The European Union’s new General Data Protection Regulation (GDPR) is nearly upon us, and it will become law on May 25, 2018. Put simply, the aim of the GDPR is to protect all EU residents from privacy and data breaches in a data world that is vastly different from the time when legislation was originally established in 1995 (you can learn more about the background of data privacy in Europe here).
The GDPR will be immediately enforceable as law in all EU Member States simultaneously. It’s a piece of legislation that has been needed for some time now, especially with the worldwide proliferation of data breaches in recent years.
Crucially, the GDPR applies worldwide. Companies not established in the EU but who offer goods or services within the EU or collect, process or maintain personal data (anywhere) about EU residents (not just citizens) or monitor the behavior of EU data subjects are required to comply.
Any company that fails to comply with the Regulation faces a two-tier fine structure of up to 4% of annual global turnover or €20M – whichever is greater. Although maximum fines will clearly be the exception, the GDPR and its financial and reputational ‘teeth’ should not be underestimated.
There’s no question that the GDPR will have wide-ranging consequences for compliance and ethics, and for compliance and ethics officers. This is true almost regardless of the specifics of individual roles.
At a time when compliance and ethics is likely to be at the forefront of GDPR-related debate, it’s more important than ever to continue highlighting some of those potential consequences, both major and minor.
GDPR and Third-Party Compliance
Many people think of third-parties as being only vendors and suppliers, with the procurement team neatly responsible for those relationships. However, vendors and suppliers are known as “upstream” third parties, and they represent just one quadrant of a company’s third-party relationships. That means they also represent only one quadrant of its third-party risk.
The remaining quadrants include ‘downstream’ third-parties (such as agents and resellers), ‘service’ third-parties (such as accountants and law firms), and ‘other’ third-party relationships, with Joint Ventures being a typical example.
The problem is compounded by the fact that whilst procurement might act as the focal point for upstream relationships, other third-party relationships may be spread across a range of company functions and geographies. As a result, it becomes near-impossible to readily identify all the third-party relationships, and hence risks, that a company may have.
So, while your company may have undertaken extensive work to achieve GDPR compliance, just getting your own house in order simply isn’t enough. Under the GDPR your company is likely to have direct and legal obligations regarding the compliance of its third-parties. If they are involved in data processing then that obligation is, arguably, more obvious. But remember: Third-parties can be involved in a host of activities that involve the use of your data, which means that your company has responsibilities. Given that third-parties are reportedly implicated in 63% of data breaches, the associated risks are very real.
When considering a new relationship, or reviewing an existing one, it is essential not to assume that third-parties take compliance and ethics seriously and are both GDPR-aware and compliant. GDPR compliance assurance requires ongoing and regular audit-type activity, particularly around processes and controls. Moreover, whilst the GDPR is clearly a key element, the overall EU data protection regime also includes rules and structure around transferring data outside the EU, including the EU-US Privacy Shield.
GDPR and the Ethical Use of Data
Companies often hold a vast array of data, gathered over many years from a range of sources often lost in the mists of time. Often, companies don’t know what data they have, why they’ve got it, who uses it and for what reason. This adds to the risk (and therefore consequences) of a data loss or data breach, which could impact thousands, if not several millions, of people. Given this, the GDPR provides stronger legislation around the responsibilities associated with both data ownership and processing.
Companies can leverage their vast array of customer interaction data to deliver greater business development, sales, and revenues, but it’s also crucial that that data is protected and secure, which is clearly a key focus of the GDPR. When considered objectively, the GDPR essentially requires all companies to be ethical in the way they collect, manage, store and use personal data of all types.
The GDPR incorporates a host of rights that are either enhanced or new. These include:
- The right to be informed
- Rights of access
- The right to be forgotten
- The right to restrict processing
- The right to rectify data
- The right of data portability
- Other associated rights
Crucially, many companies do not have policies, procedures, or training around the ethical use of data, and this is a key compliance and ethics area that must be considered under the new regime.
GDPR and Marketing
The perceived effect of the GDPR on marketing is one of the most hotly-debated areas around the new legislation and, as a consequence, is almost certain to involve compliance and ethics input. The debate largely centers on assumptions like, “The GDPR means I won’t be able to send my newsletter out anymore,” or, “The GDPR means I’ll need to get fresh consent for everything I do!”
However, these are myths.
For example, Steve Wood, the UK’s Deputy Information Commissioner, has categorically stated that the above thinking is incorrect, as is the main myth that, “We have to get fresh consent from all our customers to comply with the GDPR!”
Put simply, for processing to be lawful under the GDPR, a lawful basis needs to be identified. There are six lawful bases available to choose from and no single basis is ‘better’ or more important than the others. Which one is most appropriate will depend on the company’s purpose and relationship with the individual.
The role of compliance and ethics in achieving (and sustaining) lawful processing in line with both the letter and spirit of the GDPR cannot be overstated.
Reporting Issues and Managing Incidents Under the GDPR
Companies such as Yahoo, eBay, Equifax, Target, Uber, JP Morgan Chase, Home Depot, and Talk Talk have all experienced data protection issues, with largely common consequences that include:
- Large numbers of accounts compromised
- Lack of notifications about the problem
- Lack of consumer awareness
- Reputational backlash
Not surprisingly, therefore, the GDPR introduces a duty on all companies to report certain types of personal data breaches to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where feasible. If the breach results in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must also be informed without undue delay.
Data breach reporting clearly makes sense under the new legislation, since it’s focused on giving consumers more control over their data and increasing the accountability of companies. It’s also not unusual: Almost all States in the US, some Canadian jurisdictions, and Australia have successfully tightened breach reporting as part of their legal frameworks.
The crucial question for compliance and ethics officers is simple: How would your company comply with these requirements, and who is responsible for discharging those responsibilities?
Again, this is a key area that must be considered under the new legislation. For example, over the coming months the UK ICO will be introducing a new phone reporting service that helps companies report breaches. This feature will be coupled with a web reporting form. These tools will provide companies with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice.
The GDPR, Whistleblower Hotlines, & Case Management
Where whistleblower hotlines are concerned, the impact of the GDPR should not be underestimated.
This applies both to the experience of whistleblowers and to the management and administration of a whistleblowing service. It’s essential that a hotline provider can both reassure and demonstrate what they have done to be GDPR compliant. This includes reassurances regarding the system and associated processes, such as call centre scripts, Terms & Conditions, Data Privacy Notices, and so on.
Clearly, the GDPR changes are aimed at protecting an individual’s personal data – a key issue when the potential ramifications of a data breach for a whistleblower are considered. Much of the GDPR centers around ‘data minimization’ in all its facets, and this includes data deletion and redaction such that data is not kept for longer than is necessary for the purposes for which it was processed.
However, issues such as retaliation — which could mean that whistleblower report data is deleted in line with the GDPR, but before a report of retaliation is made — may compromise a company’s ability to discharge their Duty of Care as an employer, and this could become a potentially complex and finely-balanced compliance and ethics issue.
Challenges and Opportunities
The GDPR represents a major, demanding and complex change in the EU data protection regime. The consequences of those changes will be significant, not only for EU companies, but also for non-EU companies with operations and activities (of all types) within the EU.
The consequences of the GDPR for compliance and ethics covered above are just a ‘snapshot’ of some examples. However, they do show that compliance and ethics officers will need to consider the wider ramifications of the GDPR for their company, based on geographies, operations, marketing, and related considerations. The GDPR will also go directly to the center of a number of compliance and ethics activities that include Whistleblower Hotlines, Case Management, HR systems, and the associated employee data.
It’s a lot to prepare for, but within these challenges there are also many opportunities for compliance and ethics officers to spearhead the movement toward more robust personal protections. You aren’t in this alone, either. Many organizations around the world are preparing for GDPR compliance right alongside you, including Convercent.