Is GDPR compliance essential?
Ignoring the EU’s new online privacy rules could be a big gamble
In recent weeks, you may have noticed an increase in the number of emails you received from various internet services, such as your social media accounts. If you read the updates, you might also have noticed how many of the emails began with “We take your online privacy very seriously.”
A more accurate statement might be: “We take the GDPR and its fines very seriously.”
The General Data Protection Regulation, or GDPR, swept into effect on May 25. The GDPR is essentially a European Union consumer protection law that requires anyone or any organization based in the EU, with few exceptions, to adhere to nearly 100 “articles” laying out precisely what may and may not be done with personal information provided to them.
Article 3 has caught the attention of many American companies. It states that companies based outside the EU, but which collect personal information from people in the EU (“data subjects”), may also be subject to the GDPR. Fines for noncompliance fall into two tiers: on the upper end, an eye-watering $24 million or 4 percent of global revenue may be levied against a violating company. Lower-tiered offenses may carry fines of up to $12 million or 2 percent of global revenue.
The requirements of the GDPR are extensive, and member state-specific guidance is yet to come. Some of the larger themes are:
• Data protection by design, not as an afterthought
• Affirmative obligations by companies which decide to collect data (“controllers”) and process the data (“processors”) to protect personal information and take action when that information is compromised
• An extensive list of data subject “rights,” about which the data subject may inquire of any company to which he or she has submitted information.
A quick glance through these requirements tells us that GDPR compliance demands a good understanding of your company’s own information technology governance. That is, of course, if you intend on being GDPR-compliant.
When it comes to the GDPR, two questions immediately come to a business owner’s mind: Is my company subject to the GDPR, and if developing a GDPR compliance plan is not financially tenable, should I risk noncompliance?
Both questions require a discussion with your law firm and information technology professionals. The short answer to the first question is that the GDPR casts a very wide net, and the threshold requirements for falling under its scope are low. The regulation does not have an apparent carve-out for only minimal collection of data — whether a company falls within its scope will be determined in many cases only by enforcement actions. In that respect, it applies to huge Fortune 100 companies and small startups alike.
Concerning the second question, one could make the argument that, no matter the cost or inconvenience, for most small companies, developing IT solutions that meet the spirit and intent of the GDPR will probably never exceed the penalties of noncompliance. However, ignoring the GDPR as a preoccupation of privacy-obsessed European regulators may be tempting.
After all, what is the likelihood that an EU member state’s GDPR enforcement arm — called a “supervisory authority” — or a private EU citizen will successfully enforce a judgment across the Atlantic? Facebook and Google may be wondering the same thing: Both companies recently had private-action lawsuits filed against them for a collective $8.8 billion in alleged GDPR violations.
Some consider the lawsuits to be more news fodder than a legitimate legal threat to the companies, but one thing is clear: While there currently does not appear to be a robust framework in place for international enforcement, ignoring the GDPR indefinitely would be a significant gamble.
At least some cooperation already exists between U.S. and EU regulators: the Data Privacy Shield is a voluntary certification process, administered by the U.S. Department of Commerce, which designates a company’s privacy policy as containing an appropriate level of attention and detail. Although certification is voluntary, those that do certify are then held accountable for adherence to their own policies. The Data Privacy Shield applies to a narrow but critical aspect of the GDPR — data transfer — and is expected to be indicative of compliance with the data transfer portion of the GDPR by companies that are certified.
As the international business community waits for the first casualty of GDPR enforcement, it may be time to consider how you can take steps toward developing a GDPR-compliant data protection framework for your business.
Robert E. Baker, an attorney with Cook, Little, Rosenblatt & Manson in Manchester, can be reached at 603-621-7105 or r.baker@clrm.com.