GDPR (the EU’s General Data Protection Regulation, if you live under a rock) is in effect. Word is that very few businesses are compliant. According to Jan Philipp Albrecht, who oversaw the passage of the GDPR through the European parliament, the first cases under the new regulation will likely be bigger cases. He also said that he did not believe that small or medium size businesses would be sanctioned first. Nevertheless, Andrea Jelinek, who is in charge of the GDPR policy, said on May 24, “If there are reasons to warn, we will warn, if there are reasons to reprimand, we will do that, and if we have reasons to fine, we are going to fine.”
Albrecht’s statements do not mean that a business, even a small one, that suffers a data breach or receives complaints from users or others will escape the attention of the regulators. Complaints were filed almost immediately after the effective date. The first complaint was filed early on the day the regulation took effect, alleging that Facebook was breaching the new law by making use of the services it offered conditional on users’ consent to the processing of their personal data. This complaint and others, including complaints against Google, were filed in several jurisdictions by the privacy group “None of Your Business” (noyb.eu).
No one really knows how compliance with, and enforcement under, the GDPR will work, how large fines will be, or in what circumstances fines will be imposed. One helpful comment from Albrecht, at least for some businesses, is his assessment that if smaller companies are trying in good faith to comply, sanctions would be disproportionate, and assistance and monitoring toward ultimate compliance would be more likely than sanctions.
GDPR compliance is more a process than a static state, and that may be the point. The focus of the GDPR seems to be to engender more thoughtful and deliberate behavior. So what should you do?
- Assess your situation – What information are you collecting? What information do you need to collect? Where is it stored and for how long? Can you minimize data collected and collect only what you need?
- Create a plan – What compliance requirements apply to you? Are your disclosures relating to data collected accurate and up to date? Do you transfer information to others for processing, and are your agreements with such data processors sufficient?
- Review compliance with data subject rights in mind – Do you inform data subjects of their rights and of your use of their data? Is your privacy policy up to date? Do your procedures allow individuals to exercise their rights to access, correct and delete (the “right to be forgotten”) their data? Do you have a process in place to comply with notification requirements in the event of a breach (all 50 states have data breach notification requirements, as does the GDPR, which requires notification within 72 hours)?
Many of these rights or obligations are already required under state laws, such as those of California. California is considering additional requirements in the California Consumer Privacy Act of 2018, which would include financial penalties. Canada also has significant requirements and has recently adopted new guidance documents on inappropriate data practices (effective this July) and on meaningful consent to data use (effective 1/1/19).
General wisdom is that working in good faith to comply with the GDPR will go a long way toward preventing significant enforcement fines, but to show good faith you must at least start the process and try.
Published in InsiderLouisville, June 2, 2018.