How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR) which went live on May 25, 2018? I recently had the opportunity to visit Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert on this topic. Armstrong noted there have been some changes which may significantly impact this issue going forward. There are basically four ways to affect such a transfer.
However, there is a method that many people may not realize is a data transfer as it involves reviewing data which sits on a server in the EU. This means that even if the data does not move out of the EU but you can access it from the US that counts as a data transfer as well. A fairly typical corporate example might be where your organization has a system for your employees that does that payroll and that payroll information is on a server in Belgium. Your Human Resources (HR) Department from the US can get into that server and extract data from it. This is a data transfer under GDPR.
Not that the Trump Administration is any friend of the EU (or data privacy for that matter) but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. From the European legal perspective, Privacy Shield currently faces two faces challenges before the ECJ. These are likely to be heard in 12 to 18 months. Finally, the European Parliament and the several European data protection regulators are not fans of Privacy Shield and this has hampered progress since it was brought into force. Armstrong concluded by stating, “my gut feel would, would be the privacy shield will die. It is a question of when and not on privacy shield. Certainly, in a worse position now than it was on May 25th.”
Armstrong emphasized this is not a rubber stamp process but one which takes time and concerted effort. He estimated that it is an 18 month or so process. However, under GDPR there was the creation of a European Data Protection Board (EDPB) and one of its function is to help the process of getting Binding Corporate Rules approved more quickly.
Armstrong concluded by cautioning there is still much fluidity in the mechanisms for data transfer. There still may be many changes from both the regulatory perspective and the legal perspectives through court challenges. He concluded by stating “vigilance is the watch word here.”
You will note the new title for this episode, Life With GDPR. When Jonathan Armstrong and I began this series in early 2018, we had intended to give listeners a grounding in the new law in the lead up to its go-live date of May 25. However, the response was so overwhelming and Jonathan and I had so much fun putting on the podcasts that we decided to make Countdown to GDPRa permanent part of the Compliance Podcast Network, albeit with a more appropriate name. So welcome to the re-monikered Life With GDPR, which I hope you will enjoy as much as you enjoyed its predecessor. Today Jonathan and I take up the issue of non-monetary penalties.
While most practitioners focused on the heavy fines and penalties available under the General Data Protection Regulation (GDPR) of up to 4% of total global revenues or other very large fines, there are other remedies that each EU and UK data regulator can levy or put into place that may require considerable corporate cost and effort. Moreover, these lessor penalties and sanctions can be the precursor to larger monetary fines and penalties. Armstrong emphasized that each EU country has its own regulator and they will have varying degrees of aggressiveness.
Armstrong pointed to three areas the regulators can order companies to engage in activities. First, it can order a GDPR audit to determine if it has previously assessed its data protection/data privacy issues correctly. Here he pointed to an example of a healthcare organization that was ordered to perform a Data Protection Impact Assessment (DPIA) and report back to the regulators within one month.
Next, Armstrong pointed to the joint areas of date controllers and data processors. Regulators can require a company Data Protection Officer (DPO) to comply with data requests, even Subject Access Requests (SARs). He referenced to a recent example from the UK involving Cambridge Analytica, which was ordered to comply with a US academic’s SAR. Further, a regulator can order a company to bring its data protection program in line with GDPR. Additionally, regulators can maintain investigations in the form of data protection audits and have the right to obtain access to any premises of the controller and the processor, including any data processing equipment by obtaining a warrant. This may prove to be a significant tool in the data protection regulators’ toolkit.
Regulators can also order companies to stop certain activities. Here Armstrong provided the example of a US based company with operations in Europe who is not GDPR compliant around its internal reporting structures. An EU regulator could order the company to suspend its hotline in Europe until there is compliance. Under such a scenario, the US Company would be out of compliance with US securities law and it may be at risk under best practices compliance programs under the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) regulations, export control regulations or even US anti-trust law.
Armstrong emphasized that it is not simply the regulators who have powers under GDPR, individuals do as well. SARs of course are well-known but there are other individual rights Armstrong emphasized. If an individual files some type of GDPR complaint with a statutory regulator, who does not take up the complaint within 30, days that individual can appeal against both the regulator to get the complaint moving forward. This means that individuals can file SAR actions against companies that do not respond in a timely manner to SARs. Moreover, such individuals can then band together in a class action lawsuit over such failures. There is also a mechanism for equitable reallocation of damages between parties. If a data processor has to pay damages properly attributable to a data controller, GDPR Article 82 provides a procedure for claiming these damages back. Finally, recall that any person who has suffered “material or non-material damage” due to an infringement of the new rules has a right to compensation from the data controller or processor concerned for the damage suffered and you begin to realize the powers that individuals hold under GDPR.
Interestingly, Armstrong believes that the number of regulatory and individual remedies will mandate that if companies have an incident, they should investigate and remediate quickly. From there, the entity should prepare their investigative results, remedies and internal sanctions they may have put in place on those employees involved. These steps will all go towards mitigating any proposed financial penalty the regulators may be considering. Basically, businesses need to have their ducks in a row, as it can lead to not only reduced costs for corporations, but also could well lead to greater compliance if tied to a root cause analysis.
Today we consider Subject Access Requests (SARs) under General Data Protection Regulation (GDPR). As always, I am joined in this exploration by Jonathan Armstrong, a partner in Cordery Compliance in London. SARs may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR on May 25, 2018. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.
SARs currently exist for all countries in the European Union (EU), in most jurisdictions companies can currently charge a small fee for them. Although the fees are generally fairly trivial, it does put off many applicants. However, post-GDPR Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time consuming to fulfill. He noted that some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR. But it is not simply the detailed work needed to fulfill the SAR but a company must also redact out the data on other people.
Armstrong provided an example for a SAR for emails sent to an individual. A SAR might come in for emails being sent to Mr. Jones. While you might be able to do a word search for Mr. Jones and find all emails relating to him, it could be that 10 other people were copied in on emails to/from Mr. Jones. You are required to redact out the details of those 10 people.
Armstrong further refined the example by adding the factor that the email related to performance appraisal and a manager is communicating how their seven direct reports accomplished in that performance appraisals for the year. In responding to the SAR, a company must disclose the information on the one individual who has made the request but redact the information on the others. He words like “he or she” must be reviewed as they can provide personal identifiable information such as a person’s sex. There is also information such as cell phone details, which might be found on the footers of emails that would identify individuals. This information must be redacted.
Obviously, this example is antithetical to the way in which US companies not only do business but the manner in which they try to avoid releasing any information to the public. However, Armstrong believes this is very important in the EU and will be going forward in the UK, post Brexit. He even pointed by to Max Schrems and the original litigation which brought down Safe Harbor. It could also be that EU and UK citizens might make SARs and then use the US corporate responses as the basis for class action type lawsuits. All of this mean US companies must not only take SARs seriously but have a protocol in place for handling them.
Once again, the key is to have policies and procedures in place to deal with SARs. He said it all begins with training so employees understand what a SAR might look like when it comes in because there is no one prescribed form. Also remember that a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical not only for the reasons detailed above in appropriately responding to the SAR but as Armstrong noted, “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could resolve the underlying issue, avoid the entire SAR” by handling whatever the issue is which led to the SAR in the first place.
In this episode, Jonathan Armstrong and I discuss the backbone of the new General Data Protection Regulation (GDPR), which is data protection and the ancillary topic of responding to data breaches. GDPR introduces significant changes on the mandatory reporting of data breaches, including both a requirement for reporting to the relevant regulator(s) and communication to those affected by any data breach.
In this episode of Countdown to GDPR, Jonathan Armstrong and myself are interviewed by Laura Petrolino, the Chief Client Officer at Arment Dietrich, Inc. on the applicability of GDPR to the professional communications industry. It was a fascinating way to discuss some of the key points of GDPR in the context of one industry/profession.
Some of the topics we discussed are:
For the communications specialist, you learn a lot about GDPR compliance and data privacy and protection. But the key takeaways should give you a lot to think about as far as how you use data as part of your communications strategy. They include:
Properly viewed GDPR implementation can be business opportunity for the communications professional.
To see Laura Petrolino's blogs on GDPR for the communications professional check out her musing on SpinSucks:
In this episode of Countdown to GDPR, Jonathan Armstrong, a partner at Cordery Compliance in London and I consider the roles of vendors in GDPR. These roles are both in complying with GDPR and substantively following the regulation itself. The first area is a vendor which is a subject matter expert in the areas of data protection and data privacy.
Armstrong discussed an actual advertisement where a company claimed to be a ‘GDBR’ expert. Leaving aside the copy editing FUBAR, the ad also cited regulatory requirements from preliminary drafts of GDPR which were superseded by the final version of the legislation. He stated, “there's still the difficult thing that corporations out there that are struggling but there are snake oil salesmen who are trying to prey on them and sell them projects that they don't need and not sell them projects that they do need. There is definitely a skills gap. And obviously as we get closer to GDP that gets all the more worrying.”
Beyond this problem of technical competence, vendors present another set of risks under GDPR. Many organizations with literally worldwide operations are concerned with their potential liability for their vendors in the United Kingdom in the EU or in countries under GDPR. Armstrong noted that the initial inquiry a company should make is who is the data controller and who is the data processor. Under the old rules, data controller was the corporation and the data processors were the vendor. With days of cloud computing and software as a service (SaaS) these lines are more blurred. He noted “as a very general rule the corporation remains liable for everything that it does even if it uses a vendor to process data on its behalf or to manage part of the service.”
GDPR will require a more robust third-party risk management process for vendors. Armstrong explained, “when you are bringing vendors onboard you need to go through a proper process to do due diligence on them. “There are some warning signs to start off with, such as if a vendor says I understand all about GDPR and then talks to you about PPI you should show them the door.”
He went on to add, “If they say you can't have any audit rights. Show them the door. If they say we will not commit to telling you about data breaches within 72 hours. Show them the door. There are various minimum requirements that a vendor has to meet under GDPR and if they don’t, find somebody else.” But simply performing background due diligence is not enough.
You should have an appropriate set of contract terms and conditions around GDPR compliance in your agreement with them. There should also be “some sort of attestation about what they're doing particularly” around continued GDPR compliance. If certainly would want to know where the data is going to be hosted and if there are ISO 27000 certificates in place for the data centers. Finally, the management of this risk must continue throughout the life-cycle of the third-party relationship with the customer.
In this episode, we take up a key element in the upcoming General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, that being the issue of the Data Protection Impact Assessment (DPIA). As always, I am joined in this exploration by Jonathan Armstrong, partner at the Cordery firm London. The UK Data Protection Regulator, the Information Commissioner’s Office (ICO), recently published new draft guidance on conducting DPIAs, entitled “Consultation: GDPR DPIA guidance”(Consultative Guidance).
A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The Consultative Guidance, notes your DPIA “should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.” There are consultation obligations as part of the DPIA process including, in some cases, the obligation to show your DPIA to a Data Protection Authority (DPA) and seek prior approval.
For more information, check out Cordery’s great GDPR resource, GDPR Navigator.
Finally, if you are in Houston on April 10, the Greater Houston Business and Ethics Roundtable is hosting Jonathan Armstrong for a ½ half day GDPR workshop, entitled “Are You Ready for GDPR?”. For information and registration, click here.
In this episode we explore the basic policies and procedures that you need to have in place to comply with the General Data Protection Regulation (GDPR). I am joined in the exploration by Jonathan Armstrong, a partner at Cordery Compliance in London. GDPR compliance mandates some specific policies and procedures that Jonathan Armstrong and the team at Cordery Compliance in London suggest that you put in place at this time for the GDPR go-live date of May 25, 2018.
In today’s episode of Countdown to General Data Protection Regulation (GDRP), Jonathan Armstrong, a partner at Cordery Compliance Ltd in London, and myself consider the role of the Data Protection Officer (DPO) in complying with the new regulations which go live on May 25, 2018. The Cordery Compliance FAQs note that DPO must be appointed to deal with data protection compliance where:
The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed or not, but, given the significance of privacy compliance today, even if technically-speaking a DPO is not required to be appointed, a business of a particular size that regularly processes data may wish to consider appointing one in any event.
The role of the DPO is critical in complying with GDPR. The time to start is now. For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the GHBER.org site.
Whether you are ready or not, the EU General Data Protection Regulation (GDPR) goes live on May 25, 2018. It will impact companies doing business in London as much as any other EU legislation. To help US companies prepare, Jonathan Armstrong and myself have started a countdown to GDPR podcast. In this premier episode we discuss what is GDPR and why it is so important that you begin preparing now.
It is quite a wide piece of legislation and covers all personal data. Armstrong noted it is incumbent to remember that the definition of personal information is much wider than the US definition as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU. It could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security; in most cases your organization will be required to report data breaches to a UK data regulator within 72 hours of the awareness of the breach. Another distinction is the right for an individual to ask companies what information it may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. Finally, one area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right cause of action under GDPR.
Even at this late date, there are steps you can take to begin to get ready. Armstrong laid out three steps a company can take now. First, through a proper plan which is achievable, and concentrates on the main issues, Armstrong believes “that are less likely to get you into trouble with the regulator or expose you to private rights of action.”
Second, Armstrong said you should look at how you relate to individuals, whether they are consumers or employees, you are going to have to be much clearer with them about how you are using data around them. To do so, you will need to engage with marketing and sales teams to provide them with some awareness as to the changes that GDPR is going to make to what they do with individuals and the transparency obligations.
Third is to have a real focus on data security. You will need to make sure that you secure everything that you can, including both soft and hard copies of data. In conjunction with this final point, you must plan for and rehearse data breach responses, because under GDPR you have, in most cases, just 72 hours to respond to a data breach so you need to practice the scenario to be able to do that efficiently.
Near and dear to the compliance professionals heart, Armstrong said it all begins with a risk assessment. This means your corporate compliance function may well play a very large role in your GDPR compliance. From there manage the risks that you see in your data protection and management program. In the Cordery FAQs (FAQs) regarding GDPR it states, “Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning.”
You should anticipate the need to appointment a Data Protection Officer (DPO) in your company. The FAQs state:
A DPO will have to be appointed to deal with data protection compliance where:
“The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management.”
In addition to the basic risk assessment, Cordery advises, companies should undertake ““Data Protection Impact Assessments” (DPIAs). Where processing operations, in particular those using new technologies, “are likely to result in a high risk for the rights and freedoms of individuals,” an impact assessment of the envisaged processing operations on the protection of personal data must be carried out, prior to the processing, “taking into account the nature, scope, context and purposes of the processing.” The new rules also set out other additional criteria that will necessitate an impact assessment. A data protection regulator must also be consulted prior to the processing of personal data where an assessment “indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk”.
DPIAs are likely to become common and should prove to be a very useful tool for businesses in addressing privacy risks.”
For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 PM. You can find out more information on the event and register by going to the GHBER.org site.