US companies could be at risk of multi-million-dollar fines if they do not respond to the upcoming changes in EU data privacy, with less than a year to finalize their compliance.
When the EU’s General Data Protection Regulation (GDPR) comes into effect on May 28, 2018, it will change the way many companies collect, process and store data about people living in the 28 EU member states. Article 50 of the regulation specifically states that it applies to companies based outside the EU.
More than half of US multinationals say GDPR is their top data-protection priority and 77 percent plan to spend $1 million or more in the next year to prepare, according to a PwC survey of C-suite executives conducted in January.
Notable GDPR provisions include the need to obtain active consent from individuals before processing their data, the right of EU residents to know what personal data a company holds about them, and the right to be forgotten, which grants EU residents the power to demand that a company stop processing data about them and delete the data it already holds. The definition of personal data includes bank, credit card and healthcare information.
The GDPR outlines much stricter data privacy rules than the EU’s previous data protection regulation from 1995, and that has far-reaching implications, says Kendall Burman, counsel at Mayer Brown. ‘Companies that wouldn’t have European data privacy on their radar will now have to think about whether GDPR applies to them,’ she tells Corporate Secretary.
The maximum fines for a breach are €20 million ($23 million) or 4 percent of global annual turnover, whichever is greater. While this may seem an unlikely sum to collect, the EU demonstrated this week that it’s not afraid to bare its teeth at even the largest US companies when it hit Google with a $2.7 billion fine for an antitrust breach.
Cyber-security risk and data transfers
Beyond the collection and processing of individual data, the GDPR also seeks reassurances from companies about how that data will be stored securely and updates the EU’s position on how it can be transferred across borders legally.
While the American Institute of CPAs (AICPA) recently launched a voluntary framework for reporting on cyber-risks (CorporateSecretary.com, 5/4), the GDPR requires companies to proactively provide a ‘reasonable’ level of data protection and privacy to EU residents – although the word ‘reasonable’ has not yet been defined.
Under articles 33 and 34, companies will also have to report cyber-security breaches to a supervisory body within 72 hours of the breach. ‘What we’re encouraging companies to do at this point is to understand their data, assess whether they need to make changes based on GDPR and then come up with a plan,’ Burman says. ‘It pays dividends to be smart about GDPR now.’
One particular area of focus for international companies will be the changes GDPR introduces to cross-border data transfers. Under GDPR, the processing of data relating to an EU resident requires a lawful basis, as does the transfer of that data. Several frameworks currently provide some form of legal basis for cross-border data transfers, including binding corporate rules and the EU-US Privacy Shield, which replaced the Safe Harbor provisions in 2016.
The latter is likely to face a legal challenge from the EU once GDPR comes into effect, Burman says. ‘It was anticipated there would be a legal challenge, so we’re watching any developments that could threaten it,’ she says.
According to the EU-US Privacy Shield website, 2,259 US companies have signed up to the self-certification framework so far.