8.15.19 | Client Alert
The General Data Protection Regulation (GDPR) of the European Union (EU) has been in effect for a little over a year — enforcement began on May 25, 2018 — and the impact is already being keenly felt.
Enforcement action has been taken against Google, which incurred a hefty €5om fine1, and Facebook has already been tapped for 11 investigations.2 While most fines have been small3, there have been nearly 200,000 investigations with about 64,000 being upheld. It’s clear that GDPR is makings its presence known. It is important to note that each country’s GDPR supervisory body has the authority to determine how strictly the law will be interpreted and enforced—providing sole discretion to each country regarding the severity of the penalties and sanctions implemented in its jurisdiction.
If your business operates completely or in part in the EU and uses or collects data on EU citizens and residents, you need to comply with GDPR. Such data includes names, addresses, photos, and extends to IP addresses, genetic data, and biometric data. If you offer goods and services to EU customers and use or collect their personal data, you must comply—even if you do not have a physical presence in the EU. GDPR also applies to businesses that monitor an individuals’ behavior in the EU—as when developing a profile or gauging the individual’s preferences.
GDPR requires organizations to report to the relevant supervisory authority certain types of data breaches which involve unauthorized access to or loss of personal data. This might include informing individuals affected by the breach. The breach notification must be delivered directly to the victims and may not be communicated solely via a press release, social media, or on a website. The breach must be reported to the relevant authority within 72 hours of the organization first becoming aware of it.
Fines and Penalties for Non-compliance
Failure to comply with GDPR can trigger fines ranging from 10 million euros to 4% of the company’s annual global turnover. The fines will depend on the severity of the data breach and will factor in whether it is determined that the company took GDPR compliance and security regulations seriously. There is a maximum fine of 20 million euros or 4% of worldwide annual turnover for infringements of the rights of the data subjects, unauthorized international transfer of personal data, and failure to put GDPR procedures in place.
Do You Need a DPO?
If your organization carries out large-scale processing of special categories of data, engages in large scale monitoring of individuals, such as behavior tracking, or is a public authority, GDPR requires that you appoint a Data Protection Officer (DPO). If you do not fall into these categories, a DPO is not mandatory. However, you still need to have both the staff and skills necessary for GDPR compliance.
An Expanding Picture – US Data Protection is on the Horizon
While GDPR compliance is clearly imperative for U.S.-based organizations, with or without an EU presence, who collect or use data on EU citizens, there is more to come and prepare for, as U.S. state regulations and, potentially, federal laws on data privacy have become real possibilities.
For instance, the California Consumer Privacy Act (CCPA)4 to help protect California residents’ personal information becomes effective on January 1, 2020. The Act is intended to provide state residents with the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed and to whom
- Say no to the sale of personal information
- Access their personal information
- Equal service and price, even if they exercise their privacy rights
Massachusetts and Texas, among other states, have also put data privacy protections in place and New York’s Privacy Act5, now under consideration, would give residents more control over their data than in any other state.
With stories of data breaches and the collection and sale of personal data by major organizations continuing to make headlines, public pressure is expected to continue to mount for stronger U.S. data privacy laws at both the state and federal levels.6
Moving Forward Making Compliance a Priority
Whether an organization has already begun to address GDPR or is just starting to prepare for the inevitable U.S. and state data security standards to come, it is essential to have a comprehensive understanding of the regulations and requirements. Performing a gap assessment can help companies identify areas of potential exposure and develop plans to ensure compliance going forward.
If you do not have the internal experience to effectively address the new and coming data privacy regulations, get a third-party perspective to guide you toward compliance. This advisor should understand the complexities and nuances within the regulations and help you evaluate your controls and gaps to develop a robust compliance program.
Questions? If you have questions or need advice on your GDPR preparation and obligations, contact Alexander Moshinsky at 212.331.7448 | firstname.lastname@example.org.