By Joshua Mooney, White and Williams LLP
On May 25 2018, the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), took effect across the European Union, implementing one of the most significant regulatory changes in data protection in more than 20 years. The foundational principle of GDPR is that individuals have a fundamental human right to the protection of “personal data.” The regulation has a far-reaching effect in terms of both the vast amounts of information it regulates and the legislation’s extra-jurisdictional, global reach.
For many in Pennsylvania, GDPR may seem like a distant squall of intense European regulatory requirements and privacy concerns. Don’t be fooled, and don’t be caught by surprise. GDPR can have a significant impact on companies in Pennsylvania, even small and mid-sized ones. It’s never too late to have a GDPR discussion.
What is GDPR?
In its most fundamental terms, GDPR applies to the collection, protection, and retention of “personal data” of EU citizens. It provides lawful bases for “processing” “personal data,” and specifies procedures and specific timeframes for notification of data breaches. It also has stiff penalties that may reach €20 million, or 4 percent of worldwide corporate revenue, for those who violate the regulation.
In its most basic terms, GDPR regulates the “processing” of “personal data.” Article 4(1) defines “personal data” in broad terms as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Thus, any piece of information that can be used to directly or indirectly identify a person is deemed “personal data.” The definition extends far beyond names, addresses, biometrics, or other identifiers deemed “personal information” under U.S. law. Under GDPR, email addresses, computer IP addresses, cookies, and GPS data all may be deemed “personal data” and fall within the regulation. A data breach involving personal data, defined as a breach in security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to” personal data, can trigger notification requirements with deadlines of 72 hours or less.
Article 4(2) of GDPR defines “processing” in very broad terms to mean:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
By expressly including any collection, recording, organization, storage, use, disclosure or destruction of personal data, the definition is intended to cover any operation or interaction with such data. In other words, if a company touches personal data, it “processes” it.
Notably, neither the definition of processing nor that of personal data has a geographical limit. Therefore, a company need not be located within the EU to be governed by GDPR. If an organization outside the EU stores personal data of, monitors the behavior of, or offers goods or services to EU residents, regardless of whether those residents are customers, consumers, employees, partners, business contacts, or vendors, GDPR applies.
Why a discussion about GDPR is important.
Whether GDPR applies to a company, and if so, the risk of exposure for noncompliance, depends on that company’s business operations. Even for those companies that fall within GDPR, the risk of exposure that the regulation presents may vary. Yet, even companies with little or no perceived GDPR exposure should still understand GDPR’s scope and applicability. Here are three reasons why:
Better Security, Better Business. According to a recent Ponemon Institute report, the cost of data breaches has increased another 8 percent, with the average total cost of a sustained data breach at $8 million. The best and most effective way to mitigate the risk (and cost) of a cybersecurity incident, including a data breach, is to have a written data security program with effective elements for early detection, mitigation and recovery. GDPR provides a good opportunity to revisit the state of a company’s data security program. If no program exists, developing and implementing one should be an immediate priority.
U.S. Data Privacy Laws. There are no U.S. laws as comprehensive as GDPR, but that does not mean the U.S. lacks significant data privacy and security laws.
Last spring, California enacted the Consumer Privacy Act, which introduces significant new requirements on any business that collects and sells personal information of California residents. The legislation expands the definition of personal information in GDPR-like fashion to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and it imposes many GDPR-like disclosure requirements. A recent Ohio law creates a safe harbor from liability for an effective data security program. In fact, since GDPR’s effective date, over 13 states have enacted data privacy and security legislation.
Significant data security laws were enacted prior to this year. New York enacted cyber regulations that provide strict requirements for data security, including the implementation of cybersecurity programs based on annual risk assessments, topped off by requiring the personal certification of regulatory compliance by a senior officer of the company. The NAIC passed a model law on data security. And don’t forget federal laws like HIPAA, the HI-TECH Act, and GLBA. Even if GDPR does not apply to a company’s operations, other regulations might.
Business Relationships. Sometimes a company’s client or business partner who must comply with GDPR may try to impose contractual requirements to adhere to GDPR. New business opportunities may create compliance requirements where none existed before. Assessing GDPR compliance issues now can place a company in a better position to acquiesce to such requirements. On the other hand, understanding GDPR also can place a company in a better position to persuasively negotiate non-applicable or overzealous GDPR compliance requirements out of the terms of a contract.
While GDPR has been in effect for nearly four months, it’s not too late to begin a discussion about GDPR. Companies should conduct an information assessment to examine whether GDPR applies to their operations, and if so, whether compliance is feasible. When was the last time your company conducted a risk assessment? If it has conducted a risk assessment, was GDPR or the general concept of privacy and security a weighted risk? These questions can be the start of a critical evaluation and a necessary discussion.
Joshua Mooney is a partner at White and Williams LLP in Philadelphia. He is co-chair of the firm’s Cyber Law and Data Protection Group.