The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, officially changing the way EU businesses handle consumer data. Its effects will likely have far-reaching consequences, too, for both EU-based companies and those that operate outside the region.
Even with the deadline looming, many businesses are seemingly unprepared. Nearly 44 percent of small businesses and 41 percent of medium-sized companies have yet to take steps to ready themselves for the new rules, and preparedness is much lower among non-EU firms.
According to Ultan O’Carroll, assistant commissioner and technology advisor of Ireland’s Data Protection Commissioner (DPC), these companies could still fall under scrutiny by data protection authorities (DPAs), the regional agencies charged with reviewing GDPR compliance. He recently spoke with PYMNTS about the criteria to which companies will be held — regardless of their preparedness — and what, exactly, DPA-backed investigations will entail once GDPR goes into effect.
Ready or Not, Here Comes GDPR
Once officially live, GDPR will apply to any company or organization that collects, stores or otherwise processes personal data belonging to a natural person — a “data subject,” in GDPR terms. Non-compliant companies could be in for a rude awakening when May 25 rolls around, particularly if they are subject to a DPA investigation.
“If they’re in the situation where they have not made processing operations compliant with GDPR during the past two years, they may well find themselves afoul of the law,” O’Carroll said.
A company’s data handling practices could come to the attention of DPAs in several ways. Data subjects may report its practices to the agency, or the company might have to notify the DPA in the event of a detected data breach. Under GDPR rules, firms are obligated to notify their supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected individuals’ rights and freedoms at risk.
Once notified, the DPA’s team of 100 tech specialists, investigators and attorneys will look into the company’s data handling practices. That might involve a meeting where the firm’s IT officials or owners are informed of their business’ non-compliance. Each case will vary, O’Carroll noted, and the DPA will use the ensuing investigation to consider the severity of the problem and the appropriate actions to take.
Heavy fines could be levied in the severest cases. DPAs are authorized to impose financial penalties and sanctions of up to €20 million ($28 million USD) or 4 percent of a company’s worldwide annual turnover, whichever is higher, if they deem it necessary. It’s not likely that all investigations will result in fines, O’Carroll said, but companies may be told to cease performing certain data processing operations until they are in compliance with GDPR.
What Is Personal Data, Anyway?
One of the reasons many companies are unprepared for GDPR compliance stems from confusion around the definition of “personal data,” O’Carroll added. In the U.S., personally identifiable information (PII) typically covers data such as an individual’s name, address or phone number. Under GDPR, though, personal data is any information relating to an identified or identifiable natural person, including information that identifies someone only when matched with other readily available data.
“A name on its own might not be personal data,” O’Carroll said. “But, when combined with other information, like an address or phone number or something else, it allows that person to be identified and differentiated.”
The name John Smith might not mean anything on its own, but an email address like “firstname.lastname@example.org” would be considered personal data because it identifies a particular John Smith by his place of employment, he explained. (For the record, there is no one named John Smith currently employed at PYMNTS.)
“Personal data changes depending on the nature, scope and context, [and] based off the kind of processes that are going on,” O’Carroll said.
Playing by EU Rules
Companies based outside the EU are struggling the most with GDPR compliance, but these firms will be subject to the same requirements as EU-based companies. The regulation’s territorial scope is not limited to firms with an establishment in the EU: it also covers organizations elsewhere that offer goods or services to people in the EU or monitor their behavior within it.
Social media giant Facebook, for example, is facing intense legal scrutiny for how it shared users’ personal data with research firm Cambridge Analytica. Facebook’s headquarters is in the U.S., but it would still be required to follow the rules of GDPR because it has operations in the EU, including Ireland. This type of reach subjects even large corporations to the regulations’ terms. “For all intents and purposes, Facebook is a European organization,” O’Carroll said.
Facebook’s legal trouble highlights the need for both the GDPR and agencies like the DPC, both of which take meaningful steps to enforce and protect data subjects’ rights, he added.
“I think everyone is aware that data subjects are increasingly concerned about their rights around the use of their personal data,” O’Carroll said. “In an always-connected world — a world where personal data is used extensively to power online services, advertising and so on — they want to see their rights vindicated and upheld.”
Once GDPR takes effect, DPAs like Ireland’s DPC will be working diligently to ensure that the companies handling data understand their responsibilities and obligations — and the penalties for mishandling such information.
“We’re hoping that GDPR’s promise is the one that actually occurs, and that it materializes into something that does have, perhaps, a sea-of-change effect in [terms of] compliance of organizations,” O’Carroll said.
Companies operating in the EU will have to reckon with that sea of change once GDPR rolls out, or risk an investigation and potential financial penalties.
About the Tracker
The Digital Identity Tracker™, sponsored by Jumio, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identities.