The data compliance stakes are about to get much higher with the newly proposed EU General Data Protection Regulation (GDPR). Data compliance is vital for a modern company’s survival, and most multinational companies will have to change how they do business when the proposed GDPR goes into effect (possibly in 2017). Companies based outside of the EU are not necessarily exempt — all companies that handle the data of EU citizens will be forced to comply or suffer serious financial consequences.
The current EU Protection Directive (1995) is failing to promote economic expansion and protect consumers. It does not account for globalization or the modern digital economy, and the EU government has proposed the GDPR as a consequence. The GDPR's goal is to protect EU citizens from personal data abuse and to ensure that companies protect the data they hold. It will go into effect for all 28 EU member states. Since it is a regulation and not a directive, no implementing legislation is required from national governments, and continuity between member countries is guaranteed.
Who Needs to be Concerned
Companies currently using the data of EU citizens for their business will need to pay attention to the elements of this regulation and modify their practices as necessary. Data must be collected only if it is necessary for business purposes and must be promptly deleted once it is no longer needed. Under the regulation, data can mean personal or professional data, whether private or public. It includes, but is not limited to: email addresses, financial information, posts on websites such as social media or chat boards, medical information, photos, or a computer’s IP address. A unique component of the regulation called the “Right to Be Forgotten” requires companies to erase data when a formal petition has been submitted by the individual whose data was collected.
Multinational companies with more than 250 employees are required to appoint an independent data officer to oversee data protection. The Data Protection Officer (DPO) is required to protect data and provide documentation concerning the company’s data protection. This can be an employee or a contractor, but the individual must be independent from the company hierarchy in their capacity as DPO. The DPO is hired on a two-year basis and cannot be terminated during their term. If an individual asks a company whether their data is being collected or processed, the DPO is required to provide that information to the individual.
Failure to comply with these and other aspects of the regulation can result in harsh penalties. The highest penalty is for the willful neglect of the EU Data Protection Regulation and carries a potential fine of up to 2 percent of annual global sales.
How does the GDPR affect global industries and businesses? Web marketplaces, social network sites, search engines and other Internet-based companies will be affected the most, but more traditional industries and companies will be affected as well. Companies in the US will be forced to change the way they collect data because they have EU customers.
Cynthia Larose, a member of Mintz Levin’s corporate and securities section, wrote that the “US privacy model is a mixture of laws, regulations and industry self-regulation rather than a single, comprehensive federal data protection law. Free market and freedom-of-speech principles predominate. As privacy laws are internationally trending toward the EU model, US businesses need to assess the way they do e-commerce abroad because compliance with foreign data protection rules and regulations may require them to change their business practices.”
The ripple effect is akin to California passing an emissions standard and US auto manufacturers complying in order to keep the customers of that state. Cars bought in the rest of the US would then meet the emissions standard set by the California government. Companies will need to start modeling their data compliance on the new regulation or be forced out of a large market.
Businesses should not wait for the regulation to go into effect to start working on becoming compliant. There are many ways companies can get started immediately. Here are some ways to get prepared:
- Train all of your staff on the basic elements of the new regulation, keep them informed of changes and verify they are already compliant
- Review all of your procedures for data collection and privacy, ensuring your documentation is up to date and in order
- Appoint a Data Compliance Officer now. This will get your company used to working with this person of new authority within the structure of the administration
- Create a group that oversees all of your data activities to develop procedures and assess your current data compliance. Have this group submit regular compliance reports to senior management, something that will be necessary once the regulation goes into effect
- Put a policy in place that gives your customers the “right to be forgotten.” Have your company make public that it already has this feature for your customers — this can even be a selling point for your marketing department.
Spurring Innovation with Future Effective Regulations
What are companies looking for in an ideal data regulatory system to maximize their innovation, productivity and profits? The best solution to the issue of data compliance might come in the future. Right now, the US is still the center of innovation, and modeling regulations on its system could be beneficial for business and innovation. A mixture of EU law and current US regulatory practice might be suitable for both innovation and the protection of the individual. Problems would be covered with small individual laws similar to those in the US, but instead of states passing some of the laws (as in the cases of California and Massachusetts), the laws could be passed exclusively by the federal government. This could spur innovation by combining the stability of the EU laws with piecemeal US laws that are more adaptive.
The GDPR might be a step in the right direction for data compliance, but it may have some unforeseen negative effects. It certainly brings more rights to the individual and puts more of the onus on companies to protect data. There are concerns about companies’ implementation costs. And it raises a bigger question about the future of innovation in the EU — will companies become wary of doing business and taking risks because of concerns about the restrictions?