GDPR Countdown – 8 Weeks to Go

This was not a great week for you to buy a sandwich at Panera, take a flight on Delta, get some tires at Sears, use natural gas to heat your house, go for a jog in your Under Armour gear (click clack), or uh, you know, be Mark Zuckerberg. The near-constant stream of data breaches this year is an indication both of the ubiquity of bad data security and the urgent need for better awareness of data sharing among companies, both by consumers and by the companies themselves. Obviously, there’s a lot to do.

Breaches are becoming more commonplace, and we are becoming more ho-hum about them, two developments which are going to have to change under GDPR. The requirements for how to prepare for, respond to, and act after a data breach in the Regulation are far more rigorous than anything on the books now, either in the EU or the United States. Those requirements, coupled with the severe penalties that we’ve discussed before, make it almost a good thing to get your breach out of the way now, and not, say, in June.


GDPR requires that companies incorporate “privacy by design” into their operations. What that means is that it’s no longer sufficient to be reactive when it comes to data security. Instead, controllers and processors must “integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” In other words, protection of data subject privacy is a mandatory component of the law, and controllers have the affirmative, proactive obligation to go find ways to ensure data security as well as it can be done.

This is a substantial departure from the law in the United States, to be sure. Here, the tort law model we follow essentially says “if you were lax enough to get hacked, you’ll get sued.” Proving that kind of case requires a showing that known risks were disregarded or, in the rarer case, that the company wasn’t keeping up with industry standards of care. That’s not so easy to prove, but in our legal system, the threat of litigation (and its staggering costs in time and money) can be deterrent enough.

Not so in Europe. Regulators will have the power to conduct non-judicial inquiries and impose fines and costs outside of litigation, though, to be sure, in some countries courts will still need to approve the penalty. Data protection authorities (DPAs) will have the ability to find that, under the totality of the circumstances, a company has liability for a breach simply by virtue of not meeting the standards of Article 25. And who gets to decide the contours of failing to meet the standards of the GDPR? Yep: the regulators.

In addition, there’s an affirmative duty to report breaches to DPAs, with limited exceptions. Although the Regulation says that the notification must be made “without undue delay,” it sets the standard at 72 hours, which is what most regulators have described as their timeframe. That is a drastically shorter timeframe than under most existing laws. And, of course, a failure to notify a regulator under Article 33 within the appropriate timeframe is itself a violation of the GDPR that would subject you to a penalty. You can see how quickly those fines can add up if you mismanage a breach.


It’s tempting to say, in response to all of this, a glib “I guess you just can’t get hacked.” But the Regulation (and regulators) understand that it’s impossible to prevent every breach, and it would not be economically feasible for most companies to even try. The goal, instead, is to drive the market towards greater emphasis on preventing as many breaches as possible.

Put another way, just because your company has a breach doesn’t mean that you’re necessarily looking at a hefty fine or even a non-monetary penalty. Instead, if you…

    1. make a good faith effort at incorporating privacy by design,
    2. follow GDPR principles like transparency and legitimacy, and
    3. promptly comply with notification requirements,

you may be able to avoid a regulatory action altogether. The key is starting the process of implementing those practices and procedures now, so that there is a demonstrated record of having the right focus. That’s how you show the regulators that your company is datasmart — even in the wake of a breach.
