GDPR: What Businesses (and Consumers) Need to Know:

The European Union’s sweeping new privacy regulation, the General Data Protection Regulation (GDPR), went into effect on May 25, 2018.

Considered by many to be the most important development in data privacy in decades, GDPR heightens and standardizes data protection requirements across all EU member states. It applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to, or monitors the behavior of, individuals in the EU, whenever it uses or shares the personal data of those individuals. This new law has been several years in the making and provides far stricter rules on protecting personal information (PI and PII) than its American counterparts such as HIPAA, GLBA, SOX and other U.S. laws, which typically regulate industry-specific data such as patient information or financial records rather than applying one very broad law to all residents.

While this new law doesn’t technically regulate activities with U.S. consumers, everyone in the U.S. is expected to benefit from the sweeping new obligations imposed on global providers such as Facebook, Google, Twitter and many other well-known and lesser-known businesses that use, access or share the personal data of anyone in one of the EU’s 28 member states. That covers a whole lot of businesses and business activities here and abroad. Comprehensive data protection bills of this kind have been circulating around D.C. for years without adoption, and a number of U.S. states have taken the initiative to enact tougher privacy, security and data breach notification laws than their federal counterparts. This new EU law is expected to provide better data protection and transparency across the globe.

As a result of this new law, decision-makers, C-suites and boards of directors across America and the globe have been evaluating and putting into place the required new privacy policies for better security, transparency and accountability, including provisions allowing consumers to choose how their personal information is or is not used or shared. We have all seen our inboxes filling up lately with notices from the big providers like Google, Facebook, Twitter and others with a global presence updating their privacy policies. This isn’t a response to the Facebook Cambridge Analytica debacle, or an attempt to save face or generate goodwill. For them it’s required by GDPR, although the recent Facebook situation certainly highlighted the need for change.

Any business with a strict, robust HIPAA compliance program protecting regulated patient data (or a similar compliance program) already in place will be steps ahead of its counterparts in meeting the sweeping new compliance requirements for any EU activities. In the area of data security and compliance it’s always a pay-now or pay-later situation.

Businesses that haven’t yet fully complied with data protection requirements risk significant consequences. Those of us who work in this field know and often say “It’s not a question of IF, it’s a question of WHEN” a data security incident or compromise will occur, even for those who have fully complied with data protection laws. It is critically important for businesses to meet all the requirements and not skip steps or delay completing them, as non-compliance or partial compliance is what gets most into trouble. There are just too many bad things out there on the Internet, with new variants popping up every day, for anyone to think they can’t be compromised. And the consequences of non-compliance with this new EU law are significant, far more significant than under its U.S. counterparts: regulators may impose fines of up to 4% of worldwide annual turnover or 20 million euros, whichever is greater. By comparison, the now more reasonable-seeming penalties for non-compliance under HIPAA, which depend upon culpability, are capped at $1.5 million per year for violations of an identical provision.

A few other important distinguishing features of this new law include the obligation for many organizations (public authorities, and businesses whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data) to appoint a Data Protection Officer with expert knowledge of data protection law. HIPAA and other similar U.S. regulations have similar concepts, requiring the appointment of compliance officers to ensure compliance and security. The new EU law also specifically allows affected individuals to make claims directly against providers, which is not the case under many U.S. federal regulations. An extremely important difference is the far stricter breach notification standard: a business must notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk, as opposed to the general concept under many U.S. laws requiring breach notification within a “reasonable time,” often interpreted to mean 30 to 60 days depending upon the situation and jurisdiction, and varying widely from state to state.

Data protection is one of the single most urgent challenges facing businesses here and across the globe. According to a recent report by Reuters, many U.S. businesses are still struggling to understand the implications of their data privacy and protection obligations. This isn’t necessary and it’s not difficult; it just requires the time and commitment to understand the rules and put the right resources in place. Those who don’t protect customer data sufficiently will not only jeopardize their reputations; these high levels of fines are designed to send a strong message, and some businesses will not survive. Those who don’t get up to speed with implementing the requirements of GDPR, or who fail to fully comply with other data protection laws here in the U.S., will learn pretty quickly the true costs and consequences of putting it off for another day.

The most effective strategy for protecting personal information and combating cyberattack is understanding the rules that apply to your organization, and then implementing and enforcing the required policies and procedures. The bad guys are just one untrained, gullible user away from a full-on, all-out intrusion. These laws aren’t really as much about technology as about how the technology is used, and they require adequate additional protections to be in place, physical, administrative and organization-wide, in addition to sufficient technical safeguards.

Many U.S. data protection regulations, such as HIPAA, have other important requirements like security awareness training for all workforce members, as failing to train employees and test their understanding of vulnerabilities and threats is frequently cited as the single biggest factor in successful data intrusions. Hospitals, banks and other highly regulated businesses are among hackers’ favorite targets for their treasure troves of valuable PII and PHI, so any business entity using, storing or transmitting this type of highly protected information needs to take all the required actions, and take them seriously, as penalties for skipping steps are costly and often lead to problems. Costly, completely avoidable problems.

For American businesses, this is an excellent opportunity to evaluate what’s needed to protect yourself and your customers and stay a step or two ahead of the bad guys. Consumers around the globe are expected to benefit from GDPR, and many more comprehensive data protection laws should be forthcoming here and abroad. All businesses, large and small, have the obligation to protect personal data and must take adequate steps. There’s too much at stake. One wrong click is all it takes.

______________________________________________________________________

Disclaimer. While Attorney Tegan Blackburn frequently acts as counsel and compliance officer to a number of highly regulated entities, this article is intended to provide a broad overview of the topic only, is not legal advice and is not a replacement for advice from qualified legal counsel.

______________________________________________________________________

All Rights Reserved.  Tegan Blackburn LLC ©