Headlines have been popping up lately around Europe’s latest proposed rules to address data privacy. While the media’s focus seems to be mostly on how it’s bad news for big tech companies such as Google and Facebook—which will likely have even more complicated data privacy waters to navigate in Europe—the General Data Protection Regulation (GDPR) is likely to have a much broader impact than the news coverage suggests.
GDPR in a Nutshell
The GDPR, if it becomes law, would impact any company that gathers, processes or stores data from individuals in the European Union—that is, virtually every company that does business in the EU. It is meant to modernize data protection laws across the 28 EU countries and standardize the protection of personal data—particularly to address the ambiguities that have arisen out of the growth of social media companies and cloud computing services in the decade or two since the original EU Data Protection Directive was issued in 1995.
To help achieve this goal, the regulation in part creates the concept of a “one-stop shop,” allowing Europeans to complain to the data privacy regulator in their own country if they are unhappy with the way a company is handling or using their data. Previously, to file a complaint, individuals had to contact the authorities in the country where the organization has its European headquarters. The result is that a complaint can now go to a regulator that takes a harder line than the regulator in another country, giving each national regulator a larger role in overseeing the data concerns of EU citizens.
The regulation is also likely to implicate the “right to be forgotten” that already exists under EU law, which is often troublesome for tech companies based in the US. It also remains to be seen whether, and how, the EU/US Safe Harbor will be affected by the GDPR.
The Complexities of Compliance
Even if a company outsources its IT to a third party, under the GDPR compliance remains solely the responsibility of the company itself. As an example, according to the regulation, “The data controller has to notify the DPA without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).”
With such stringent obligations on the horizon, companies should take steps now to prepare for the passage of the regulation, which is currently expected by the end of 2015.
As a result, now is the time to get your privacy house in order. Look at how data from the EU may make its way into your business. The most thorough way to do this is to undertake a privacy audit and construct a data map—see what data you have and how you are using it. You can then develop internal privacy policies covering how the business collects and uses data and the security measures used to protect that data.
Once the GDPR passes, there will be some period of time before it comes into effect. However, having privacy policies and a written information security program in place in advance will give you the tools to implement GDPR compliance more efficiently and perhaps lessen the pain of doing so.