The grace period is winding down on a massive data security regulation that is front-of-mind for many U.S. in-house counsel.
The European Union’s General Data Protection Regulation, or GDPR, is a broad slate of requirements on how entities must handle the personal data of individuals in the EU (not only EU citizens), including breach notification requirements, data protection standards and user consent. The GDPR becomes enforceable May 25, ending a two-year compliance period for data-handling organizations to get up to speed.
Even at this late stage, there’s still much that companies can accomplish toward GDPR compliance, including developing plans for how they will respond to a data breach involving the personal data of individuals in the EU.
U.S. companies that do business in Europe, or process data for companies that do, are likely subject to the GDPR and its range of regulations. The cost of noncompliance can be staggering. “Upper-level” GDPR infringements carry a maximum penalty of EUR 20 million ($23.6 million) or 4 percent of the company’s global revenue from the previous year, whichever is higher.
Deborah Shinbein Howitt, a director at Lewis Bess Williams & Weese in Denver who focuses on data privacy and security, said that some smaller companies are just now learning that the GDPR applies to them — either as “controllers” who directly collect EU user data or “processors” who receive it as a third party. Other companies have been working toward compliance for much of the two-year grace period, but “now they’re realizing that they still have a lot to do.” For example, amending agreements with their vendors is taking longer than many companies expected, she said.
The mood among many legal departments is a bit tense as the deadline approaches.
“I would say folks are pretty anxious,” said Liz Harding, a data security and privacy attorney who is a partner at Holland & Hart’s Boulder office. She said companies seem to fall into two main camps when it comes to GDPR compliance: those that are doing everything they can to get ready, and others that are following what she calls “the ostrich school of life management” and waiting until fines get handed out before making any adjustments.
Even with a little over a month to go, there’s still time for companies to line up their incident response plans with the GDPR. The plan might require adjustments to what companies already have in compliance with state laws and HIPAA, if only because under the GDPR, “the definition of a breach is certainly a lot broader,” Shinbein Howitt noted.
The EU has released guidance saying that under the GDPR, personal data “can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”
Most state laws consider a data breach to be the loss or exposure of some combination of personal identifying information, such as customer names paired with their email addresses or Social Security numbers. Under the GDPR, by contrast, a security incident that compromises any one of those categories on its own is a “personal data breach,” and it must be reported to the supervisory authority unless it is unlikely to result in a risk to the affected individuals.
“The big difference is that the breach notification under GDPR really applies to any breach of personal data,” Harding said. “There doesn’t have to be a specific combination that triggers it.”
Also, a breach under the GDPR includes “loss of access” — i.e., if data subjects are unable to access their own personal data for a period of time. Distributed denial of service, or DDoS, attacks that disable a company’s website could fall under this definition, Shinbein Howitt noted.
When a controller becomes aware of a personal data breach, it must notify its lead supervisory authority, or the main regulator it deals with on GDPR matters, within 72 hours, unless the breach is unlikely to result in a risk to individuals; if the notification is late, the controller must explain the delay. That alone will force companies to have a clear procedure in place to detect, triage and analyze a potential breach within such a small window.
“I think if a company doesn’t have an incident response plan they’ve tested and walked through with [its various teams], I just don’t know how they would make that 72-hour requirement,” Shinbein Howitt said.
The second prong of the notification requirements is for the EU customers, or “data subjects.” If the breach presents “a high risk to the rights and freedoms” of data subjects, the controller must then notify those individuals “without undue delay.”
But each set of notifications — and whether the company ought to make them in the first place — requires a complex analysis of the situation.
There is good reason why a company would decide against notifying EU regulators of a breach if it didn’t truly have to. The typical U.S. company is “low-risk from a GDPR perspective,” and the regulator is unlikely to randomly come knocking on the door to see whether the company appointed a data protection officer or implemented other GDPR requirements, Harding said. But if the company rings the bell on a breach, it invites inquiry into all of the other measures that authorities might want to look at.
“If you think there’s a reasonable chance there has been a compromise of personal data, even if you don’t know the full circumstances, then you should notify unless you can justify that there’s not a risk,” Harding said. Companies that choose not to notify had better be able to back up their reasoning with documentation, she added.
The company may be relieved of the obligation to notify the individuals if the compromised data was encrypted so as to be unintelligible to anyone not authorized to access it (which assumes the decryption key was not compromised along with the data), or if the company has otherwise taken measures after the breach to ensure that the high risk to the individuals’ rights and freedoms is “no longer likely to materialise,” according to Article 34 of the GDPR. For example, the company might not be obligated to notify them if their data was on a laptop that was lost or stolen but the company quickly wiped the device remotely before the data could be accessed. This exemption covers only notice to individuals; the separate duty to notify the supervisory authority under Article 33 still applies unless the breach is unlikely to result in any risk.
Processors must also notify controllers of any breach “without undue delay,” but it is the controller that is on the hook for the specific 72-hour window to tell the supervisory authority. To ensure they will learn about a breach in time to notify the supervisory authority, some controllers are revising their agreements with processors to include a 24-hour deadline for breach notification, Shinbein Howitt said. Those agreements should also specify whom the processor will notify in the event of a breach, and that the processor will promptly investigate the breach using a reputable data forensics provider, she added.
As for the breach notification itself, the GDPR so far lacks thorough guidance on what makes a company’s communication adequate as it sends out emails and letters to individuals potentially affected. The customer communication must, in “clear and plain language,” describe the nature of the breach, explain “the likely consequences” of the breach and the measures the company is taking to address it, and provide the recipients with a point of contact, who will likely be the company’s data protection officer, if it has one.
To satisfy the GDPR in this regard, companies can follow the standards they already use in their state law-compliant notifications, and in many cases they might be able to use their U.S. letters with a few tweaks on the language, Harding said.
— Doug Chartier