On the two-year anniversary of the EU’s GDPR I thought it would be timely to post an excerpt from the 2nd edition of my Cybersecurity Law, Standards and Regulations book published earlier this year.
The European Union (EU) General Data Protection Regulation (GDPR) was approved by the EU parliament on April 14, 2016 and became effective May 25, 2018. The GDPR replaces the EU Data Protection Directive and is designed to:
• Standardize disparate data privacy laws throughout Europe.
• Protect EU citizen privacy.
• Harmonize EU data protection and privacy safeguards.
• Encourage compliance through meaningful fines and sanctions.
• Put EU citizens back in charge of their personal data.
GDPR applies to organizations located within the EU as well as organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Figure 3-1 provides a model of how GDPR is designed.
Figure 3-1. EU GDPR Model.
The GDPR differs from the EU Data Protection Directive in the following ways:
• Directive vs. Regulation – GDPR carries more clout and removes the discretionary language that comes with a directive. The GDPR applies to all member states of the EU and removes data protection inconsistencies of member states.
• Jurisdiction Expansion – The coverage of GDPR is expanded past European boundaries and extends compliance to any organization that houses or processes EU citizen information regardless of location.
• Citizen Consent and Rights – Organizations can no longer use ambiguous terminology or confusing legalese to define or secure consent. Organizations must clearly define the terms of consent and how data will be used in plain language. Citizens also have the right to access their own data (right of access), to receive it (data portability), and to have it erased on demand (right to be forgotten).
• Privacy Safeguards – Privacy is now a legal requirement: privacy protection must be designed into systems and processes to meet the requirements of GDPR.
• Enforcement – The GDPR is similarly enforced through courts, with penal and administrative sanctions in addition to civil remedies. What has changed is the amount of the fines a court can levy for a violation. Fines can go as high as EUR 20 million or four percent of an organization’s turnover or annual sales.
• Breach Notifications – Under GDPR it is no longer necessary to submit breach notifications to each local privacy authority. A Data Protection Officer (DPO), a mandatory appointment, makes the notification to a single relevant authority.
2019 is the year when GDPR enforcement ramped up. I believe that for every data breach experienced here in the US, a parallel GDPR enforcement action will be launched in cases where EU citizens are impacted. Table 3-9 provides a summary of some of the initial fines levied under GDPR.
Table 3-9. Largest GDPR Fines
The companies fined above are just the beginning. In July 2019 the U.K. data protection authority, the Information Commissioner’s Office, announced that it intends to fine British Airways $228 million and Marriott International $124 million for violating the GDPR (Davies, 2019).
TIP: Create a GDPR impact statement based on four percent of your organization’s annual turnover, and convert EUR 20 million into your reporting currency, to determine your total fine exposure.
GDPR compliance still requires work worldwide. A report by Thomson Reuters released approximately one year to the day after GDPR took effect states that:
• More companies are failing to meet global data privacy regulations.
• Many companies have found GDPR compliance more difficult than expected.
• Half of companies are at risk of falling further behind.
• An increasing number of companies have now been subject to enforcement actions.
• Companies are becoming less open and pro-active with consumers.
• Board and C-suite concern and engagement on data privacy issues is falling.
• GDPR is now consuming a greater proportion of data privacy budgets (Thomson Reuters, 2019).
Keep regular tabs on this site for the most current information on GDPR.