May 25 has passed and no one has knocked on my door asking about my GDPR compliance. In fact, I know many companies worldwide who have yet to begin working towards GDPR compliance. So if nothing has happened to them or me, why should I care now?
This is the question on the minds of many companies all over the world. Leading up to the implementation of the regulation, the General Data Protection Regulation (GDPR) loomed with the threat of hefty fines, but now that it is law, we have yet to hear about significant action being taken against non-compliant companies (as of the publication date of this article). While some of these companies are in a lower-risk scenario as they do not have European Union (EU)-based employees nor do they directly market to EU persons, anyone with personally identifiable information (PII) of EU-based individuals has some level of risk exposure.
So how do you, as an organization, understand what your risk exposure is? To understand that question, you have to start with understanding how GDPR enforcement works.
Unlike the legacy Privacy Directive, which required organizations to register their data collection and processing activities with the Data Protection Authorities (DPAs), GDPR does not require registration. Rather, according to Article 31, Data Controllers and Processors, as defined by the regulation, are required to keep self-maintained data processing records. With this change, the regulatory agency must employ different methods to track compliance, which are more reactive than proactive.
There are three main areas expected to drive enforcement of GDPR.
The first is an internal risk from your own employees, both past and present. With the level of media exposure that GDPR has been given, awareness is at an all-time high. Where historically Europeans were primarily familiar with the requirements, now numerous countries are considering its applicability to their own laws. Your employees have a vested interest in their own personal data and direct visibility into how you are handling GDPR compliance. So, while a loyal employee is not likely to police your overall compliance, they are likely to act in their own best interest. Privacy law is designed to protect them, and non-compliance could appear to them as their rights are not being respected. That can turn even the best employee against the organization. Further, in a termination situation, a begrudged former employee may be inclined to report an organization for lack of compliance as a method of retaliation.
The second is related to external exposure, which can take many different forms depending on the nature of the business. A cornerstone of GDPR is the rights it provides to the individuals of which data is collected and processed on through Articles 12 to 23. While a majority of these rights are continuances of the historical Privacy Directive, which most EU residents have been aware of for the better part of 20 years, GDPR has expanded some of these and also added new rights. Residents are aware that organizations have one month to respond to subject requests, therefore organizations need to seriously consider what could reasonably be requested of them and their capability of responding. Failure to do so is the most likely way of exposing your business to enforcement.
There is also concern, in the privacy professional space, for malicious parties who will deliberately look to report businesses for non-compliance. This could be for self-gain or for a competitive business to gain the upper hand. If a covered person receives marketing material that they know is not based on the lawful attributes of consent, they could report the offending organization to a Data Protection Authority (DPA) and request monetary damages. Similarly, if a competing business was able to determine non-compliance, they could report it in an effort to negatively affect the originating organization's performance and reputation.
Fines are a serious concern for organizations, and the DPA has said the harshest action will be taken against companies who cannot provide the ability to those from whom they have collected data to exercise their rights to privacy. It should also be noted that an individual doesn't have to provide notice they are reporting you, and under European law, they also are not required to oblige by an arbitration clause. Examples of this have happened under previous regulations, and while the law has recently gone into effect, we can be certain that this scenario will be the most costly to non-compliant organizations.
The third primary risk of exposure to GDPR non-compliance comes if your organization suffers a data breach. Articles 33 and 34 outline the obligation of an organization to communicate a breach to the applicable DPA, and potentially the covered subjects themselves, when a breach of GDPR-covered data occurs. Per the definition in Article 4, a breach is not just defined as stolen data, but is further defined as an "accidental or unlawful destruction, loss, alteration, unauthorized disclosure of" it. One of the first challenges in meeting this requirement is being able to identify, triage, and communicate a breach within an organization, let alone communicating it to the applicable DPA, during the 72-hour window allotted. This is further complicated if you outsource to a Data Processor who is breached, and who then needs to communicate it to the Data Controller. While the DPA has said that good-faith efforts made to meet this obligation will be considered when non-compliance fines are being determined, an investigation into why the 72-hour reporting window couldn't be met will likely occur. This could expose a company to broader non-compliance risk.
If an organization considers not reporting a breach to avoid a deeper investigation, they need to be aware that third parties frequently monitor for the results of a data breach, and these could come to light through other means. Investigations are frequently launched when multiple identity thefts point back to a vendor or service in common. Intentional negligence in not reporting a breach will result in higher fines and reputational harm for a company.
While these are the three major risks of being exposed for non-compliance, there are a plethora of other risks not covered in this article. GDPR compliance is still very important and should be taken seriously.
What Should You Do Now?
And don't forget that help is available. CBIZ assists companies in meeting their compliance obligations, including offering partnerships with law firms who also play an important role in compliance.
If you have specific comments, questions, or concerns about GDPR, or would like to learn more about our GDPR compliance services at CBIZ, please don't hesitate to contact a member of our IT Risk & Security management team.
Published on June 25, 2018