GDPR: Will Your Company Be Fine or Fined?

Mayday, mayday” is a standard international distress signal. With the European Union’s General Data Protection Regulation (GDPR) going live on May 25, 2018, the phrase seems particularly apt.

What is the GDPR? Weighing in at over 50,000 words, the GDPR revises a decades-old EU privacy directive that harkens back to 1995, a time when there was more postal mail than email. The GDPR restricts how organizations can collect, use and retain personal data, and provides Europeans with certain rights to halt collection, and to obtain copies, correction and, at times, destruction of their data.

How does it impact U.S. businesses? The EU seeks to apply the GDPR to all companies regardless of location if they collect personal data from individuals in the EU, such as through websites targeting EU consumers with goods or services (whether paid or unpaid), or by monitoring the behavior of people in the EU. The GDPR also applies to vendors (and corporate partners and affiliates) who end up storing, transferring, processing or using EU personal data even though another company initially collected it.

What are the Cybersecurity Requirements? Companies must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Doing so requires an organization to evaluate “the state of the art” of security; the costs of implementation; the nature, scope, context and purposes of processing the personal data; and the risks to individual rights and freedoms. Data protection must be implemented “by design and by default.”

Are there breach notification requirements? Yes. If a data breach is likely to result in “a risk” to an individual’s rights and freedoms, the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a “high risk” to rights and freedoms, notifications also must be made without undue delay to the affected individuals.

Can we get ready in a few weeks? It is unlikely. The EU gave companies two years. Still, achieving compliance may be more straightforward for organizations that do not collect sensitive categories of personal data (race, ethnicity, health, sex life, sexual orientation, criminal history, trade union membership, political/religious/philosophical beliefs, genetics or biometrics) and whose activities are unlikely to result in high risks to individual rights and freedoms (such as through large-scale data processing, new technologies or systematic monitoring, profiling and automated decision-making).

What if we are not prepared, but say we are? A lot can go wrong. The GDPR itself places a strong emphasis on public enforcement. Penalties can range from a simple reprimand all the way to a fine equaling the greater of 20 million Euros or 4 percent of the company’s global annual turnover.

How can we find out more? Check out the UK Information Commissioner’s Office website at ico.org.uk, with its free GDPR self-assessment tool, suggested courses of action, and detailed guidance. Appropriately, they promise to process your information in a way which does not identify you.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.