Preparing for the EU GDPR Changes

May 23, 2018
Blackstone Media

To gain a better understanding of the General Data Protection Regulation (which has already been dubbed “the most important change in data privacy regulation in two decades”), we recently consulted with Robert W. Dibert, a Frost Brown Todd attorney with extensive data privacy and security experience dating back to the early 2000s. Mr. Dibert was happy to provide additional insights into many of our questions, giving us a better idea of what some of these GDPR changes are, who they might affect, and what can be done to ensure smoother GDPR implementation for companies before the May 25th deadline.

Keep in mind that the GDPR is a massive piece of legislation, and this blog will only touch on some of its stipulations. This blog is also not intended to be taken as explicit legal advice for your company to follow. This blog only aims to educate readers with an informative GDPR overview, while also providing examples of steps that other companies have taken to ensure their own compliance.

Why does the EU GDPR matter to American businesses?

“This is causing a commotion in the US because, according to some surveys, more than half of all large U.S. companies may be subject to GDPR because of the amount of business they do with or inside the EU.” – Robert W. Dibert, Frost Brown Todd

Even though the GDPR is a European initiative, it’s set to affect virtually all businesses that offer goods and services to, or monitor the behavior of, EU data subjects. In fact, one of the most drastic GDPR changes is that any company collecting personal data on EU citizens, or even on non-EU citizens who are inside an EU country at the time, may be subject to a wide variety of penalties. For example, if a non-EU company violates a GDPR guideline, that company could still incur a maximum fine of up to 4% of its annual global turnover.

To avoid such steep fines, GDPR awareness will only become more and more essential if companies wish to continue collecting personal data on EU subjects (or even American subjects simply traveling through). But what exactly constitutes “personal data” under the new GDPR framework?

“While the 1995 Directive was somewhat consistent with the US definition of what defines personal information, there’s an expanded definition of what is considered ‘personal data’ for the GDPR. Beyond specific definitions of personal health information and personal financial information common in the U.S., the GDPR says that any information that can be used to identify an individual qualifies as personal data, so that expands the scope into things like IP addresses, biometric identifiers, or any other information that could be linked to define an individual.” – Robert W. Dibert

So, after 20 years of relative consistency with the Data Protection Directive, the new GDPR aims to modernize things to more effectively protect today’s EU citizens from “privacy and data breaches in an increasingly data driven world that is vastly different from the time in which the 1995 directive was established.” To more efficiently update and reinforce the protection premises contained in the ’95 directive, a widely publicized series of new policies has been set in place emphasizing “extraterritorial applicability”—that is, an increased emphasis on protecting the personal data of EU subjects from organizations outside the EU as well.

What are some of the biggest GDPR changes to prepare for?

Of course, all of this is still just a sample of the many changes the GDPR will bring about. Considering that the regulation currently contains 11 chapters and 99 articles, it would be hard for any single blog to comprehensively cover every nuance of its legislation. In addition, some of its articles and rules may apply to your business more than others, while others may not apply to your business whatsoever. All of this is why it’s so critical that you confer with your organization’s own legal team to sort through this massive piece of legislation and become as compliant as possible.

What are companies doing to prepare for these GDPR changes?

“We have seen general activity dating back to 2016 when the EU formally passed GDPR. In the last 90 days or so, there has been an uptick in businesses looking at their operations and asking, ‘Are we doing a kind of business that is reaching across jurisdictional lines, and if so, what are the costs of compliance versus the cost of doing that business?’ There are even some internet businesses that have stopped doing business across jurisdictional lines because the cost of compliance just isn’t worth it.” – Robert W. Dibert

Back in late March, it was estimated that only 21% of U.S. businesses had a GDPR plan in place. Of course, compliance requirements will vary by company and industry, and since the GDPR assigns distinct roles to organizations based on the way they collect and use data, ensuring full compliance is a tricky and expensive undertaking. But that’s no excuse for a lack of initiative. Still, the small percentage of companies that have been preparing for the GDPR are at least ahead of the game.

With transparency being such a critical component of the GDPR, companies are updating their sites so that cookie and other data-collection policies are easier to find, if not front and center. For example, we at Blackstone Media recently updated our own Privacy Policy so that visitors can see exactly when and why we collect their information (like when they sign up for a newsletter, or if we want to track their on-site behavior to identify common pathways and areas of interest).

We also explain what we may use their information for, which could be anything from statistical analysis to creating tailored email lists or delivering customized content. For further transparency, we explain what steps we take to safeguard their information, and we also mention that we only collect information if it’s voluntarily provided, and so on. Essentially, the goal was to be as up front, clear, and honest as possible, which is ultimately what the new GDPR privacy protection stipulations are all about.

Here are some examples of steps that other companies have taken to prepare for upcoming GDPR changes, many of which have been meticulously outlined in their own on-site blogs and articles:

Will this new GDPR framework ultimately be good or bad for the internet?


“In the EU, up to ⅔ of EU citizens are concerned about their ability to control the use of their personal data. In the US, the reported number is somewhat less, but it’s still at least half. There was also a survey in the UK that showed that up to half of their citizens intend to assert their rights to protect their personal data. So, as far as consumers are concerned, yes, there is a clear want for more transparency and consistency in regards to how their data is being collected and used. On the other hand, GDPR compliance will cost businesses a lot of money, meaning some companies may look for alternatives such as outsourcing EU-related internet communications to a provider who can assume much greater responsibility for compliance.” – Robert W. Dibert

So, in essence, the GDPR is good in that, ideally, it will lead to a more open and intuitive internet, one where customers don’t have to struggle to find a “Decline” or “No thanks” CTA while glaring at a ridiculously sized “Accept” button. And that’s not just an opinion—in fact, a HubSpot survey on consumers in the UK, Ireland, Germany, Austria, and Switzerland found that 90% believed the general GDPR privacy protection principles are a “good thing.”

On the other hand, GDPR implementation has already cost companies around the world a lot of time and resources—and these expenditures won’t simply end come May 25th. Ongoing upkeep and accountability will become hallmarks of many businesses, assuming those businesses wish to maintain prolonged compliance and avoid steep GDPR penalties.

Still, at the end of the day, the argument about whether the EU GDPR rules are “good” or “bad” is irrelevant—they’re coming either way! However, since we like to end things on a positive note, we would like to say that we do believe these GDPR changes will ultimately lead to a better, safer, and more transparent internet…and that’s desperately needed in a time filled with such widespread publicity surrounding data breaches and other issues. Any law or regulation that eventually leads to renewed customer trust and better relationships between companies and consumers is a positive step in the right direction…in our book, at least.

This article was originally posted on Blackstonemedia.com.
