Digital Privacy and the GDPR: Why You Should Pay Attention Now
- Tyler Mills
Even if your organization doesn’t collect or process the personal data of individuals in the European Union, you should pay attention to the EU’s General Data Protection Regulation (GDPR).
Why? Because this landmark data privacy law has become the standard by which all other privacy laws are now measured. Far from being “just a European thing,” digital privacy legislation has been enacted in 71% of countries worldwide — including in a growing number of U.S. states — and another 9% of countries have laws in draft form.
If your business is a cloud service provider, there’s a good chance that one or more of your clients have already requested a GDPR assessment as an add-on to their System and Organization Controls (SOC) 2 report. If you can’t assure these clients that your practices enable them to comply with the GDPR — for instance, that they can erase an EU resident’s records when that resident requests it — then they will be forced to find another service provider who can provide that assurance. While this loss of business might start as a trickle, it is likely to accelerate.
The GDPR, which went into effect on May 25, 2018, regulates how organizations collect, process, market, use, and store personal data related to people in the EU, whether or not they are EU citizens.
Personal data is defined by the GDPR as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
With this broadly inclusive definition, the GDPR has included within its scope everything from identity information (e.g., name, address, email, Social Security number) to geolocation data (e.g., IP addresses, website cookies) to racial categories, health and genetic data, sexual orientation, and even political preference.
Both “data processors” (those who process the personal data of EU data subjects) and “data controllers” (those who direct or control how the data will be processed) must adhere to a set of data protection and accountability principles. For example, you must process the data for legitimate purposes specified to data subjects at the time of collection, and you should collect and process only as much data as is absolutely necessary for those legitimate purposes.
Data subjects also have a set of privacy rights regarding their data, such as the right to erasure. Complying with this “right to be forgotten” can be one of the biggest and costliest GDPR-related hurdles for service providers. If an EU data subject requests erasure of their data, you must be able to show unequivocally that those records have been destroyed and that no record relating to that person remains on any of your databases or servers — including within backups. This ability to delete individual records from backups often requires costly changes to an organization’s processes, such as setting up separate environments for GDPR and non-GDPR data subjects and backing them up independently from each other.
Compliance with these provisions can be costly, but noncompliance has a far steeper potential price tag.
Within the GDPR’s two-tiered penalty system, the most serious infringements — such as those that violate the right of erasure or any of the GDPR’s other data protection principles — can trigger maximum fines of 20 million euros or 4% of the company’s global annual revenue. In addition to these administrative fines, data subjects have the right to seek compensation for damages.
The European Commission has demonstrated its commitment to enforcing its landmark privacy law, handing out a total of $1.25 billion in GDPR fines in 2021.
Although the U.S. is unlikely to enact federal data protection legislation anytime soon, a growing number of states have passed their own laws. The California Consumer Privacy Act (CCPA) made a splash in 2018 as the most comprehensive U.S. data privacy law, similar in many respects to the GDPR. Since then, three additional states (Colorado, Utah, and Virginia) have passed consumer privacy laws, and a dozen others (such as New York, New Jersey, Louisiana, and North Carolina) have bills in process.
In other words, there’s a very good chance that your state or a neighboring state has enacted or will soon enact a data privacy law. Rather than wait until your business finds itself with a data exposure, it’s worth your time now to assess your organization’s data collection methods and your data protection responsibilities. What might be your potential exposure? What would be the cost of changing your processes to keep pace with evolving laws and expectations?
Organizations with significant exposure to data privacy risks are wise to consider hiring a dedicated data privacy officer, rather than tacking the responsibility onto the job description of an existing position. If you can’t justify hiring internally, or can’t find a qualified candidate in today’s tight labor market, consider outsourcing the position to a reputable information security and privacy consulting firm.
Privacy concerns are not going away. Most American organizations will be impacted by a privacy law sooner or later. Take time now to understand your responsibilities and get out in front of evolving laws and consumer expectations. Whether you have questions about compliance with the GDPR or your state’s privacy laws, or you want to assess your data privacy practices and chart a path forward, contact CRI’s privacy and security professionals.