From the course: Ethics and Law in Data Analytics

GDPR

In 2016, the European Parliament, which is the legislative body of the European Union, enacted a sweeping data privacy law called the General Data Protection Regulation, or GDPR. Since the 1990s, the European Union has made it clear that privacy is a fundamental right for people in Europe. In fact, unlike our US law, which as you recall, approaches privacy by regulating access and management of personal data by sector, such as health data, or financial data, or student data, the European Union has taken a very expansive approach. Prior to the GDPR, the EU had implemented a Privacy Directive in 1994. That directive covered all personal data in the EU and had clear requirements. So why did the European Parliament pass a new data protection law, you might ask. Well, the GDPR permits regulators to fine corporations for noncompliance in excess of 20 million euros, or 23 million US dollars, or 4% of global revenue, whichever is greater. That's a huge number, and a lot more than what was allowed under the previous law, the Privacy Directive. What's more, companies without a physical presence in the European Union may be subject to regulation and liability. We learned about the term extraterritorial in Mod 1. The GDPR is extraterritorial to the extent it is regulating companies and processes that occur outside of the physical territory of the European Union. The concern of the EU seems to really be with respect to personal data transfers outside of the EU. The EU does not trust that other jurisdictions, like the United States, will regulate data as protectively as it does. Past attempts to reach agreements on ways to protect data flows outside of the European Union have been invalidated by the European Union Court of Justice, because those agreements failed to adequately protect EU citizen rights.

So what do businesses need to know about the GDPR? First, it applies to more businesses than the EU Privacy Directive. That is because it applies to all data processors, those who collect data, and everyone in the chain of service distribution that handles it, regardless of where the business is actually located. So a company processing in India information about individuals from France for purposes of predicting their creditworthiness score would be subject to the reach of the new law and need to comply with its rules and regulations or face high financial penalties. Second, the definition of personal data has been expanded to include a person's name, location data, online identifiers, and genetic information. Third, there are severe penalties for noncompliance, as I've said, 4% of a company's gross worldwide revenue, or 20 million euros, whichever is greater. Factors considered in fining include whether the company acted negligently or intentionally. We learned about those theories in Mod 2. Remember, intentional behavior is purposeful, and negligence is carelessness. Finally, data controllers must notify supervisory authorities within 72 hours of discovering a data breach. That's a short window of time. In addition, the GDPR has additional technical and process requirements, which have many corporations vested right now, preparing for implementation of the law in the spring of 2018. For example, there are new specific record-keeping requirements, and records must be produced for supervisory authorities on demand. With respect to individual consent, consent given by data subjects must be clear, freely given, informed, and specific, and can be withdrawn at any time without consequences. The good news is that unlike the Privacy Directive, the GDPR is a regulation. The Privacy Directive, as a directive, had to be implemented by every member country in the EU into its national law, which meant that there were as many variations of the directive as member countries. Since the GDPR is a regulation, there will only be one version of it, and if in compliance with its rules, companies will be in compliance in all of the member states.

What steps should companies take to prepare for the GDPR's effective date? Louis Dejoie and Thomas Markey of the firm McNees Wallace & Nurick recommend that companies ask the following questions as they audit their data operations. One, what personal data does my company collect and store, and how is it used? Two, do our activities fall within the scope of the GDPR? Three, do we meet the definition of a data processor or a data controller? Four, do we have high-level employee responsibility for data security? And five, have we developed a data breach response plan? These are good questions for any company engaged in data management and processing.

For companies using analytics and artificial intelligence, there are some pronounced issues based on the nature of the big data and the sheer volume and variety. Companies can't assume that tools like anonymization of data will suffice. The EU will require that, in that case, there's a thorough assessment of any risk of re-identification. Also, privacy by design, an approach we've been talking about since Mod 2, must be considered. Under the GDPR, it is called Data Protection by Design, or by Default, and according to some authorities, it will become a legal requirement. In our next video, I will highlight summary challenges of adapting data analytics and artificial intelligence to the GDPR.