The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, at the end of its two-year transition period. It changes the way personal data of EU residents is retained, maintained, disposed of, and processed. The requirements expose a cultural difference: many EU businesses already comply with them, while U.S.-based companies may not be properly positioned to address them.
This analysis does not prescribe solutions, because implementations differ with each entity and the nature of its business. U.S.-based companies should, however, consult with advisors on how to comply with the GDPR and how to avoid the unforgiving territory of EU enforcement of individual privacy.
Detailed risk analysis for U.S.-based companies
The GDPR was adopted in April 2016 and is effective as of May 25, 2018, after a two-year transition period; it is enforceable throughout the EU from that date. The regulation applies to any company (the "Organization") that controls or processes the personal data of individuals in the EU, whether or not the company itself is established there. Broadly speaking, any "personal data", i.e. information relating to an identified or identifiable natural person, is protected.
Effect on U.S.-based organizations subject to the GDPR:
Below is a brief introduction to the requirements of the GDPR and a summary of the risks to U.S.-based entities that operate or own EU-based entities.
Responsibility and accountability – expanded provisions now allow a person to challenge the handling of their personal data, including decisions made on a purely "algorithmic" basis, such as credit scoring, background checks, or automated filtering of job applications.
Privacy by Design – covered Organizations must demonstrate that privacy is designed into their systems from the ground up, not added on afterwards.
- Risk: the regulation does not clearly define how an Organization is to demonstrate such a design choice.
A Data Protection Impact Assessment (DPIA) must be conducted. The good news is that many U.S. regulations (e.g. HIPAA) already require a comparable risk analysis, but not all U.S.-based organizations have such a procedure. The requirement applies to processing of personal data on a "large scale".
- Risk 1: "large scale" is not defined and is subjective. Organizations that do not consider themselves large scale may be challenged by the supervisory authorities. The two-year transition period may clarify this term.
- Risk 2: Absent such an assessment, U.S.-based companies may be in violation of the GDPR.
A Data Protection Officer (DPO) must be appointed where the GDPR requires one (notably for large-scale processing). Although this may appear to be a formality, the GDPR requires that the DPO report directly to the highest level of management (the Board), have "adequate" staff and resources, and be proficient in data protection practice and the underlying information technology.
- Risk: U.S. companies that appoint a DPO may do so haphazardly, without complying with the spirit of the regulation.
Data breaches must be reported to the supervisory authority "without undue delay" and, where feasible, within 72 hours of the Organization becoming aware of them; there is no de minimis exemption based on the size of the breach.
Sanctions (fines) are prescriptive.
- Risk 1: Sanctions are fines, which makes them not tax-deductible.
- Risk 2: Sanctions are prescriptive, so there is little or no room for adjustment based on facts and circumstances.
Right to erasure, a/k/a the "right to be forgotten" – under the GDPR, personal data must be erased at the individual's request.
- Risk 1: U.S. entities, which tend to retain data, may not have procedures in place to effectively remove personal information. Example: backup media.
- Risk 2: Erasure of information may conflict with existing U.S. regulation. Example: payroll records must be retained under IRS rules.
Data Portability – personal data must be provided in a structured, commonly used, machine-readable format so that a person can request that their data be moved from one custodian to another.
For more information regarding the General Data Protection Regulation (GDPR), contact Yigal Rechtman, Forensic Principal of Grassi & Co., at email@example.com.