Just Another Day: May 25 Arrives and GDPR Goes Live—What to Do About It

By Stephen A. Riga, Attorney, Ogletree Deakins

On May 25, 2018, enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) began, and its threat is now real: those organizations found to be non-compliant face fines of up to 20 million euros or 4 percent of the company’s worldwide revenue, whichever is greater. Recent press has made much of this number, but while the risk of penalties is real, the reality of the GDPR is more complex.

What is the GDPR?

The GDPR is a “regulation,” applying directly to all 28 member states. In contrast, the 1995 Data Protection Directive (Directive) (Directive 95/46/EC), which the GDPR replaces, gave direction to member states but left them to implement its provisions through their own legislation. GDPR requirements build on those established by the Directive, expanding rules concerning notice, establishing data breach notification requirements, developing new and more specific consent rules, and fleshing out previously established individual rights to control their personal data.

The GDPR has considerable reach. It not only applies to companies based in the EU or with EU operations, it also governs those activities in which U.S. and other non-EU companies engage that target EU residents or that monitor the activities of EU residents. Given modern technology, it is quite easy for U.S. companies to become subject to the GDPR, and some may have little awareness of the rules.

For companies with a history of operating within the EU, the GDPR will often feel quite familiar, as they have worked under rules quite similar to those in place prior to May 25, 2018. Beyond the considerable heft of the EU’s new penalties, though, the GDPR is built to establish means for Supervisory Authorities (SAs) to verify actual compliance. To achieve this, the GDPR introduces extensive documentation rules, which necessitate a comprehensive survey of the data companies hold, careful and comprehensive analysis and communication of how that data is processed and for what reason, and establishment of a culture of privacy, both by design and by default.

Compliance with GDPR for Customer Data is Challenging . . .

Fundamental to the design of the GDPR is its emphasis on transparency. For consumer data, where customer consent is generally the lynchpin of most companies’ compliance strategies, the GDPR requires that companies obtain consent based on the informed and freely given affirmative action of the individual. To be valid, the consent must be clear and expressed in plain language, and the individual must have the ability to withdraw consent at any time. For the consent to be considered informed, the company must give notice to the individual of how, and on what basis, it will use or share any information. In addition, the notice must be written in a manner that is clear and understandable. EU authorities have made clear that the stereotypical 30-page privacy policy written in complex legalese will not be sufficient, suggesting instead a layered approach, offering progressively more robust explanations to those who decide to learn more about a company’s policies.

To be able to provide such notice, companies must know what data is collected, where it is stored, how it is used, and with whom it is shared. Companies also must determine and communicate the legal basis for processing data. Companies must respect and promptly honor (generally within 30 days) an individual’s rights to access, modify, and even erase data upon request. The GDPR also requires companies to identify risks and establish safeguards to address those risks. In short, the notice must reflect a robust set of data practices built to address each of the many requirements the GDPR imposes.

To build the necessary structures requires buy-in from the top levels of management, a significant allocation of resources, and a team with sufficient knowledge of the law, technology, and business operations—and, in many cases, a data protection officer to monitor and assess GDPR compliance. Companies must document how personal data flows throughout their organizations, and this map of data will allow careful assessment of what compliance gaps exist and what risks must be addressed in order to protect the personal information the company holds. Where these flows result in activities that qualify as high risk for the privacy rights and freedoms of the individuals whose information is involved, companies must conduct a data protection impact assessment to determine whether the risks can be addressed. In circumstances in which companies cannot reduce a high risk, they must consult with their SAs before they implement the process.

. . . And Compliance with GDPR for EU Employee Data Is Worse . . .

Customer data management under the GDPR is challenging, but compliance with the GDPR for companies with EU-based operations is more difficult. EU guidance has made clear that consent is almost never a valid basis for processing employee data. The leverage an employer has, in the form of an employee’s continued employment, makes most employee consents less than voluntary.

With consent off the table, companies with EU employees must find other valid means for processing data for their employment functions. The GDPR permits both processing to fulfill an employee “contract,” i.e., to ensure the terms of employment are met, and processing to comply with EU laws, but SAs are likely to interpret each of these bases narrowly. Many employment functions will require a different basis, the legitimate interests of the employer, to process the data. To justifiably rely on this basis, the employer must weigh its interest in processing the information against the privacy interest of the employee and find that its interest outweighs that of its employee. Companies must document and communicate (via a notice to the employee) whichever bases they use for processing employee information.

The legal landscape is also considerably more varied. While the GDPR is intended to establish uniform rules for data protection, it is not intended to create uniform employment rules in the EU’s member states. The GDPR expressly provides that individual EU member states may enact laws specific to the processing of employee data when they implement the GDPR. The GDPR also does not supersede existing employment and labor laws of the member states, and many member states’ laws impact and further limit collection and use of employee information. Companies will want to analyze and follow the data protection and employment requirements of each EU member state in which they have employees.

. . . So What to Do?

With the enforcement date passed, and the GDPR fully operational, the temptation may be to look for a quiet place to hide. Wherever a company is on its journey to compliance, there remain actions it can take to address the GDPR going forward:

  • For companies that have a full GDPR compliance program in place and operational: take a bow for a job well done. The challenge will be maintaining compliance, as the GDPR expects documentation to remain current, and ensuring that all analyses and notices reflect current practice.
  • For companies in the process of implementing a GDPR program: take time now to map out your current status, identifying remaining compliance gaps. A starting point would be to create a remediation plan for those gaps identified, including a clear timeline for the steps necessary to reach compliance. Several representatives of member state SAs have emphasized that such awareness and plans will go a long way to mollify enforcement authorities should they come knocking before the company reaches full compliance. But, in order to benefit from these steps, it will be critical to monitor progress and ensure good faith efforts to meet the plan and its schedule.
  • For companies that have yet to grapple with GDPR compliance, whatever their cause for delay prior to May 25: focus on these issues now. As with companies whose efforts are incomplete, crafting an analysis and a remediation plan is crucial for reducing the risk of penalties. Should an SA receive a complaint and initiate an investigation, a company without a GDPR program in place likely will be unable to address even the most basic requests. Authorities have indicated that the risk of penalties is highest for those companies that fail to make a good faith effort to comply with the new rules.

GDPR compliance is not a one-and-done effort, but a change in process and culture, particularly for companies that are accustomed to more lax controls under U.S. laws. Getting GDPR compliance right, however, offers not just an opportunity to do business in the EU without the shadow of SAs and penalties but can also be attractive to privacy- and security-conscious customers, wherever they reside. In the longer term, the considerable costs of achieving compliance can be offset by the competitive advantage of compliance, which can improve the company’s bottom line.