Global Directors Beware: Are You Ready for EU’s Data Protection Regulation?

On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will go into effect in the 28 EU member states. Companies, the world over, are now rushing to meet the deadline for compliance but how many will make it?

The GDPR requires every organization that offers products or services to EU residents comply with a strict set of data privacy and security measures. These requirements will apply equally to those companies’ business partners. This essentially results in global regulation with potentially financial penalties and even criminal penalties for non-compliance.

GDPR is not just an EU-specific regulation – every EU citizen’s private data, regardless of where it is stored, must be protected. In today’s world of web-connected businesses, even small organizations not located in the EU may have data for individuals from EU countries and are, therefore, subject to aspects of GDPR. Storing the personal data of just one EU customer means that compliance with GDPR is required.

While originally thought to bring uniformity to enforcement in the EU, some EU member states are already making efforts to differentiate applicability of GDPR in their countries, which could add to the difficulties of implementation.

As it stands and was enacted, GDPR is binding on all EU members and, at 88 pages, is designed to address the disruption to data privacy wrought by the rapid evolution of information technology and business models over the past 20 years. The regulation will be enforceable by the data protection authorities (called “supervisory authorities”) of member states. Multinational companies, with their greater access to resources, will likely be able to meet immediately some of the GDPR’s requirements, but most will find that they need all the available time before inception to be completely ready. On the other hand, it is anticipated that many smaller entities may not be GDPR compliant before the deadline.

The GDPR will replace the EU’s existing data privacy and security regime, the Data Protection Directive 95/46/EC, which was enacted in 1995. The penalties for the violation of privacy regulations under the existing regulation vary among member states, with the potential for fines ranging from €150,000 to €900,000 ($184,540 to $1.1 million).

Supervisory authorities had little recourse against large, well-funded multinationals that viewed such fines merely as a cost of doing business.

This changes under the GDPR, which could see fines imposed up to €20 million ($24.6 million), or 4 percent of the offending company’s global annual revenue, whichever is higher.

GDPR also provides for potential criminal prosecution to be sought against directors and officers for deliberate breaches. Simply put, a board member can be jailed.

The regulation also features notification requirements modeled loosely after U.S. breach notification laws – the biggest difference being a new, shortened 72-hour time frame. Given that most breaches are not immediately discovered, and the extent of a breach can take time to determine, this could be a challenge for many entities.

Because the U.S. does not have a federal data protection law, data protection measures are set forth in numerous state laws and regulations. As a result, with the advent of the GDPR, organizations based in the U.S., which hold data on European customers, now have the daunting task of keeping track of each U.S. regulation, while ensuring that they are compliant with GDPR.

Fortunately, the GDPR’s requirements for data protection are in concert with most regulations in the U.S. There is nothing in the National Institute of Standards and Technology (NIST) Cybersecurity Framework that conflicts with the data protection practices required by GDPR.

An organization’s CEO and board of directors are responsible for GDPR compliance as well as with compliance with U.S. laws. They must ensure that practices are balanced with all cyber security and data privacy regulations that apply to their organization.

Rather than passively relying on others to understand the issues and resolve them, the board must become more involved and should start by asking questions about their organization’s level of readiness for GDPR and consider allocating resources to ensure the company is compliant by the deadline.

Unfortunately, most boards are not cyber-savvy. An article in the Harvard Law School Forum on Corporate Governance and Financial Regulation strongly suggested that the board itself create a committee focused on cyber risk and cyber security that covers the gamut of potential threats from both internal and external parties, including strong data protection capabilities. The article makes it clear that directors need to deal in specifics, rather than an “overview” approach.

A report published by Accenture revealed that only 6 percent of the directors at the world’s largest financial institutions have technology expertise. The data in North America is hardly better, with only 12 percent of directors having a professional technology background, according to the report.

Clearly, boards of businesses large and small are going to have to build or acquire new cyber-security skills going forward.

It is unlikely that the focus on holding individual directors responsible for cyber security will abate. Data breaches which are reported almost daily have raised the general level of distrust of “big business,” such as the recent criticism of the officers of EquiFax and Uber and many others before them, and a corresponding increase in the desire to hold top executives personally responsible. In response to these trends, board members must increase their cyber security skills, engagement and awareness to comply with the GDPR and the likely next wave of cyber laws and regulations.

Not only is GDPR of interest to multinationals and their U.S. business partners, but underwriters of cyber liability and management liability insurance policies are looking at how it will increase market opportunities. First, however, underwriters will want to be confident that their insureds are making timely strides toward compliance. If companies fail to comply, they could be slapped with significant penalties, and face reputational damage. At the same time, unhappy shareholders could sue the directors and officers of such organizations for securities losses.

Multinationals and their US business partners can expect to have to answer underwriters’ queries as to their compliance with GDPR when they are buying or renewing their cyber liability and management liability policies for the next several years.

As organizations approach the inception date of GDPR, they face the challenge of becoming compliant with the new regulations while at the same time dealing with potential conflicts with U.S. laws. A portion of the GDPR will remain in flux as some member states make an attempt to differentiate applicability of GDPR. This will continue to cause uncertainty until and if the European Commission decides to step in and require absolute uniformity among the members.

Meanwhile, it would be a good idea for companies and their data processing officers to develop relationships with the supervising authority in each EU state where they do business. Having a relationship and evidencing a desire to comply with the GDPR may persuade a regulator that a minor failure to comply is insignificant.

Only time will tell how the regulations will be enforced by EU supervising authorities and European courts. There is no doubt, however, that it will be quite uncomfortable to be the “first” to be publicly targeted for violation of the GDPR.

Related:

• Cyber Risk Management Fails to Measure Up to Escalating Cyber Risks: Marsh, Microsoft
• Help Wanted: Data Protection Officers to Aid Anxious Firms with EU Data Law
• 8 Ways Cyber Threats and Business Security Will Change This Year: Aon’s Predictions
• Companies Across Globe Race to Comply with EU’s Data Protection Law