The European Union’s sweeping data privacy law, the General Data Protection Regulation (GDPR), sent many companies scrambling to come into compliance (or at least attempt to) prior to its implementation in May 2018. The EU law covered EU citizens’ data anywhere in the world, meaning companies globally would have to comply or face fines up to 20 million euro or 2% of their annual global turnover (or revenue) per violation, whichever is the greater amount.
Among the rules the GDPR put into place for the “data controller” and “data processor” to follow were rights and freedoms granted to the data subject, or individual user. These include the user’s right to consent to data collection, the right of a user to request deletion of their data and the right of a user to access their data. Meaningfully responding to these rights meant many companies had to put in place systems and processes that previously did not exist. Moreover, unanswered questions about what, precisely, certain clauses in the law meant left some companies unsure if their efforts were in vain.
Now, more than a year after GDPR implementation, some things are clearer while other questions remain. What have businesses learned and what remains unclear? Most importantly, what can we expect from the GDPR supervisory authority bodies in 2020? And what does the rise of other data privacy laws, such as the California Consumer Privacy Act (CCPA), mean for businesses?
What does GDPR compliance look like?
The GDPR is an 88-page law that contains 11 chapters and 99 articles, all of which are intended to improve and unify data privacy practices in regard to the data of EU residents. It is not limited to the borders of the EU; any company that collects and/or processes the data of any EU citizens must comply with GDPR.
Odia Kagan, a partner at Fox Rothschild LLP and chair of the GDPR compliance and international privacy practice, said there is no real blueprint for GDPR compliance. The question businesses must start with is “basically, what do the rules actually mean for my business.” The answer can be different from company to company, Kagan said.
“We tried to get started and get the basics done to get going, because there are rules common to everybody,” she said. “GDPR is not a snapshot in time, it’s an ongoing deal. You have to keep going and keep reassessing; it’s an ongoing compliance process. Even companies that have done a fair amount of work likely still have more to do and maintain.”
GDPR codifies standards for data processing and collection, creating sweeping rules governing the use of EU data even outside the borders of the EU. Essentially, Kagan said, every company must start with the following considerations when working toward GDPR compliance:
- Expanded disclosure: Companies must offer a good description of what data they collect, for what purpose, and how it is stored and processed. This includes who else the data is shared with, how long the data is stored and how the data is protected.
- User control: Companies must grant users more control over what happens to their data. Users are entitled to a copy of their data, if requested. They can also request their data be deleted, or that amendments be made to incorrect data. Users also have the right to consent as to whether their data is shared with a third-party company for any purposes other than outsourcing processing.
- Downstream compliance: Any third-party companies and service providers must be compliant with GDPR as well; otherwise, the company collecting the data can be held liable. In other words, if you collect user data by the book but outsource processing to a noncompliant company, you could remain on the hook for violations. This includes consideration of third-party cookies and how they might collect and track general data.
“The added complexity was that EU companies already had a big head start,” Kagan said. “The Data Protection Directive had national implementing laws across the 28 EU states; this basically covered like 80% of [the regulations within] GDPR.”
Subsequent improvements to the Data Protection Directive, such as the 2002 ePrivacy Directive, mean the EU is ahead of the U.S. when it comes to data protection legislation. U.S. companies had to scramble to catch up during GDPR implementation. Many clients asked if Kagan had a checklist they could follow; her response was “yes, but …” because it is not a one-size-fits-all program. Instead, Kagan said, they started with these requirements common to all businesses.
The consequences of failing to comply with GDPR
The penalties for failing to comply with GDPR are potentially steep: fines up to 10 million euros or 2% of global annual revenue from the previous year. For many businesses, that could amount to a fatal blow. However, enforcement has generally been more lenient than this maximum penalty. For U.S. companies in particular, though, this looming threat meant GDPR compliance was a critical challenge that had to be addressed.
When it comes to ensuring compliance with any sweeping law like GDPR, it’s wise to partner with an attorney or consultant who demonstrates experience and specialization in that field. However, a great place to start is to simply read the law itself, said Donovan Buck, VP of software engineering at BrandExtract.
“If you don’t know where to start, the law is really easy to digest,” Buck said. “It’s kind of long, but it’s written in clear terms that normal people can understand. And there’s a preamble to it … [that] gets the spirit of the law across.”
“The law itself is not that scary,” he added. “Read the law; it’s not that bad.”
Clarifying GDPR regulations
Even for those who read the law, the GDPR left a lot of questions unanswered leading up to (and even after) its implementation in May 2018. Since then, the European Data Protection Board, the overarching supervisory authority governing GDPR, has issued clarifications and guidelines to help companies ensure they are indeed compliant. Additional clarification on key topics is expected from the board in the coming months. Some of the regulations in the GDPR the board has covered (or is preparing to release guidelines for) include:
- Clear and transparent disclosure: To obtain explicit consent from a data subject, companies must disclose their collection, usage and sharing of data with users. That doesn’t just mean including fine print somewhere in the terms and conditions; it must be spelled out clearly in plain language. Otherwise, obtaining the explicit consent of a data subject might not qualify as valid under the GDPR.
- Territorial scope: In November 2019, the European Data Protection Board released clarifications on which companies GDPR applies to and which it does not. The guidelines help make clear what constitutes an EU establishment or a company that targets users within the EU. They also consider the need for an international cooperation mechanism for enforcing the GDPR on companies outside the borders of the EU.
- Legal basis of processing: In April 2019, the European Data Protection Board issued guidelines for the legal basis of processing personal data under GDPR. These guidelines clarified what constituted necessary data collection, termination of contracts and the applicability of these rules.
Despite the clarification released by the European Data Protection Board, many questions remain, Kagan said. For example, more clarity is needed around the issue of cross-border transfers, which refers to how data is sent out of the EU. Joint controllership is another open question, she said: when multiple companies have rights to user data, it is unclear how to delineate those rights and responsibilities.
“A lot of unique issues are still open,” Kagan said, “and that makes compliance more difficult.”
There could be value in seeing more enforcement, she added, because it will signal to other companies what is fair game and what is foul play.
GDPR enforcement is underway
To date, GDPR enforcement has been relatively limited and few fines anywhere near the crushing 10 million euro penalty have been levied. However, there are signs that regulators are stepping up enforcement and that more (and larger) fines are soon to come. That means companies need to ensure they’re following regulators’ definitions of elements of the law like “disclosure” and “consent,” not their own interpretation.
“A lot of companies in attempts to comply with GDPR are not really following the letter of the law,” Buck said. “We often find [companies] that insist on just putting a full disclosure of what they’re doing with the data buried in terms and conditions pages that would require a lawyer to interpret. That doesn’t follow [the] letter of the law or the spirit of the law. It’s the biggest mistake I still see companies making.”
The GDPR requires that disclosure to data subjects be “concise, transparent, intelligible and easily accessible, and use clear and plain language.”
According to Enforcement Tracker, a GDPR fine tracker, the three biggest fines include a 50 million euro penalty levied against Google by the French Data Protection Authority; a 110 million euro fine levied against Marriott International by the United Kingdom’s Information Commissioner; and a 204 million euro fine levied against British Airways, also by the United Kingdom’s Information Commissioner.
The fines against Marriott International and British Airways are not yet final; they will be decided upon after the companies and the member states have an opportunity to present their cases – both incidents relate to data breaches that occurred in 2018. The Google fine, which was already imposed, related to a failure on Google’s part to obtain “specific” and “unambiguous” consent from users regarding the creation of a Google account during the setup of an Android mobile phone.
“A big part of all these regulations is how you collect consent, and how you inform the consumer in a clear, transparent and obvious way what you’re collecting,” said Chris Slovak, vice president of global sales solutions at Tealium. “In terms of what we’re seeing, I think we’re just in the beginning.”
Thus far, Slovak said, supervisory authority bodies have only levied fines against companies that have broken the rules in a “cut and dry” way. But a lot of gray area remains where supervisory authority bodies have been hesitant to levy fines. Moving forward, especially as the European Data Protection Board releases further clarification, that could change.
GDPR compliance and data protection trends to expect in 2020
More enforcement is at the top of the list for virtually everyone’s GDPR expectations in 2020. Fines and penalties ramped up in 2019, and companies are bracing for more action in the new year.
“There were more fines in the fourth quarter of 2019 than any quarter before,” said Buck. “I expect that to continue to be the case. The kind of fines we’re seeing are issued because [the company doesn’t] have a legal basis for collecting the data. The biggest fines seem to be because data was not properly secured and there were breaches.”
According to Kagan, some big fines could be coming down the pike from the supervisory authority in Ireland, where many big tech companies are headquartered. More than a dozen investigations are underway in Ireland that could result in some of the biggest fines to date, she said.
“Those are taking longer because they are complicated and require coordination between authorities, but Ireland has said we will see enforcement actions on big tech come out in 2020,” Kagan said.
In addition to enforcement, companies should closely monitor the European Data Protection Board, which is likely going to release additional regulatory clarification and new guidelines throughout 2020.
Finally, GDPR is just the “catalyst” that kicked off a tidal wave of global data protection laws, Slovak said. Companies should monitor similar developments around the world.
“This isn’t isolated to EU citizens and California,” Slovak said. “It’s a trend that’s going to sweep the world. Get ahead by investing in the data flows you have today.”
Tips for GDPR, CCPA and data protection compliance
Compliance with these all-encompassing laws can seem impossible, but taken one step at a time, your business will soon be on the road to compliance. To stay motivated, remember, full compliance doesn’t have to be the goal; even showing an effort could be enough to keep regulators at bay.
“Companies that have been on a path and worked with regulators … have had cases closed against them or their fines have been reduced,” Kagan said. “You need a plan. Conduct a risk assessment, figure out the riskier pieces of your processing, and start working through them. Be on a path.”
- Don’t panic. Data protection laws like the GDPR and CCPA are complex and wide ranging. It can be overwhelming for companies, especially small and midsized businesses, to manage. However, it is important to break the process down into manageable pieces, accomplishing one small task at a time. Think of the process as moving toward compliance, rather than crossing it off the list in one fell swoop.
- Conduct a risk assessment. A great place to start, according to Kagan, is by conducting a risk assessment. Use this assessment to identify the biggest risk areas for your business where you might either be running afoul of the rules or vulnerable to a data breach.
- Start with the riskiest components. Once you have a comprehensive understanding of the risk profiles of each element of your data collection operation, you can prioritize which parts to address first. Always start with the riskiest elements of your company. For example, if your security is lacking, shore up your defenses to ward off data breaches. If you are not obtaining consumer consent to capture and use their data, implement a method by which you gain that consent. Working with a GDPR compliance consultant can help you understand risk more clearly.
- Understand the data and why you collect it. A big piece of GDPR and CCPA is that companies must have a complete picture of the data they collect, as well as why they collect it. Upon request, consumers must be furnished with a copy of their data, and companies must be able to edit or delete it. It is imperative that your business understands which data it collects, how it is stored, where it is shared and why it is used. Failure to develop a complete understanding makes compliance with data protection laws virtually impossible.
- Establish a formal governance program. Once you’ve developed an internal process for complying (or at least working toward compliance) with data protection laws, establishing a formal governance program helps you demonstrate those efforts to regulators. A formal governance program can structure precisely how data is captured, stored, shared and used. This is especially important for large companies, Kagan said, but small to midsized businesses could benefit from formalizing their data governance as well. This could include appointing a data protection officer to oversee day-to-day data collection and processing to ensure it is in line with GDPR rules.
Compliance with the GDPR, CCPA and other data privacy legislation is an ongoing process. While each piece of legislation that has been passed or proposed has different specific requirements, the basic goals are the same. From managing the processing of personal data properly to preventing a breach, there’s a lot companies are expected to do. That means you can start working toward compliance without knowing all the details or having all the clarification coming down the pike from regulators, Kagan said.
“It’s not too late to comply,” she said. “Disregard the fact that your sink is full of dishes. Don’t avoid it and put it off until tomorrow – just get started.”
By implementing and following best practices, you can reduce your risk of running afoul of data privacy laws and, in the worst-case scenario, demonstrate to regulators that you have made a good-faith effort to protect consumer data. Beyond compliance, there are compelling business reasons for adhering to the best practices set out in data protection regulations, Slovak said.
“If you do it right, you get auditability and transparency,” he said. “You can tell your customers what data you have and where you’re sending it. If you do it right, you’re going to have better conversations with your customers because you have a better understanding of what they want in the moment you’re talking to them.”
Protecting consumer data privacy is good business sense and helps you build a trusted brand, he added. GDPR readiness is a good way to start shifting toward putting consumer data protection first.
“At the end of the day, data is something that’s entrusted to you. A consumer is entrusting you with information about themselves so you can create better experiences and services for them,” Slovak said. “This is an opportunity to reevaluate how you treat your customers and prospective customers. It requires a different way of thinking, and an investment in data and the tools to manage the data itself.”
To stay ahead of the regulatory curve, regardless of where your company is based, and start building better relationships with your customers, investing in your data infrastructure and governance is a great place to start.