NEW EU DATA PROTECTION LAWS

Tech companies are already counting the cost of sweeping EU rules on data protection (General Data Protection Regulation) that will come unto effect across the EU next May. The sector is scrambling to hire new staff and redesign products as it faces millions of dollars in higher costs and lost revenues. The new General Data Protection Regulation will require businesses to adopt stricter standards for dealing with customer data.

The EU’s market for monetised data amounted to revenues of €59.5bn in 2016, and is the backbone of a technology industry that has increasingly turned to personal information for new product ideas and advertising revenues. However, GDPR will radically alter how these data can be collected, stored and deleted.  At the heart of GDPR is consumer protection. The rules will require companies to ask for explicit consent before using personal information, creating challenges for those that have hidden behind long and confusing privacy policies. They will also impose a strict 72-hour deadline for identifying and reporting security breaches.  Under the new rules, consumers will have a right to be forgotten and to withdraw consent, which means they could request that data be completely deleted from computer servers. This will cause problems for technology companies that share data and for the cloud service providers, such as Microsoft, Amazon, IBM and Google, which host information in data centres on behalf of other companies. Most cloud companies are unprepared, because until now, customer data has largely been the responsibility of “data controllers”the companies that collect personal information rather than the “data processors” that service it. Cloud providers are severely impacted by this, because they are processing data for customers, whether they know it or not. Until now, the nature of many cloud providers has been that they don’t want to know what data they have. GDPR will give regulators the power to fine businesses €20m or up to 4 per cent of their previous year’s global turnover, whichever is higher.  The rules are stringent and that is something that definitely has a business impact

Under GDPR, companies will no longer be allowed to hide behind what the EU calls “silence, pre-ticked boxes or inactivity”. Businesses have adopted different approaches for tackling this challenge. Designers have set to work reformatting privacy disclosures to make it easier for customers to choose “I do not agree” boxes, which are often smaller in size than boxes next to “I agree”.

Summary

1. GDPR established hefty fines for non-compliance. An egregious violation, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars
2. The regulation imposes detailed and demanding breach notification requirements. Affected companies that are accustomed to U.S. state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
3. GDPR  tightens the definition of consent. Data subjects must confirm consent through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-checked boxes, or inactivity no longer constitute consent.
4. The new regulation takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses and other tracking data.
5. GDPR codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will have work to do
6. GDPR gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to develop one.
7. The regulation distinguishes between data controllers and data processors. Controllers are liable for the actions of the processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data, purposes, uses, retention, disposal, and protective security measures)
8. GDPR increases parental consent requirements for children under 16.

Affected Companies

Any company that sells or markets products or services to citizens of the European Union is subject to the GDPR regardless of whether the company has servers located in the European Union, offices in the European Union, or contracts with data processors within the European Union. Social media, software, financial technology, internet companies will be affected e.g.

1. Facebook
2. IBM
3. Amazon
4. Microsoft
5. Google
6. Funding Circle
7. TransferWise
8. HPE
9. Cisco
10. Deliveroo