
GDPR Best Practices: How Companies Adapted to Comply

By: Jon Avidor

The European Union’s privacy regulation, the General Data Protection Regulation (GDPR), came into effect on May 25, 2018, prompting companies to quickly review or change the way in which they collect and process users’ personal data. The new regulation gives European Union citizens more control over the private information they share online and applies to all companies worldwide that do business with E.U. citizens. Compliance with GDPR is critical for companies, as non-compliance could cost a company fines of as much as 4% of its annual revenue or 20 million Euros, whichever is more. As a follow-up to an earlier GDPR article, we looked at how companies, including major brands, have changed their terms of use and privacy policies to comply with the newly effective GDPR rules and requirements.

User-Friendly Language and Interface

The crux of GDPR is that users now have the right to their own data and must consent to companies collecting their data by opting in, rather than opting out. For users to understand what data they are divulging, how that data is being used, and what a user can do to remove or update their data, companies had to update their terms of use and privacy policies so that they can be understood by the average user. This required the use of less technical language and the inclusion of definitions for lesser-known or ambiguous terms. For example, Google now includes explanatory videos of how Google uses the data it collects from its users, and Twitter includes scroll-over definitions for terms such as “location data” and “advertising partner data” so that users can have a better understanding of what these terms mean in regard to personal data. These terms are important to define for users because terms such as “location data”, “online identifiers” or “genetic data” are now deemed to be personal information under GDPR.

Additionally, shifting away from dense, aesthetically unpleasing terms of use and privacy policies, companies have updated their interfaces to create a better user experience. The less technical language coupled with the more user-friendly interface have made the terms of use and privacy policy easier and more inviting to read and understand.

Personal Privacy Controls

Most companies now include a privacy settings tab that allows users to review what specific personal data the website has collected, review or rectify that data, and approve what data the website may continue to retain or share. These controls also give users a transparent understanding of how the companies will use the data provided by their users. Companies have also included step-by-step tutorials and guides on how users can access and review this information. In some instances, such as LinkedIn, any visitor to the site, regardless of whether the user has a registered account, has the right to access and control their personal data on the site. Some sites only provide this feature for users accessing their site with registered accounts.

Data Protection Officer

The role of a data protection officer (DPO) is mandatory under GDPR for public authorities that process personal data, companies that systematically monitor personal data on a large scale, and companies that collect or process sensitive personal data or data regarding criminal convictions and offenses. The appointed DPO (either a designated employee or a hired outside consultant) must possess expert knowledge of data protection law and practices. The DPO is responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting routine security audits.

To comply with GDPR, large-scale data processing companies, such as Salesforce and Google, have appointed DPOs to serve as the point person for their users’ inquiries about the companies’ data collection procedures and policies, both generally and as they pertain to an individual user.

GDPR Compliance Good-Faith Effort

There is no magic language or magic sauce that a company can use to ensure complete and total compliance with GDPR. There are many complexities and unanswered questions regarding GDPR, making it difficult for companies to guarantee complete and total compliance. By demonstrating good-faith efforts to substantially comply with the requirements of GDPR, companies may be able to mitigate the risk of paying the exorbitant fines for non-compliance.

E.U. General Data Protection Regulation Looms for American Multinational Businesses

By: Jon Avidor and Cassidy Lopez

If you do business in Europe, a new landmark European Union data protection law may have a huge impact on how you collect and store personal information from your E.U. clients and customers.

The General Data Protection Regulation (GDPR), which is set to go into effect on May 28, 2018, is perhaps the most significant change in personal data privacy rules to date. The new regulation gives European Union citizens more control over the private information they share online and applies to all companies worldwide that do business with E.U. citizens. It is a prime example of the difference in how American law and European law approach consumer privacy—opt-in vs. opt-out—while forcing global companies, especially those in the tech, retail, healthcare, and financial industries, to find a compliant yet practical and workable balance.

The new law itself has extensive technical and costly requirements, including providing E.U. customers with copies of their personal data at their request and also deleting any such personal data at the customer’s behest. Companies must also report any data breaches within a 72-hour period. Non-compliant companies can face threatening fines of as much as 4% of their annual revenue or 20 million Euros, whichever is higher.

Implications for Data Collection and Retention

Personal Data: The GDPR regulates directly or indirectly identifiable information about a person, or “Data Subject,” which is more expansive than the traditional American concept of “personally identifiable information,” and can include the consumer’s name, photo, email address, financial and banking information, social media posts, medical information, and even IP address.

Information Concerning Minors: Data controllers must obtain parental consent before processing personal data of children under the age of 16, though E.U. member states may lower the minimum age to no less than 13. This sets a higher bar than American privacy law, which under the Children’s Online Privacy Protection Act requires verifiable parental consent before collecting and storing personally identifiable information relating to children under the age of 13.

Consent to Collect Data: The hidden browse-wrap privacy policy is a no-go under the GDPR. Data collectors must have “unambiguous” consent to collect ordinary identifiable “personal data,” such as a person’s name, location data, or demographics, but “explicit” consent to collect sensitive personal data, including information relating to a person’s racial or ethnic origin, political opinions, religious beliefs, health, and more. An intelligible and easily accessible form stating the purpose of data collection is sufficient for unambiguous consent, but explicit consent requires affirmative acceptance or opt-in.

Data Retention and Consumer Requests: The GDPR’s greatest compliance cost will likely result from the strict data retention policies. Data collectors must routinely account for the data they hold, why they hold it, and where, how, and for how long it is stored. Within one month of a request by a data subject, these companies must provide E.U.-citizen customers with reports detailing all high-risk personally identifiable information held by the company and disclose how they use that data and under what permissions. Companies will need to develop mechanisms for users to submit data requests to gain access to their personal information.

This is not surprising in light of the 2014 ruling by the Court of Justice of the European Union that, under the EU’s 1995 Data Protection Directive, individuals have the “right to be forgotten,” more specifically, the right to request Internet search engine operators remove information from search results that is “inaccurate, inadequate, irrelevant, or excessive.” Listen to John Oliver’s take on Last Week Tonight.

Mandatory Security Breach Notifications: To ensure accountability, in the event of a “high risk” security breach, the data controller must notify its country’s supervisory authority and all affected individuals within 72 hours of discovering the breach.

Appointing Data Protection Officers: Organizations that engage in “large scale” systematic collection and processing of personal data must hire an expert in data protection law and practices as a Data Protection Officer.

Penalties for Non-Compliance: The enforcement mechanism under the GDPR is a fine, tiered up to the greater of 4% of total worldwide turnover (i.e., revenue) in the past financial year or 20 million Euros, based on, among other things, the scope and duration, negligence, and subsequent transparency of the data breach or non-compliance, as well as past infringements.

Effect of Brexit: Since the United Kingdom will still be a member of the European Union when the GDPR goes into effect later this year, the GDPR will become part of U.K. law and remain so after the U.K. leaves the E.U. The U.K. Department of Digital, Culture, Media and Sport introduced into Parliament the Data Protection Bill, which according to Shearman & Sterling, would largely implement and perhaps even enhance the GDPR framework and policies. As of January 18, 2018, the bill had proceeded from the House of Lords and is currently under consideration in the House of Commons. Check the status here.

U.S. Cooperation and the Privacy Shield

The E.U.-U.S. Privacy Shield framework is an agreement between the U.S. Department of Commerce and the European Commission designed to provide a regulatory framework for commercial personal data exchange between the European Union and United States in a way that satisfies both jurisdictions’ privacy and consumer data protection laws, namely the GDPR. It replaces the U.S.-E.U. Safe Harbor program. Once an eligible U.S. organization voluntarily and publicly commits to the Privacy Shield Principles, compliance with its commitment to data processing transparency, security, and accessibility is enforceable under U.S. law, primarily by the Federal Trade Commission or, if relating to an airline or ticket agent, the Department of Transportation. Participating American businesses must also provide a free mechanism for consumers to resolve privacy issues directly with the company and agree to final, “last resort” arbitration with an approved data protection authority. The E.U.-U.S. Privacy Shield will not apply to data transfer between U.S. and U.K. companies post-Brexit, according to a U.K. parliamentary committee report as reported by TechCrunch.

Looking Ahead, Companies Weigh Their Options

Compliance with GDPR is a top priority for many large U.S.-based multinational companies, but achieving compliance won’t be cheap. PricewaterhouseCoopers reported that, to insure against the threat of fines and penalties resulting from non-compliance, 92% of U.S. multinational companies cite compliance with GDPR as a top priority and 68% of those companies are committing between $1 million and $10 million to GDPR compliance efforts. For others, the investment isn’t worth the return, and the threat of high fines and injunctions is instead leading some businesses to reconsider doing business in Europe. In another recent survey conducted by PwC, 32% of respondents plan to reduce their European presence, while 26% plan to exit the European market altogether. While Google parent company Alphabet certainly won’t exit the European market, which contributes approximately $9.3 billion to Google’s annual revenue (approximately 33%), Deutsche Bank predicts Google’s bottom line could take a 2% hit, as an estimated 30% of E.U. users will likely opt out of data sharing under the GDPR, decreasing Google’s targeted ad efficiency by 20%. One report also claims that only 34% of sites in the EU are ready for GDPR. As European regulators continue to clarify how they will interpret the GDPR, more American companies are likely to re-evaluate the return on investment of their European initiatives.

* We would like to thank Cassidy Lopez for her contribution to this article.