & General Manager, CompliancePoint
The General Data Protection Regulation (“GDPR”) is currently one of the most important topics of conversation for U.S. companies. Since its inception, the GDPR has raised a number of questions as to whether businesses are prepared to comply with the new regulations. The GDPR was adopted on April 27th, 2016 and allotted a two-year post-adoption grace period for businesses to strategize and implement their own compliance. With less than one month left, it has been reported that an estimated 61% of U.S. businesses are still not ready for the regulation, and only 67% of European-based businesses have begun moving into the implementation phase of their GDPR compliance program. The potential fines have many concerned about compliance as the May 25th, 2018 date of enforcement approaches, but businesses struggle to fully understand the regulation and thus fail to launch a comprehensive plan.
Turning our focus to the intelligence industry, several internet-based social websites and applications have displayed international influence and presence through international platform expansion and marketing efforts. One recent example is the popular web-based platform Facebook and its acquisition of the messaging application “WhatsApp.” WhatsApp announced in August of 2016 that it would share user data with Facebook to improve its service, as well as to provide statistics and patterns to the social media giant. Facebook has significantly increased its marketing efforts in past years with suggestion capabilities that promote products or services likely to interest an individual, based on the data collected about that individual. Since the acquisition, WhatsApp has expanded its application reach internationally to Brazil, India, and Europe, putting the app at the forefront of data protection regulations. On March 15, 2018, WhatsApp announced that it will no longer share user data with Facebook until it can assure UK users that it is compliant with the GDPR.
The GDPR brings Facebook’s acquired WhatsApp business into scope not only because of its presence in the United Kingdom, but also because it monitors European Union (“EU”) data subjects and attempts to offer them goods and/or services based on that collected data. Facebook’s practices most likely include automated individual decision-making about EU data subjects, which requires a lawful basis such as explicit consent under the GDPR. Processing is broadly defined in the regulation to include most actions that can be performed on data, and it specifically covers collection and storage, which Facebook, in this case, would be doing. The website must, therefore, have processes in place to honor the nine distinct rights awarded to EU data subjects, and be able to operate under the guiding privacy principles defined within the GDPR.
The regulation further dictates appropriate security efforts around the protection of personal data, establishes breach reporting requirements, and increases the risk associated with vendors processing this data. These expansive requirements will make the process of marketing much more complex for the two tech companies.
Some smaller applications and web-based social sites may not be taking the new regulations as seriously as they should, but past enforcement actions point to enforcement risk regardless. The GDPR states that non-compliant companies posing a risk to EU citizens and their privacy can be fined up to $20 million or 4% of their global turnover for the previous fiscal year, whichever is greater. On top of this penalty, EU individuals also have the right to receive compensation from the controller or processor for the damage suffered.
For a company like Facebook, with net revenue of around $18 billion in 2017, this could potentially mean a fine of $720 million. It is important to note that this fine would be per violation. It can certainly be assumed that larger repercussions would be imposed in this hypothetical case, since case law suggests similar types of violations do not stand alone and typically occur together with others.
There are several steps that related companies must immediately embark on to mitigate their exposure to risk. A solid start begins with understanding GDPR regulation applicability to various parts of the business and understanding each unit’s risk profile to establish priorities for the initiative. Once risk and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for the processing of this data.
Every industry has its own unique risk and operational challenges, and every business within it has its own maturity relative to industry peers. The trusted counsel of a compliance firm, acting as an unbiased third party, helps to quickly identify both industry and organizational risks that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate this risk, and set up ongoing monitoring programs to maintain valuable records of compliance.
Some have suggested the GDPR will set the global precedent for data privacy and security regulations. Brazil and China have both shown interest in forming similar requirements to protect the privacy of their citizens’ personal information from businesses storing and transferring data across borders.
To adequately prepare for the GDPR and similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations and on how they will choose to meet the requirements. Applicable processes and procedures can obviously help minimize exposure to fines, but they also provide an opportunity within the market to reassure customers and, in return, earn their trust.
GDPR Survey Study Shows Majority of U.S. Businesses Aren’t Fully Prepared for the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union regulation that requires businesses to protect the personal data and the privacy of European Union (EU) natural persons when transactions occur within EU states. Data protected under the GDPR includes identifiable information (names, addresses, dates of birth), web-based data, health and genetic data, and biometric data. These rules became officially enforceable on May 25, 2018, and apply to all businesses interacting with and performing marketing tasks directed at EU data subjects. The GDPR is based on the premise that private information always is, or should be, private and that individuals have rights surrounding that data. In the exact words of the GDPR, “data protection is a fundamental right.”
Despite a two-year grace window that companies were allotted to prepare for GDPR compliance when the regulation was first approved in 2016, a recent survey study titled “GDPR Readiness Survey” shows that very few are 100% compliant. The survey found that only 29% of the participants were actually aware of the GDPR, 44% said they were somewhat aware, and 29% said they were completely unaware. The survey also found that only 24% of businesses felt that they were prepared for the GDPR, and 31% felt they were somewhat prepared. This is compared to the 36% of businesses that said they did not feel prepared, and another 9% that said they were unsure. These numbers are alarming simply because one infraction can cost a non-compliant business millions in revenue. It can be assumed that companies who are not fully aware or fully prepared face enormous risk when working with any customers who may be based in the EU.
Furthermore, the GDPR Readiness Survey also found that 45.6% of businesses reported that they have not become compliant because they are waiting to see what enforcement comes from the regulation. However, as more companies see initial fines, this number will likely drop. The GDPR notes that, under certain circumstances, companies doing business in the EU are required to appoint a Data Protection Officer (DPO) to ensure compliance with the regulation. The DPO is responsible for informing and advising the organization of its obligations under the regulation, monitoring compliance with the regulation, responding to requests from data subjects, and cooperating with the supervisory authorities, including reporting breaches that result in a risk to those affected within 72 hours, as required by the GDPR. When a DPO is required, appointing someone to this position will be just one small aspect of what that 45.6% of businesses will need to accomplish to become compliant with the requirements under the GDPR.
According to the GDPR website itself, fines administered for non-compliance and the amounts levied depend on 10 key criteria: the nature of the infringement, intention, mitigation, preventative measures, history of violations, level of cooperation with the supervisory authorities, data types, notification, data protection certifications, and other factors. Infractions that are considered “lower level” violations, such as not having data records in order, failing to notify the supervisory authority and data subject about a breach, or not conducting privacy impact assessments, are subject to fines of up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. Infractions that are considered “upper level” violations, such as violations of basic principles related to data security and conditions for consumer consent, violations of data subject rights, and transfers of personal data to third parties or international organizations that do not ensure an adequate level of data protection, are subject to fines of up to €20 million, or 4% of the worldwide annual revenue, whichever is higher.
In addition to the above findings, 39.7% of businesses responded that they lack regulatory understanding, which is holding them back from working towards meeting the data protection standards. The EU has yet to issue official assessment criteria, which makes it harder for businesses to implement a solution when there is no telling how regulators will officially evaluate them. In the same survey, 36.8% of businesses said their lack of budget was a factor in compliance failure, while another 33.8% cited low brand visibility, concluding that they feel safer as a small company that may not be targeted as easily. Additionally, 27.9% of businesses said they were unconcerned with being GDPR compliant. Respondents did not report whether they were unconcerned due to lack of understanding, lack of threat, or lack of business presence in the EU.
The topic of data privacy and protection is not a new one for those living within the EU. The GDPR actually replaces a similar directive that was put into effect in 1995, when the internet was gaining tremendous attention and becoming increasingly usable for consumers. Since then, the way that web giants such as Google and Amazon utilize their customers’ data has become so complex in nature that customers often don’t realize what personal information has been stored. The GDPR differs from privacy regulations in the United States, as the American approach to information privacy is comprehensive in nature.
For example, a hospital will store different information than a retail organization, and a retail organization will store different information than an online marketplace. The U.S. holds certain privacy protection acts and standards as implemented by HIPAA, PCI DSS, and other narrower privacy rules; however, the GDPR keeps the issue of privacy extremely simple. It doesn’t matter if the data is credit information, healthcare records, or simply an online social profile – it is all protected the same. Of the respondents polled in the GDPR survey, nearly half (48.5%) with knowledge of the GDPR said that the requirement they anticipated being the most challenging was
Supported by data collected from the U.S. Small Business Administration (SBA), the GDPR may certainly pose direct risks to U.S. businesses. According to the SBA, 98% of businesses export goods internationally, putting them within the jurisdiction of the GDPR. The first steps any company must take to mitigate its exposure to fines or risk include understanding the regulations and how data is used within the organization. Once risk and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for the processing of personal data. The trusted counsel of a compliance firm, acting as an unbiased third party, can help organizations quickly identify both industry and organizational risks that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate this risk, and set up ongoing monitoring programs to maintain valuable records of compliance.
To adequately become compliant with the GDPR and similar regulations, businesses must become educated on these regulations and determine how to meet the requirements. Applicable data protection processes and procedures can help minimize exposure to fines, but they also provide an opportunity within the market to reassure customers and earn their trust.
About the Author
Greg Sparrow, Senior Vice President & General Manager, CompliancePoint
Greg Sparrow has enjoyed over 17 years’ experience in Privacy, Information Security and Risk Management. Greg has had the pleasure of working on both US-based and international projects. He was responsible for the development and implementation of the security programs responsible for protecting billions of dollars in annual transaction volume. Greg’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams, and helping to secure critical infrastructure at some of the nation’s largest transit hubs. Greg holds multiple IT and security certifications covering the Healthcare Industry, Payment Card Industry, and federal banking standards.