In May, Europe ushered in a new normal for online privacy by enforcing the General Data Protection Regulation (GDPR). Noncompliance penalties at a rate of 4 percent of annual revenue or 20 million euros, whichever is higher, motivated companies worldwide to reevaluate their data privacy and data security programs. Your company may have achieved its strategic compliance goals by the deadline, but the GDPR is the new normal and requires a shift in the corporate mindset and associated budgets.
The GDPR pushed U.S. businesses to roll out global privacy programs. The regulation, along with Facebook’s data-sharing practices, as linked to Cambridge Analytica, inspired statutory innovation in the United States. In June, California passed its own GDPR-esque statute, which global companies must address in order to continue to do business in California. Japan and Argentina have also overhauled their domestic rules to comply with the GDPR, and other countries are likely to follow suit.
The California Consumer Privacy Act, which comes into force on Jan. 1, 2020, defines personal information broadly and grants California residents rights to request from covered entities detailed information about how their information is disclosed, shared and sold. California is the first to provide individuals a right to obtain information about how a business sells consumer data, including the categories of third parties to whom data is sold. California residents will also have rights to object to the sale of their personal information, data portability, data deletion and data access, among others.
Routinely update Article 30 documentation
Ensure your internal process permits regular updates upon a change in data flow, data retention or engagement of a new third party vendor who may have access to company data. These documents will permit your company to answer questions from consumers and regulators and to prove public representations concerning data collection practices and uses.
Data subject request management
The company may soon receive its first EU data subject request. Train personnel how to recognize a data subject request from all possible sources (e.g., via email or social media message). In order to effectuate your response within the 30-day deadline:
(1) draft language for your personnel to use when responding to a data subject's request, and include the expected timeline for carrying out the request;
(2) designate personnel to perform the required function (e.g., data rectification, data deletion, data portability);
(3) know ahead of time whether you must send a request to a third-party service provider, and identify the key contractual provisions and contact at that provider; and
(4) prepare language certifying that the company has carried out the request, keeping in mind that a regulator may scrutinize the certification.
- Third-party service providers: Your company likely entrusts consumer personal data to business partners. Consider whether your contractual agreements obligate those partners to also comply with the GDPR where they process EU personal data. If not, consult legal counsel on the appropriate data processing addendum to propose to third parties.
- Third-party service provider audits: If you obligated a third-party service provider to a data privacy and data security contract addendum, you likely included a right to audit its regulatory functions. Designate personnel within your company who will inspect, test and audit those functions. Determine how often you will request evidence of compliance or an on-site audit in order to fulfill your obligations under the Regulation and your representations to customers and/or consumers.
- Prepare for enterprise customer requests and audits: If your company provides services, or functions as a data processor, you may be subject to heightened scrutiny by your customers, particularly if you agreed to a data privacy and data security addendum. Most addenda permit customers to request documentation regarding your GDPR compliance and to conduct an on-site audit. Customers may also request a list of your sub-processors or object to certain sub-processors, therefore requiring you to maintain a varied list of suppliers and to prefer sub-processors who can attest to GDPR compliance. Customers will also seek assistance from you in the event of a security incident or data subject request related to data you have processed on the customer's behalf.
Max Schrems, the Austrian lawyer who won the landmark European court ruling in 2015 that invalidated the "safe harbor" agreement that allowed firms to transfer personal data from the EU to the United States, and his organization, noyb (European Center for Digital Rights), wasted no time in filing complaints against the most visible global tech companies.
Finally, no longer expect guidance from the Article 29 Working Party. Upon enactment of the GDPR, the European Data Protection Board (EDPB) replaced the Working Party. On May 25, during its first meeting, the EDPB adopted the final version of the Guidelines on derogations applicable to international transfers (GDPR Article 49) and endorsed guidelines previously issued by the Article 29 Working Party. Any further guidance on the GDPR will be issued by this board.
Bess Hinson is chair of the Cybersecurity & Privacy Practice at Morris, Manning & Martin.