Four years of preparation, endless hammering out of details, and the General Data Protection Regulation (GDPR) was finally approved by the EU Parliament in 2016. The new regulation, which replaces the archaic Date Protection Directive 95/46/EC, is aimed at standardizing how organizations across the Eurozone approach data privacy. This report will bring to the forefront the key facets of the regulation such as; enforcement, innovative aspects, penalties and fines, and what companies doing business in the EU can expect in the future.
The Expansive Scope of GDPR
For companies doing business in the EU, where processing and relying on data apply, the most significant noticeable change to the regulatory landscape is in the width and breadth of the directive’s jurisdiction. Before the current legislation, geographic applicability was vague. GDPR is crystal clear in outlining how the new rules apply to processing personal data of EU citizens, regardless of where in the world the processing takes place. Also, the new legislation removes all ambiguity where using personal data to sell goods or services from outside the EU is concerned. In short, with GDPR, legislators have closed most of the loopholes in regulation. Even the “cloud” no longer affords any kind of exemption.
It is this expanded territorial or geographical scope of the new legislation that has received the most criticism and backlash. However, despite the obvious drawbacks, this territorial approach does solve one of the biggest problem European data protection law faced in the past. Previously, third country data controllers had more or less a free hand in processing substantial numbers of EU subjects’ data, which in turn endangered the privacy of the Eurozone citizens. Furthermore, any analysis of European data protection laws must mention Convention 108, an act that represents a key milestone in international data protection law. This act, ratified by nearly 50 states, laid the foundation of various data protection regimes. Concerning jurisdiction, the following reference from Convention 108 speaks directly to territorial concerns.
“The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (‘data protection’).
While extraterritoriality is broken down into a multifaceted schema for operating under the new laws, it’s fair to oversimplify for our report. The GDPR has expanded legislation that attempts to cover all foreseen cases of offering goods or services in the EU from abroad.
Opportunities for Stimulating Innovation
While much of the narrative surrounding GDPR is of a negative connotation, many experts suggest potential opportunities for stimulating innovation. Fears the new regulations will negatively affect novelties like artificial intelligence (AI) are overblown and, to date, unsubstantiated. Such negativity and resistance end up grossly ignoring a subject’s right to privacy and consent in favor of nebulous gain. On the contrary, GDPR can serve to create pathways to excellence laxer regulations would never serve to uncover. Here are a few ways in which the new EU regulation can boost innovation.
Innovation spurred through the definition process will come from organizations seeking to comply. For instance, the scope of GDPR-relevant personal data that is, or will be, collected or derived, processed, and shared, will lead to greater transparency and client/customer trust. As an example, in a scenario where a client is denied services by the use of algorithms or AI, the customer needs access to a person able to explain the situation. Without GDPR in place, this kind of credibility is almost non-existent. If we expand on this aspect of compliance dozens of positives, arise about legality, transparency, public confidence, and so on.
Privacy by design is an innovative new strategy that incorporates data privacy in systems and processes when they are being developed or revised. Mandated by the GDPR for new projects, this strategy forces organizations to invest in data privacy early on in the creative/innovative process, which ends up mitigating future costs. Building data-imperative systems using Privacy Enhancing Technologies is another facet of this concept that leads to more innovative ideas. Some example of how Privacy by Design boosts innovation and reduces costs are:
- Potential problems are identified in the early stage when addressing them will be simpler and less costly than “bolting” solutions later.
- Organizations glean better awareness of privacy and data when privacy becomes part of their culture.
- Built-in privacy impact tools lead developers to create more efficient and effective processes for handling personal data.
- Building frameworks using this method can be helpful in reducing or exposing organizations to a higher likelihood of information security breaches.
“Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context,” by Paul de Hert & Michal Czerniawski, International Data Privacy Law, Volume 6, Issue 3, 1 August 2016, Pages 230–243
Privacy by design - from: deloitte.com
There are many more advantages to list, but the creation of end-to-end security alone is innovation enough for forward-thinking organizations to embrace these ideas. Here we can create a pause-point for condensation of our positives. A recent Deloitte study indemnifies GDPR (and our report) as a potential for positive change with:
“Ensuring privacy and security—through every phase of the data lifecycle (e.g., collection, use, retention, storage, disposal or destruction)—has become crucial to avoiding legal liability, maintaining regulatory compliance, protecting your brand, and preserving customer confidence.”
Some Significant Changes
GDPR has shifted data protection farther in favor of the individual. This is the most significant fundamental change in legislation. As the balance of ownership of personal data shifts from the company to the person, greater rights are now afforded to the individuals to decide how corporations use their data. Before GDPR, EU legislation defined personal data as anything that could be used to identify a “natural person.” Now the definition is expanded to include other metadata, including IP addresses, mobile IMEI numbers, and SIM card IDs, along with website cookies, and biometric data.
Before GDPR, organizations used smart technologies to make any number of crucial decisions “profiling” individuals. Now, the individual will have the right to challenge the way these algorithms work and the decisions they make. So, the new legislation forces all organizations to reconsider how consent to use data is done. Article 17 of the GDPR also introduces something called the “right to be forgotten,” or the power to legally request that personal data be deleted without delay. And under GDPR, data processors are as responsible for managing data as the data controller is, which presents several technical and business obstacles.
Another major change is that, under GDPR, a breach of data must be reported to a local supervisory authority within 72 hours. Negligent or intentional violation of GDPR can result in steeper fines than any previous regulation as well. As we’ve iterated, the GDPR is designed to harmonize data privacy across Europe, protecting EU citizens’ data privacy and reforming the way organizations handle data. In the past, each individual state had the authority to create its own regulations, but the current legislation is a win-win of standardization.
Finally, while there are myriad smaller changes in legislation within GDPR, the central notion of ‘territory’ is replayed with ‘jurisdiction.’ In one case, data controllers and processors outside the EU are brought under the GDPR using the identification of potential links between processing operations and EU law. Then there’s the targeting or destination approach instigated by the new regulation, which now bears more teeth than in past regulations. It’s these “teeth” that need the brightest scrutiny.
GDPR is poised to enforce “one law across Western Europe and a universal set of regulations that apply to companies doing businesses within EU member states.” As we’ve explained, this means the reach of the legislation extends beyond Europe, as organizations outside the EU will still need to comply. In the past few weeks, EU officials have begun rolling out EU General Data Protection Regulation, and many partners are not in compliance with from the start. France's data protection authority, the CNIL, has offered some examples of noncompliance, as have other EU states. But the big problem for organizations now is the seeming unpredictability of enforcement. And, the broader scope reveals a veritable enforcement/litigation minefield since GDPR will be enforced as of May 25.
Companies in the U.S. that may not have even considered themselves as part of the legislation will now have to ramp up to prepare. Amazingly, answers to the question of what enforcement will look like are not on the surface. At one end of the spectrum, solution providers are practicing fearmongering to glean GDPR compliance business. On the other hand government officials in the know plead for calm, declaring that GDPR compliance will be an ongoing journey. The sad truth today is, no one seems to have a grasp of how officials will enforce the regulations.
That’s right, with huge fines and sanctions looming on the horizon, there’s no differentiation in between fining Google €2.4 billion and leniency many organizations will certainly beg for. What we do know was expressed recently by an attorney involved in helping companies comply. Shannon Yavorsky told The Verge:
“We know roughly what compliance looks like, but we still don’t know what enforcement will look like or how aggressive the EU regulators will be. The simplest takeaway is that breaches will get a lot more costly, and that cost will be spread a lot further through the network. It will get more expensive to share user data, and sites will probably try to make do with fewer partners, which would certainly be a win from a privacy perspective.”
Amid the confusion and behind the curtain of GDPR potential actions, there are “clues” as to how regulators will use it. The Irish DPA, for one, will focus its enforcement efforts on resolving complaints as designated by GDPR, which requires DPAs to investigate all claims. Helen Dixon, who is the data protection commissioner for Ireland, shed some light recently on how enforcement will proceed. She also revealed how regulators would track down possible infractions by scrutinizing privacy policies, notices, and other literature of organizations for clues toward possible non-compliancy.
Still, even the most transparent country experts seem uninformed or unsure of a cohesive and consistent plan of action. So far companies are being advised to address the areas of highest risk for GDPR Compliance, which really puts a lot of organizations in limbo. The only thing that is sure here is that EU budgets for government data management and enforcement bureaucracies worldwide are set to skyrocket as the era of “self-regulation” comes to an end.
Penalties and Fines
Despite the relative confusion from EU official sources, and even with the fear-based service selling, regulators are assuring all concerned the new regulations will not be some kind of speed trap for businesses. Turning again to ICO’s Elizabeth Denham, the commissioner made a point stating that fines are a last resort of the regulatory process. She and other officials insist that “the point of GDPR is to ensure fair and proportionate (proportionate being the operative word here) action is taken against those that fail to meet the agreed standards.“ First, will come warnings, then the recommendations, and finally fines for those worst-case scenarios.
The meat of regulatory legislation does come in the form of the most substantial fines of the type ever levied. According to GDPR, companies can be fined for GDPR violations on one of two levels. Lower-level violations can draw penalties of €10 million or two percent of the violator's worldwide annual revenue, whichever is higher. That's revenue, as in income before expenses. As for more severe violations, the bigger non-compliance fines can be as much as €20 million, or four percent of the violator's annual revenue — again, whichever is higher.
In short, the impact a significant GDPR fine can have on a firm's bottom line can be devastating. The good news is, it is not in the best interest of EU regulators to break the companies which support the economy. At least it would seem that good faith will prevail.
Finally, there is the GDPR Accountability Life Cycle, which can serve as a guideline/lifeline for organizations seeking to comply. The GDPR Best Practices Guide puts forward a GDPR implementation methodology designed to:
- Engage stakeholders to ensure timely and efficient organizational readiness for GDPR.
- Implement effective procedures that embed GDPR-compliant operational behaviors.
- Establish assurance criterion that will sustain and evidence GDPR accountability.
This methodology is made up of three phases (Prepare, Operate, Maintain). In each of these phases, there are some supporting activities with objectives. The stated goal of the methodology is “sustaining and evidencing compliance with the GDPR Accountability Principle.”
The first phase is all about getting your organization ready to buy into the new regulatory structure through education and compliance training, building teams able to sustain a compliance program, identify and assessing relevant business functions distributing updated data protection policies and privacy notices, and similar activities.
Phase two of compliance is the operational phase where your teams get input, do due diligence, record and react to the regulatory landscape.
Then in phase three, if all the other steps are completed appropriately, your operations can maintain compliance through the integration of this new framework within your organization. Performing periodic impact assessments and being flexible enough to weather business change events are just two of the desirable compliance attributes you need going forward.
How GDPR Will Affect Hoteliers
GDPR will affect hoteliers and hospitality business the same way it affects any other industries. Marketing to guests will now have to respect a set of mandatory rules to be GDPR-compliant. This infographic by the GDPR coalition summarizes these rules: