On May 28, 2018, new data protections laws and regulations go into effect for the European Union (“EU”). See recent news report here. The new regulations are called the General Data Protection Regulation (“GDPR”). See the full GDPR here.
The EU is getting serious about punishing companies that suffer data breaches. For the most serious breaches — like those recently allowed by Equifax — companies can be fined up to €20 million ($23 million) or 4% of global revenues for the preceding financial year, whichever is greater. For less severe breaches, authorities could impose fines of up to €10m or 2% of global revenues, whichever is greater. The new regulations are an expansion over the old framework which went into effect in 1990. The GDPR is, however, not just about security and preventing data breaches. The GDPR is also about regulating how data is processed, used, and stored.
The GDPR has some interesting lessons for US businesses struggling to deal with data hacks and cyber-security breaches. Among the more innovative concepts is the requirement that data protection officers be appointed.
Data Protection Officer
The GDPR carries forward from the old law a regulatory distinction between data “controllers” and data “processors.” In general, the “controller” is the entity that gathers, holds, and stores the data. On the controller are imposed all the obligations of obtaining consent and sending notification in the event of loss or theft of the personal data and information. As an analytic dichotomy, the distinction is useful for identifying risks and considering security needs and safeguards.
Under Article 37 of the new GDPR, both controllers and processors are required to appoint a data protection officer if there is any sort of large scale collection and processing of data. A data protection officer is required for all types of data collection and processing including for:
- Use in sales of goods and services
- Use by governmental officials for the purposes related to employment, social security, and social protection laws
- Use for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services
- Use for “legitimate activities” by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union
- Use in legal proceedings
- Use when “processing is necessary for reasons of substantial public interest”(h)
- Use when “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”
Article 37 also requires that the data protection officer be designated on the “basis of professional qualities and, in particular, expert knowledge of data protection law and practices.” Contact information for the data protection officer must be provided to the appropriate governmental authority (which in the EU might be a EU official or an official of the member State).
Article 39 mandates the following non-exhaustive list of duties for the data protection officer:
- Inform and advise what is required by the GDPR to management and the employees actually doing the data collection and processing
- Monitor compliance with the GDPR, with other EU and Member State data protection laws and with the company policies with respect to the protection of personal data
- Monitor and consult with respect to creation of company policies concerning the protection of personal data including the assignment of various responsibilities
- Monitor awareness-raising and training of staff
- Monitor compliance audits
- Provide advice where requested, and where needed, with respect to any “data protection impact reports” and monitor performance pursuant to any report guidelines — under some circumstances, the GDPR requires a “data protection impact report” (similar in concept to an environmental impact report)
- Cooperate with the governmental officials tasked with enforcing data protection laws
- Act as the contact point for the governmental authorities on issues relating to processing, breaches, and any other issue
The GDPR also requires that companies and governmental entities that appoint a data protection officer must ensure that officer is involved in all issues which relate to the protection of personal data. Involvement must be timely and must involve access to the relevant data and processing operations and to the relevant employees. The data protection officer must also be supported with sufficient resources to do his or her job and to maintain his or her expert knowledge.
The data protection officer must also be given a free hand and is protected by the GDPR from retaliation.
The GDPR also states: “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.”
Lessons for US Businesses
It is unlikely that US businesses will be legally mandated to hire data protection officers anytime soon. However, it is worth seriously considering designating a person to handle and to be an expert on issues related to data security. A single guiding vision can be invaluable because data security covers a very large landscape.
Data security begins when data is collected at the first interface with the customer. What a company is allowed to do with data often depends on whether the customer consented to give the data and ALSO consented to the use, storage, transmission and manipulation of the data. A data protection officer can help establish effective company protocols for tracking consent.
In May 2018, the GDPR will move to a very strict regime of explicit consent. Browsewrap and clickwrap are no longer going to be legally sufficient in the EU. If you use clickwrap or browsewrap agreements, those need to be reviewed and updated. Moreover, the GDPR will in soon mandate that entities provide an easy method of withdrawing consent. Thus, new policies are going to be needed to track, record, and organize the consents and withdrawals of consent via e-signatures, screenshots, email confirmations, etc. A data protection officer can be essential in establishing such policies.
A data protection officer is also in the best position to see the differing security needs of differing aspects of your company’s computer and data processing systems. This is why the distinction between “controller” and “processor” is useful: Each has its own unique type and level of security. Of course, protecting data processing and storage is related to but very different than protecting the integrity of email systems, money processing, file storage, security trade secret procedures, etc.
Finally, having a data protection officer is potentially invaluable from a public relations and a governmental relations perspective. Long before a breach occurs, the company has established the person, and that person has built up experience and expertise, to step in front of the microphone and take questions from reporters. The company has a person to meet with federal and local law enforcement, as well.
We have written previously on the high cost of data breaches, not only from fines for non-compliance, but through the loss of customer confidence in your business after a data breach. US businesses are unlikely to be legally mandated to hire data protection officers anytime soon. However, it is worth seriously considering designating a person to handle and to be an expert on issues related to data security in your business.
Contact Revision Legal Today
The data breach lawyers at Revision Legal understand the dynamic nature of cybersecurity. Revision Legal has worked with businesses of all sizes to assess data retention risks, implement reforms, put procedures in place to identify antiquated programming and equipment and, when necessary, provide counsel on breach notifications in all 50 states.
If your business has suffered a breach, contact us as soon as possible. Some frank discussions may be needed and those should be cloaked in the attorney-client privilege. Civil fines can be imposed in some states for a failure to notify those affected by breaches in a timely fashion. Federal investigations can be instituted by the Federal Trade Commission. If a breach has occurred, you need the an experienced and dedicated legal team. Call or write Revision Legal today. We can be reached by email or by calling us at 855-473-8474.
You Might Also Like: