There has been a fair amount of chatter about the General Data Protection Regulation (“GDPR”), which took effect last May and allows fines up to $22.6 million or more, depending on the company’s revenue. Companies are struggling with understanding whether the GDPR applies to them, and if it does, how to comply. And while the potential fines may be quite large, companies should consider GDPR compliance within the same risk matrix as other activities.
First, organizations should determine whether the GDPR applies to them, and document their analysis. For most organizations, this analysis is not difficult. Article 3 outlines the territorial scope of the GDPR for organizations within the EU and for those operating outside of the EU. The European Data Protection Board (“EDPB”) recently issued draft guidelines on the territorial scope of the GDPR, which are helpful to companies as they conduct their analysis.
Once an organization determines that it is subject to the GDPR, it needs to understand and analyze its compliance requirements. Organizations must recognize that compliance with the GDPR in 24 hours is not possible. Nor is “check-the-box” compliance going to work. The GDPR is intended to get companies to understand, and be transparent about, how they collect, use, maintain, and share personal information. The change in mindset was recently demonstrated viscerally in Dublin at an international trade event, at which the CEO of an international airline based outside of the EU referenced a desire over the next year or two to start trying to monetize the vast customer database the airline had built up over the years; the gasp in the room was audible and was proof positive that, even after a short time, the GDPR has begun to have the intended effect.
Keeping these tenets in mind as you move through the compliance process will assist with identifying key areas of risk. But it is also important to put this into perspective. Organizations whose primary business functions do not involve the collection, use, maintenance, and sharing of personal information will have fewer compliance obligations than companies that interface primarily with consumers. Companies also need to keep up to date on security threats, and on the evolving technology that helps them protect their systems and their data.
The GDPR provides instructions on when companies are required to report a data breach. Not every data breach causes a risk to the rights and freedoms of an individual. The subjectivity of the factors triggering a reporting obligation results in most prudent advisors suggesting that “if in doubt, report” is the safest route to take. In Ireland, the Office of the Data Protection Commissioner, primarily responsible for enforcement of the GDPR with companies such as Facebook, LinkedIn and Google, had over 3,200 data breaches reported to it from the introduction of the GDPR on May 25, 2018 to the end of that year. Across the EEA, almost 60,000 breaches were reported from May 2018 to February 2019. It is telling that, arising from those, fewer than 100 fines have been issued by regulators.
A bit like the boy who cried wolf, in some respects over-notification to individuals causes more harm than good. People start to get “data breach fatigue” and ignore communications about yet another incident, causing them to miss notice of an incident that truly causes a risk. While reporting data breaches involving personal information is relatively new to the EU, other countries, such as the US, have had reporting regimes in place for over 15 years. Information, reports, and studies are publicly available that provide guidance on the risk of harm related to the disclosure of certain kinds of information.
As recent activity by the supervisory authorities has shown, a company’s efforts to comply with the GDPR and its cooperation with the supervisory authority will be taken into consideration during any investigation. Compliance – true compliance – does not happen overnight.