GDPR Q and A
To find out more about GDPR and its implications from a legal and cyber security perspective, we speak with Cognosec AB’s Group General Counsel, Daryn Stilwell.
Daryn, could you begin by stating what GDPR is and its aim?
The General Data Protection Regulation, or GDPR, is new data protection legislation that will become law on 25th May 2018. The aim of GDPR is essentially twofold:
To safeguard the rights of data subjects, that is those individuals whose personal data is collected by individuals or companies; and
To provide a uniform data protection regime across the EU.
What is the scope of GDPR?
The scope of GDPR is very broad: GDPR imposes obligations on both data controllers, those who determine the purpose and way in which personal data is processed, and, for the first time, data processors, those who store data on behalf of controllers, e.g. cloud service providers.
The fact that the same entity can be both a data controller and a processor widens potential liability even further. For example, a company can be a data controller with respect to its employees’ data, and a data processor where, for example, it stores personal data on behalf of a company which has outsourced this function.
If you think of the number of companies that outsource their data storage to cloud service providers, who were previously only liable for data protection breaches via the contractual agreements between themselves and the controller, this direct liability will have implications both for how such cloud service providers do business and for the companies who outsource their data storage to them.
Why was it necessary to introduce new data protection legislation?
Firstly, from a regulatory perspective, the current data protection laws across the EU vary from country to country, sometimes rather significantly.
This is because each national data protection law was put in place as the result of a directive, the EU Data Protection Directive. An EU directive requires each EU member state to implement the directive into national legislation: the UK, for example, implemented this legislation via the Data Protection Act 1998. The problem is that, as a directive, there was potentially room for interpretation as to how the data protection directive was implemented into each member country’s national law.
This resulted in uneven data protection laws throughout the EU and raised the potential for data arbitrage, e.g. companies transferring and storing personal data in one EU country because its data protection laws were laxer, and therefore potentially cheaper in terms of compliance, than those of the home country of the individual whose data was processed.
A regulation, unlike a directive, does not need to be transposed into the national law of individual EU member states; rather, it becomes immediately enforceable throughout the EU at the time of its entering into law. This should mean that there will be one EU data protection law. In practice, this is not entirely true, because, for example, the policing of data protection will be carried out by each country’s Data Protection Authority (DPA). The DPA of a particular country is its chief data protection body (e.g. the Information Commissioner’s Office in the UK), and how it implements the law will necessarily vary from Member State to Member State. Nevertheless, at least in theory, they will all be working from the same legislation.
What are the consequences of breach?
The headline consequence of breaching GDPR is the administrative fines for breach of its provisions. These are:
€10m or 2% of annual global turnover for less severe offences; and
€20m or 4% of annual global turnover for the most serious offences.
These are significant enough, but become even starker if we unpack the above.
First of all, it should be understood that a company does not have to suffer a data breach to incur the most significant level of fine. As just one example, failure to comply with a data subject access request will, under GDPR Article 15, result in the highest fine.
Similarly, where a controller holds inaccurate information on a data subject and fails to comply with a rectification request in a timely manner, this will incur the maximum level of fine. What this illustrates is that a company must ensure that it has a robust internal communications system and processes in place at all levels of the organisation.
The other important point is how many articles in GDPR carry the highest level of fine for breach. What may appear relatively innocuous breaches could carry the maximum fine.
Additionally, although the full scope of GDPR is applicable only to data controllers, data processors are also subject to several of the most serious provisions. In addition, where there is a breach that involves a data controller and a processor, then both are liable for the full amount of the above fine for the breach.
What are the consequences and/or requirements in case a company suffers a data breach?
Well, in addition to the administrative fines regime referenced above, if a data controller suffers a breach involving personal data, there is a right under Article 82 for the data subjects affected to directly claim compensation for any damages they suffer as a result of the breach. If you imagine any sort of company that stores a large volume of customers’ personal data, such as a financial institution, or sensitive personal data, such as a hospital, a breach could result in a fine comprising the higher of 4% of its gross annual turnover or €20m, in addition to having to pay direct compensation to what could be hundreds, thousands or even millions of individuals. Couple this with the reputational damage that would accompany any such breach, and we can see that the very existence of even large multinational companies could potentially be at risk: this is why it is of paramount importance to ensure adequate preparation is made well before 25th May 2018.
Finally, a data controller must, under Article 33, notify a personal data breach to the relevant supervisory authority without delay and no later than 72 hours after becoming aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of individuals. If a company does not provide the above, or if it does not provide an adequate explanation for the delay, then it will incur a fine of €10m or 2% of global turnover.
What can Cognosec do to help organisations prepare for GDPR?
There are currently numerous GDPR solutions on the market, from tools that essentially provide an audit of a company’s data processing and storage functions from which a gap analysis can be done, to various legal solutions involving the drawing up of governance documents and drafting of GDPR-compliant legal frameworks, and technical solutions involving assurance and advisory services, consulting on what products are required, through to implementation and even maintenance.
Where Cognosec can help and where it is unique, is that it provides an end-to-end GDPR solution comprising all requisite legal, technical and regulatory elements. Cognosec will be able to guide a company from the initial audit stage, through to ensuring that the company is fully prepared for GDPR from a legal and technical perspective, with all the necessary documents and procedures in place.
The underlying principle of GDPR compliance, under Article 5(2), is accountability, meaning that a company must not only show that it is GDPR-compliant, it must demonstrate its compliance and explicitly state that it is aware of its ongoing responsibility in this regard.
The practical effect is that a controller must, for example, be able to demonstrate to its DPA (in the instance of an audit) that it maintains up-to-date and relevant documentation on its processing activities and, where appropriate, uses data protection impact assessments and appoints a data protection officer.
In addition to an end-to-end GDPR compliance solution, Cognosec can also offer its clients a compliance task force for once GDPR has been implemented, which will be able to provide ongoing assurance and assistance in case of, for example, a company suffering a data compromise or requiring the incorporation of any additional legal paperwork.
Finally, can Cognosec help companies based overseas or those EU companies with international offices?
The scope of GDPR is truly global: any company outside the EU is also caught by GDPR if it either monitors EU citizens or offers them goods and services.
This brings into the scope of GDPR not only large multinationals but also, in an increasingly globalised and interconnected world, many smaller companies.
Due to Cognosec’s global presence, with companies across three continents, we can ensure that both relevant non-EU companies and those EU companies with overseas offices are adequately prepared for GDPR.
Cognosec can advise on the legal aspects, such as the drafting of Binding Corporate Rules (BCRs) (recognised for the first time under GDPR as a legitimate means of ensuring the integrity of personal data that is subject to cross-border transfer between subsidiary offices of a multinational company), as well as providing the technical consultancy required to comply with GDPR in order to do business in the EU.
In all instances, Cognosec will be able to provide concerned companies with an end-to-end GDPR solution that will not only demonstrate compliance and thereby avoid large fines, but also impart to companies the sophisticated approach to data protection that is the ultimate end goal of the legislation.