On May 25, 2018, sweeping new regulations on consumer data privacy and security, collectively known as the General Data Protection Regulations (GDPR), will become law in all European Union member states – and any US companies who share data with EU-governed entities will be affected. To provide an overview of GDPR and answer a few burning questions, we turn to United Kingdom barrister and data privacy expert Dean Armstrong, QC, author of the book “Cyber Security: Law and Practice,” for this month’s illuminating Wise Interview.
By Rick Ferguson
- Tell us a little bit about your background.
Armstrong: In the United Kingdom, barristers present court cases dressed up in wigs and gowns. I am one of those, and have been since 1985. In my career, I've done a lot of corporate work, assisting various large entities in compliance and regulatory obligations. Three years ago, I was looking at the next big issue facing corporations, and that landed me in the world of data. As a result of that work, my colleagues and I decided to write a legal textbook dealing with data protection: Cyber-crime, database protection, espionage, consumer privacy, and the subject in which I've come to specialize: General Data Protection Regulations, or GDPR.
- For the uninitiated, can you explain GDPR?
Armstrong: GDPR is the first attempt at European Union-wide regulation of consumer data to unify protection of consumers' personal information. The regulations were ratified in June of 2016 for a two-year period. The purpose of GDPR is to enshrine in regulations the sanctity of our personal data. It recognizes that personal data has become "the new oil," and as such has become as important to us as any of our treasured possessions. It will also bring, through those regulations, serious fines if companies transgress and fail to protect the sanctity of that data.
- Noting that these regulations passed just as the UK voted to leave the European Union, how will Brexit affect the UK's need to comply with GDPR?
Armstrong: What many Britons don't realize is that the UK's Information Commissioner's Office (ICO) had a large hand in formulating GDPR, which passed just as the UK voted to leave the EU. Because of Brexit, there is a misconception amongst companies that the UK will not be affected by GDPR. In fact, when GDPR begins to be enforced in all EU states in May of 2018, the UK will still be an EU member state – which means we will need to comply with GDPR.
After Brexit, the ICO has suggested that it's very likely we will retain GDPR or pass similar regulations. So, those who believe that the UK will not be affected by GDPR are incorrect. It will have a direct effect both within the UK and on any companies trading with EU countries.
- Can you provide a high-level overview of the regulations, as well as penalties for non-compliance?
Armstrong: The centerpiece of GDPR is consent: Any company utilizing or trading in your personal data must have your explicit consent before they can do so. The reason consent is so important is that GDPR now recognizes that your personal data is your possession, and that companies must treat it as such. For example, if someone borrows your car, then at some point you need to get that car back, or it becomes theft.
For practical purposes, GDPR says that if a company holds your data, then they must have your explicit consent, which must be active, demonstrable, and unambiguous. GDPR also recognizes the right to be forgotten, which means that companies may hold your data for no longer than necessary. A company can't receive consent to hold your data for two years, and then decide later to hold it for five. The company will continue to need your active consent to hold your data.
Companies found in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million – whichever is greater. So, obviously the penalties for non-compliance can have a severe impact on a company's balance sheet.
- GDPR affects any company who controls or processes data on EU-member citizens, whether or not that company is headquartered in the EU. What should US companies who do business in the EU, for example, know about these new regulations? Are US companies prepared?
Armstrong: It's going to be an interesting time for US companies because of the conflicting approaches to data regulation. On the European side of the water, GDPR provides for much tighter regulations on consumer data protection. On the US side, there is perhaps a move toward less regulation. Certainly, there is potential for enormous tension between these two approaches.
The significance of GDPR for US corporations is that, while companies not headquartered in the EU are not governed by GDPR, there will be a problem with the transfer of personal data across borders. For example, a European company may have a supplier or partner headquartered in the US. GDPR will say to that European company that they cannot export consumer data to that supplier or partner unless they can demonstrate that the company receiving the data has adequate procedures in place to protect it. Any data that might lead to the identification of a natural person must be adequately protected, or the European company could face sanctions.
Conversely, no European company that is a supplier or partner of a US-headquartered company can receive data from that company unless the US company can demonstrate that the data has been adequately protected. Frankly, it's difficult to see how a multinational company based in the US can do business without complying with GDPR. If a US company has operations in the EU, and the US side of the business is found to be in breach, then the European operation could face sanctions. I would therefore advise US companies doing business in Europe and the UK to voluntarily comply with GDPR regardless of regulations in the US.
- Many US-based companies offer loyalty programs that traverse EU borders – for example, a large hotel brand might have millions of European citizens in their loyalty database. How will GDPR impact loyalty programs?
Armstrong: There's a specific reference to profiling consumers in GDPR. So, if a loyalty program conducts any sort of online monitoring of an EU citizen, then the company operating the program could be impacted by the regulations.
For companies operating loyalty programs that include EU citizens as members, their first task is to solicit member consent to hold their data for marketing purposes. The company must say, "We have this information about you, we will use it for these purposes, and we will hold the information for this amount of time. Do we have your consent?" Again, that consent must be active and demonstrative. Companies operating loyalty programs will need to change their approach – standard Terms and Conditions acceptance will no longer suffice, because consumer consent must be unambiguous.
There are also regulations regarding data access: Consumers will now have the right to access and review any data a company holds on them. Companies operating loyalty programs will need to create templates for consumers to request this data, and train employees on how to reply to those requests.
- What advice would you give those companies who will have to comply with GDPR? Are most companies prepared, or are they behind?
Armstrong: Companies are responding far too slowly. Surveys have shown that half of C-suite executives know little or nothing about GDPR. There's a certain amount of understandable regulation fatigue, but the problem is that the fines for non-compliance are draconian.
There may be less significance for US companies, but there is the potential for European consumers to seek material damages for GDPR violations through right of recourse. It's a mistake for those companies outside the EU to believe that GDPR will have no effect upon them. We live in a global community, and data exchange is essential to modern commerce. Any US entity doing business with any EU-governed entity will be affected by these regulations.
Also, consumers are far more engaged with this issue now, and companies must recognize that they must be more engaged with the people whose information they hold. Their approach to data security and privacy will need to be different in root and branch. To marketers I would say, "Understand that you are the custodian of your clients' personal data – and embrace these changes."
Rick Ferguson is Editor in Chief of the Wise Marketer Group and is a Certified Loyalty Marketing Professional (CLMP).