
Monday, May 21, 2018

Risky Data 2: GDPR outside the EU





Image courtesy of the European Commission
This is the second in our series examining the impact of GDPR outside the European Union. GDPR (the General Data Protection Regulation) is the new privacy law enacted by the European Union that becomes effective May 25, 2018.

The law attempts to enforce an individual’s ownership rights over their personal data. It includes provisions governing the use of any individual’s data that is collected by an enterprise and/or shared with business partners and other third parties.


It imposes significant controls over and restrictions on what can be done with such data without the specific permission of the owner. In addition, because of the risk of exposure of private data by ‘bad actors’, it imposes very tight deadlines for reporting any exposure of such data, along with severe penalties for violating GDPR provisions.

As a result, the details of the act become very important. As with any very large, broadly targeted and comprehensive law created by a large bureaucracy, there are certain to be unintended consequences alongside the intended consequences of its provisions. GDPR covers procedures for obtaining permission for data use, and it sets deadlines for reporting data theft, data breaches, loss of control and similar events. In this piece, we examine some of those details and the risks they entail.

Areas of Uncertainty

Given the size of the task, it is not surprising that many areas of the GDPR requirements remain unclear, lacking in detail, or undecided. For example, there is no clear explanation of how the regulation will function in practice. Also lacking are any hints of what operational changes will have to be implemented during the first several years as the regulation begins to take effect. It is normal to provide some timeline and specifics to help guide and facilitate implementation efforts.

As an example, in many enterprises, while management and audit groups set policy, it is IT operations that has direct responsibility for the implementation details and activities involved in data collection, storage and management. Therefore, GDPR-related implementation will have a profound effect on IT operations, and operations managers should be aware of the areas of concern.

As mentioned in the first article, explicit permission is required for the collection and use of data. For minors, either the parents or a legal guardian must consent. That requirement alone raises severe implementation problems, both practical and legal. What will be the process for contacting the parents for consent? If you rely on the child to involve the parents, will they tell the truth? Will they identify someone else who they know will give permission? What restrictions exist on the data that can be requested to verify this?

Another area that comes to mind concerns the deadlines GDPR sets for responding to data subjects and to violations. For example, the time limits set for responding to requests for access to personal data, or for reporting and acting on data breaches, appear unrealistic[1]. They will have to be adjusted as companies fail to meet them. We know from experience that planners seldom anticipate the full consequences of their dictates, nor are they good at estimating the cost and time required to comply with them. Only experience reveals the unintended results. It is reasonable to assume that many of the GDPR provisions will be revised, radically altered, or even eliminated as actual experience in applying the rules accumulates.

However, it is not clear how significantly, nor how quickly, any such adjustment will be made. Nor is there any guarantee of how infractions will be treated in the interim.

Each country within the EU will have its own GDPR supervisory authority. This raises a host of questions. Germany, for example, has historically been the strictest enforcer and protector of data privacy, applying restrictions and punishing violations much more vigorously than other countries. We don’t expect any change in its position.

Additionally, will large companies be able to shop around the EU to identify the country with the laxest enforcement policies? This is exactly what happened with corporate tax legislation and enforcement. Companies arranged their business accounting, manufacturing and delivery processes to minimize tax liabilities. By implementing complex transaction processes, companies were able to greatly reduce the taxes they paid. As would be expected, enterprises included careful consideration of countries’ taxation policies when making large-scale investment and job-creation decisions. Will it be possible to do the same with GDPR?

The way actual fines will be determined is not specified. Will the countries differ in their calculation formulas? For example, how would the fine be calculated if the data of 500 people is stolen? Does that count as one infringement, or as 500?

A strict reading of GDPR means that American companies, including those with no physical presence in the EU, could be subject to the EU’s worldwide scope if they hold personal data on any EU citizen or resident in their systems. Presumably, the EU would need the local courts to agree to enforce penalties on these companies. How will that work? Will enterprises have to wait for such a case to reach the US Supreme Court to find out the answer? Or will it become an issue in trade negotiations? To date, there have been no public announcements or, as far as we know, any discussions. Nevertheless, it is reasonable to assume the US will enter any such negotiation with its own interests in mind.

What will be the effect of Brexit on GDPR? Since the UK is leaving the EU, it would seem that the EU mechanism for enforcing GDPR will not apply to the UK. Will the UK decide to make GDPR a part of its own law? If so, will the UK make changes in the version of GDPR that it adopts? If it does, how will it differ? In scope? In fines? In restrictions? Will UK enforcement be similar to or radically different from enforcement in the EU? If different, how? Presumably, at least some of these questions will be answered as the UK prepares its exit from the EU.

Finally, GDPR may be tied up in the European courts for some undetermined period as soon as some of the rules are enforced, and it is likely that it will be challenged in this way. This may also happen in the UK if Britain leaves the commercial trading jurisdiction of the EU as it exits the EU community.

In sum, there are numerous areas of uncertainty surrounding GDPR. Only experience and time will provide definitive answers. In the meantime, it is wise to determine the potential for GDPR to impact your operations. If it is significant, you will need a strategy to prepare for it. Our next installment will examine issues about that potential, as well as what should be considered in developing such a strategy.





This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior written consent of Ptak Associates LLC.


To obtain reprint rights contact associates@ptakassociates.com





[1] There are studies that show current response times are on the order of weeks rather than the days required by the GDPR rules. Of course, that might not be relevant if response times can be adjusted downward under the pressure of the new rules.