Skip to main content

Upcoming EU regulation puts data protection front and center

Upcoming EU regulation puts data protection front and center

U.S.-based trade associations, professional societies that do business in Europe will likely need to take steps to ensure compliance

A European Union regulation taking effect May 25 will create tough new mandates for how businesses and nonprofit organizations store and handle personal data, and even U.S.-based trade groups and professional societies may not be able to escape its reach.

The General Data Protection Regulation vastly expands the scope of the EU's data privacy and breach notification requirements. There is little comparable in U.S. law, although other countries outside the EU have adopted data privacy regulatory requirements closer to that of Europe. That's why cybersecurity experts say it is good for any organization to review the policies and procedures in place for securing data about members or customers.

"One of the major changes with the GDPR is it is explicitly extraterritorial and it will reach organizations that don't have offices or employees in Europe," said Kelly DeMarchis Bastide, a partner in the eCommerce, Privacy, and Cybersecurity Group at law firm Venable. "If they offer their goods and services to EU individuals, there has been a little bit of puzzlement in how that applies."

The EU has had data privacy regulations in place since 1995. The GDPR updates the existing rules while adding substantial teeth to enforcement. Organizations could be fined up to 20 million euros ($24.6 million) for the most serious violations, although smaller fines for not maintaining proper records or failing to quickly notify individuals about data breaches are more likely.

EU privacy regulations also have concepts foreign to U.S. law, such as the right to be forgotten, which allows individuals to request their personal data be erased and no longer disseminated by an organization. The GDPR also strengthens requirements that organizations seek an individual's consent before collecting personal data rather than placing responsibility on the person to "opt-out" of such efforts, as is common in the U.S.

EU regulators are expected to release further guidance aboutapplicabilityof the regulation to organizations outside Europe, but ingeneralan association would have to engage actively in purposeful training or marketing for EU citizens for the GDPR to kick in, Bastide said.

"A really common misconception I see is this is just an IT issue. … It's not that simple and that's not actually asking the right question," she said.

Think ahead

How can organizations prepare for the GDPR or similar regulations? First, they should have someone whose job it is to find out the answer to such legal questions, usually legal counsel, said Ryan Phelan, vice president of marketing insights at Adestra, a developer of email marketing software.

"I know a lot of companies that just use their attorneys for lawsuits and contracts and that kind of stuff, but you really need to say to your attorney, ‘Okay, we need to expand your scope to look at our business within the global landscape of legislation,'" Phelan said.

Second, groups should consider joining organizations with missions to stay abreast of developments concerning data privacy law and regulation, Phelan said. One example is the Email Sender and Provider Coalition, of which Adestra is a member. The group has briefed and prepped members on the GDPR and similar data protection laws in Canada, he said.

Third, just be aware of data protection issues and pay attention to developments in the field, Phelan said.

"I wonder if we haven't had our head in the sand about privacy because it hasn't been an issue until the last three or four years," he said. "That's because of the propagation of data, the accessibility of data, the propagation of apps and the web. This is moving so fast that this is just one of the byproducts of that."

Domestic policy

One thing U.S.-based associations probably don't need to worry about is something like the GDPR becoming federal policy anytime soon, according to Michelle Reed, a partner at law firm Akin Gump who specializes in cybersecurity and data protection compliance.

The U.S. has strict data protection laws for specific industries, the best known perhaps being the Health Insurance Portability and Accountability Act, which covers medical information. But lawmakers have generally resisted enacting overarching data privacy laws. For example, Congress has yet to pass a federal data breach notification law, leaving the matter up to states and territories.

"What regulation applies to you is just based on what type of business that you have, what you do and what sector you're in," Reed said. "I frankly don't see the U.S. changing from that. It is embeddedintoour system and coming up with a broader approach would require so many people getting on the same page that it would be very difficult for Congress to get that through."

Organizations that want to reduce their legal liability regarding data privacy can take a couple steps, Reed said. First is to pick up a copy of "Start With Security," a free publication by the Federal Trade Commission that summarizes U.S. case law on data protection. The publication is available for download from the FTC website.

Second, talk to whoever handles IT at the organization and ask what they are benchmarking their cybersecurity against, she said. There are many security frameworks available, but the most common is the NIST Cybersecurity Framework, which was first developed by the U.S. National Institute of Standards and Technology in 2014 and has since been updated.

"So have a conversation with someone in information security and say, ‘Here's the framework. Where are we on this? How are we benchmarking? How are we tracking? Are we following up on red flags and improving as we mature?' Those are the conversations that need to be had," she said.

KEY PROVISIONS IN DATA RULE

Extraterritorial scope. The European Union's new General Data Protection Regulation will apply to all companies and organizations processing the personal data of European Union citizens, regardless of an organization's location.

Expanded penalties. Organizations face penalties of up to 4 percent of their total annual revenue or 20 million euros, whichever is greater. Most penalties will be substantially less.

Consent. The regulation strengthens existing regulations mandating that organizations must seek out user consent before collecting data. The language spelling out those terms must avoid "long illegible" terminology and conditions full of legalese.

Data breach notification. Organizations must alert individuals that their data may have been accessed within 72 hours of becoming aware of a data breach.

Expanded digital rights. EU citizens have the right to access their data, the right to have their data "forgotten" upon request, and the right to have all of their data collected by an organization transferred to another company, organization or entity.

Privacy by design. Systems used to collect and store data must incorporate data protection at the very beginning of their design and not as a feature added later.

Data protection officers. Organizations that store and process large amounts of data will need to employ or contract a data protection officer to oversee how personal data is handled and secured. This provision probably won't apply to most nonprofit organizations.

Source: EUGDPR.org

.