If you have EU customers and you're uncertain how GDPR impacts you, stop reading this and hire a lawyer. Now.
This is not legal advice. If you have EU-resident customers, hire a lawyer. Now.
I work for All Around The World, a consulting firm based in France. Not only have we been impacted by the General Data Protection Regulation (GDPR) law, our clients have as well. What we have seen is that there's often a lack of understanding of the consequences of GDPR and companies with EU customers face bankruptcy if they fall afoul of this legislation. The GDPR essentially forces companies to take security, privacy, and record keeping seriously. GDPR fines for non-compliance are designed to be severely punitive, up to and including driving companies into bankruptcy.
You do not need to suffer a data breach to be hit with these fines; if you regularly handle data on EU customers and you're found to not be complying with GDPR regulations, you may be sanctioned. What's worse is that local laws, such as the US CLOUD Act, are sometimes in conflict with the GDPR, meaning that you can be caught between contradictory legal requirements. You need a lawyer.
The EU worked for years on the law, finally adopting it on April 14th, 2016. It became enforceable on May 25, 2018. Companies had two years to get ready, so non-compliance is not tolerated. The Cambridge Analytica scandal has made the situation even worse. Though Facebook was fined £500,000 for misusing customer data, there's anger that this paltry amount was the maximum fine that could be levied at the time. Had GDPR been in effect at the time, Facebook could have been fined up to $1.8 billion. While "good faith" efforts to comply with the law will be taken into account, if the EU desires to make an example of a company (and they will), a US company taking money out of the EU will be a much more desirable target than bankrupting an EU company keeping money in the EU. You need a lawyer.
There is a strict requirement that you make a "good faith" effort to achieve GDPR compliance. Before anything else, you must realize that GDPR-compliance is a legal issue, not a technical one. If you simply instruct your IT staff to make it easy to report and purge personal data, you're well on your way to bankruptcy. This is not a good faith effort because it demonstrates a lack of knowledge of GDPR regulations.
If you are found to be non-compliant, there are two levels of fines:
- Up to the greater of 4% of global annual turnover or €20 million for the most serious failures, such as insufficient customer consent.
- Up to the greater of 2% of global annual turnover or €10 million for the other failures, such as not having a Data Protection Officer (if required), failure to report breaches, or not conducting an impact assessment.
In other words, you face bankruptcy if you get this wrong. This is serious enough that many US-based Web sites are no longer available here in Europe. Complying with GDPR can be costly if your IT staff are inexperienced. Not to put too fine a point on it: the strong worldwide demand for software developers has led many companies to hire inexperienced developers. Even expert developers often build poor systems when faced with significant budget or time constraints. Companies rush to build software to solve problems now with little thought to the long-term consequences of poorly-built software. GDPR isn't going to improve this situation, but it's going to severely punish companies who get this wrong.
In order to achieve GDPR compliance, you need to, at minimum, do the following, keeping in mind that there are major caveats to each of these:
- Request consent from your customers to track their data.
- Appoint a Data Protection Officer, if required.
- Create a Data Protection Impact Assessment (DPIA).
- Maintain records of all personal data processing activities.
- Notify EU authorities of data breaches within 72 hours.
- Understand the "right to be forgotten."
- Provide customers with information on how you use their data.
How these issues apply will vary from company to company. However, keep in mind that you generally do not have the right to deny services to customers who refuse consent to having their data tracked. There are exceptions to consent, such as the processing of personal data for reasons of public interest, for example in the health sector. And yes, this also applies to your EU-resident employees, not just customers.
In short: if you handle personal information on a large scale or regularly monitor data subjects, you need a Data Protection Officer (DPO). Keep in mind that Recital 30 of the GDPR clarifies that IP addresses are personal information. Examples of companies requiring a DPO include:
- Any government body (except courts) or public authority
- E-commerce companies tracking customer purchases
- Hospitals and clinics
- Advertising firms targeting personal data
- Telephone or internet providers
- Virtually any company offering financial or insurance services
- Geo-location services used for statistical purposes
- Recruiters who store candidate information
- Security firms monitoring public spaces
Small-scale tracking of personal data, such as by individual doctors or lawyers, generally does not require a DPO.
Of course, the above list is not exhaustive. If you're not sure, consult a lawyer.
If you require a DPO, the following conditions apply:
- They must not have a conflict of interest (controllers, IT directors, CEOs, etc.)
- They must have sufficient budget and personnel to perform their task
- They report directly to top management and must not have a supervisor
- They may be an outside consultant or firm, but they must not have a short or fixed-term contract
- Their term must be between two and five years, but may be extended up to ten years
- They must be knowledgeable in both GDPR-compliance and your internal systems (it's understood that the latter will take time)
- To protect against retaliatory dismissal, they can only be dismissed with the consent of the European Data Protection Supervisor (EDPS)
- They must have full power to investigate and correct GDPR compliance within the organization
- They must notify the EDPS of any data processing activity that is likely to present significant risk "to the rights and freedoms of data subjects".
The above list, of course, is not exhaustive.
Now, and only now, do we begin to touch on the IT considerations. The above was merely to give you a sense of the scale of the GDPR directives. This section is intentionally left short because it should not be viewed as a checklist to becoming GDPR-compliant. If in doubt, consult a lawyer.
The legal implications must be addressed first. Once you have a DPO (if needed), and have drafted a comprehensive plan to protect your customers' data, you can start work on how to implement this. Implementing GDPR requirements without fully understanding them risks wasting money and time developing systems that are not fit for purpose. Once you have a strong understanding, however, you can begin to address the following:
- Ask for consent in a clear, intelligible manner that gives consumers full control over how their data is managed
- Develop reporting to track usage of all personal data
- Respond to consumer requests for your usage of their personal information
- Respond to consumer requests for the "right to be forgotten"
- Ensure that disaster recovery and data backups do not restore "forgotten" information
- Restrict internal access to sensitive data
- Hire a reputable, external company to do a security audit and have developers fix discovered issues
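One way to keep a backup restore from resurrecting "forgotten" records, as an added illustration that is not code from the article or from All Around The World: an erasure register stored outside the backup set, holding only a keyed hash of each forgotten subject id, which the restore routine consults so that forgotten records are dropped and the suppression count can be written to the processing log. The `ErasureRegister` class, `restore` function and sample records are all assumptions made for this demo.

```python
"""Erasure register that stops a backup restore from bringing back forgotten data.

Assumed design (not from the article): the register lives outside the backup
set, so a restore cannot overwrite it, and it stores a keyed hash of each
erased subject id rather than the id itself.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class ErasureRegister:
    key: bytes  # secret for the keyed hash; kept out of the backup set
    _tombstones: dict = field(default_factory=dict)  # pseudonym -> request time

    def _pseudonym(self, subject_id: str) -> str:
        return hmac.new(self.key, subject_id.encode(), hashlib.sha256).hexdigest()

    def forget(self, subject_id: str, requested_at: int) -> None:
        """Record a right-to-be-forgotten request for a subject."""
        self._tombstones[self._pseudonym(subject_id)] = requested_at

    def is_forgotten(self, subject_id: str) -> bool:
        return self._pseudonym(subject_id) in self._tombstones


def restore(backup: list[dict], register: ErasureRegister) -> tuple[list[dict], int]:
    """Replay a backup, dropping every record whose subject has been forgotten.

    Returns the restored records and the number suppressed; the latter belongs
    in the processing log so the suppression itself is auditable.
    """
    restored, suppressed = [], 0
    for record in backup:
        if register.is_forgotten(record["subject_id"]):
            suppressed += 1
            continue
        restored.append(dict(record))
    return restored, suppressed


# Constructed sample data: a snapshot taken before one subject asked to be forgotten.
SAMPLE_BACKUP = [
    {"subject_id": "u1001", "email": "alice@example.invalid", "ip": "203.0.113.7"},
    {"subject_id": "u1002", "email": "bob@example.invalid", "ip": "203.0.113.9"},
    {"subject_id": "u1001", "email": "alice@example.invalid", "ip": "198.51.100.4"},
]


def demo() -> tuple[list[dict], int]:
    register = ErasureRegister(key=b"constructed-demo-key")
    register.forget("u1001", requested_at=1700000000)  # arrives after the snapshot
    return restore(SAMPLE_BACKUP, register)
```

Because the register is keyed by pseudonym, it can be retained indefinitely without itself becoming a store of the personal data it is meant to suppress.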
The security assessment is critical: all the "good faith" in the world isn't going to protect you if you have an Experian-style data breach. The EU wants to show that the GDPR has real teeth and you don't want to be the example.