The proposed General Data Protection Regulation recently passed a key legislative hurdle in the European Union,...
and enterprise compliance teams are watching carefully as the regulation nears expected adoption in early 2016. Once passed, organizations doing business in the EU will have a two-year grace period to become compliant with the regulation before facing steep fines for noncompliance.
What is the EU General Data Protection Regulation?
Under the EU General Data Protection Regulation, the EU seeks to implement a single set of data privacy rules that apply across all EU member states. It expands many of the provisions of the 1995 EU Data Protection Directive and applies to organizations that previously fell outside the scope of EU regulation due to their geographic location. The EU General Data Protection Regulation includes notice and consent provisions similar to those found in the 1995 regulation with some enhancements, including disclosure of the retention time for personal information, and parental consent requirements for children under the age of 13.
The much-touted "right to be forgotten" that was present in original drafts of the General Data Protection Regulation was replaced by a so-called right to erasure. This provision allows the subject of personal information records to request data controllers erase personal data related to the individual when the information is no longer needed for the purpose it was collected, the individual withdraws consent or the storage of the information is otherwise illegal.
The General Data Protection Regulation will also require many organizations appoint a semi-independent Data Protection Officer, or DPO. In an arrangement unique to EU law, the DPO will report to regulatory authorities and not to the organization employing the DPO. DPOs will be required to report data breaches to government regulators as soon as they learn of the breach, and individuals must be notified of the breach if they will be adversely affected.
One of the key provisions of the new regulation is a vastly expanded scope over prior EU privacy regulations. The EU General Data Protection Regulation applies to any instance where either the organization handling the data or the data subject is based in the EU. It applies worldwide to the personal information of European Union residents. This means companies based entirely in the United States must now comply with EU privacy regulations or potentially face significant fines. This jurisdictional claim will undoubtedly face challenges in the courts, but businesses outside the EU should pay close attention to this regulation as it develops.
Controlling compliance costs
There are tremendous compliance costs associated with the proposed EU General Data Protection Regulation. These come in the form of potential sanctions that regulators may apply to organizations which fail to comply with the regulation's provisions. Notably, organizations violating the General Data Protection Regulation are subject to enormous fines that are unprecedented in the world of privacy law. Fines for egregious violations may be assessed at the rate of 20 million Euros or 4% of a firm's worldwide revenue, whichever is higher. To put that in context, this means Google could be fined over $2.6 billion for an egregious violation. Walmart, the U.S. company with the highest worldwide revenue of $485 billion in 2015, could potentially face a fine of over $19 billion. By way of comparison, that is more than the $12 billion annual revenue of Facebook.
The best way organizations can control their compliance costs is to start planning now for the likely implementation of this law in 2018. Depending upon an organization's line of business, implementing the right to erasure, data breach notification, DPO role and other requirements may require an investment of time and financial resources. But that investment pales in comparison to the potential fines associated with an egregious breach that violates the EU General Data Protection Regulation.
Find out how the GDPR will affect U.S. industries.
Learn how the Trans-Pacific Partnership agreement will affect security
Check out the effects of CISA on enterprise security