Did you know that one of Wisconsin’s biggest trading partners is the European Union? According to the U.S. Census Bureau, Wisconsin exported more than $3.8 billion to the 28 European Union (EU) states in 2017 and imported just under $7.9 billion from them. As Mark Maley of the Wisconsin Economic Development Corporation states, “To put this in perspective, that is just over 17 percent of our exports and just over 28 percent of our imports, respectively.” Thus, many Wisconsin businesses likely will fall under the EU’s new privacy rule, the General Data Protection Regulation (GDPR). The GDPR took effect on May 25, 2018, and has a global impact.

The GDPR replaces the 1995 Privacy Directives. The GDPR contains new protections for EU citizens, known as “data subjects,” and new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, data-privacy impact assessments, and appointment of data protection officers, to name a few. The GDPR requires companies handling EU citizens’ data to make major operational changes.

The GDPR gives data subjects the right to have their data forgotten or corrected or to ask a company for access to all the personal data they hold on them. Complying with such requests will not be easy. Companies need to know what types of customer data they are collecting, where it sits, and who has access to it. The regulations will fundamentally change the way customer data is acquired and managed.

Since May 25, many people have sought to determine where their data is kept, and companies must know how to respond accurately and timely. A recent survey by 7stars found that 34 percent of United Kingdom residents expect to use their “right to be forgotten” under the GDPR. That is likely to be the case throughout much of the EU.

In the event of a data breach, the regulations require that companies disclose the breach to their supervisory authority within 72 hours. If the data breach poses a serious risk to the data subjects, then they too need to be advised of the breach within 72 hours. Failure to comply with this requirement or others can result in fines, civil actions, and criminal penalties.

People and Businesses Affected by the GDPR

Lawyers in the United States might wonder why they should care about a European regulation. Many businesses outside the EU are affected due to the requirements of protecting, storing, and processing customers’ personal data – regardless of location. And though each organization uses data differently, the outcome of using data and how it is handled will be the same.

If you process data about individuals in the context of selling goods or services to citizens in EU countries, then you will need to comply with the GDPR. Compliance is required if your organization:

• Monitors the behavior of EU data subjects;

• Processes personal data of data subjects residing in the EU; or

• Holds or stores personal data of data subjects residing in the EU.

It does not matter if you are a small business with a few employees or an organization with thousands of employees in Wisconsin. If you possess personal data of EU residents, you are subject to the GDPR.

If you are a small shop in Cedarburg selling cooking equipment to locals and happen to have a couple of EU customers, then the GDPR might not apply. But if EU customers are a big chunk of your revenue and you actively seek them, you must comply. But how can regulators tell the difference? If you answer “yes” to any of the following questions, then you probably are subject to the GDPR.¹

• Do you list your product price in Euros?

• Do you have a .de, .fr, or any other .eu website domain?

• Do you have websites or send out catalogs in a language used in an EU country?

• Do you promote EU case studies or articles in your website?

• Do you have sales offices, operation centers, European phone numbers, or branches in EU countries?

• Do you regularly travel to conferences and shows in the EU to sell your products?

Your organization is likely dealing with personal data, whether or not you know it. Commercial printers, marketers, software developers, financial institutions, importers and exporters, and so on all may be considered to possess personal data. Consider what is defined as “personal data.” It includes not only bank details, home addresses, phone numbers, and email addresses but also IP addresses and Facebook, Twitter, and Instagram profiles.

Penalties and Enforcement

The fine for organizations in noncompliance with the GDPR can vary, because a tiered approach exists. The maximum fine is the greater of 4 percent of annual global revenues or €20 million. EU citizens can also bring claims in courts. In the case of intentional noncompliance, a director or officer of a company could even be jailed.

Enforcement of the GDPR will be done by supervisory authorities (one agency for each EU state). Article 51(1) of the GDPR states:

“Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).” (Please see the accompanying sidebar, Supervisory Authorities for EU Member States.)

For companies that are processing data from several EU states, the GDPR provides for a leading supervisory authority to be the central regulator in cross-border data-processing investigations.

Table: Supervisory Authorities for EU Member States

Data Protection Officer Requirements

Data controllers and processors alike must designate a data protection officer (DPO). Under Article 37, DPOs must be appointed when the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like, see Article 9).

Article 37 does not establish the precise credentials a DPO must possess, but it requires that the person have “expert knowledge of data protection law and practices.” The level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

Under Article 39, the DPO’s tasks include:

• Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data-protection laws;

• Monitoring compliance with the GDPR and other data-protection laws, including managing internal data-protection activities, training data-processing staff, and conducting internal audits;

• Advising about data-protection impact assessments when required under Article 35;

• Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data; and

• Being available for inquiries from data subjects on issues relating to data-protection practices, withdrawal of consent, the right to be forgotten, and related rights.

DPOs have many rights provided by the GDPR and responsibilities. They may demand company resources to fulfill their job functions and for their own ongoing training. They must have access to the company’s data-processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line “to the highest management level” of the company.

DPOs are expressly granted significant independence in their job functions and may perform other tasks and duties provided they do not create conflicts of interest. Job security is guaranteed. The GDPR expressly forbids dismissing or penalizing the DPO for performance and places no limitation on the length of tenure.

In the EU, the GDPR is about privacy and the rights of individuals to control how their personal data is used and by whom.

A company with multiple subsidiaries (a “group of undertakings”) may appoint a single DPO so long as he or she is “easily accessible from each establishment.” The GDPR also allows the DPO functions to be performed by either an employee of the controller or processor or by a third-party service provider.

If a company has a “main establishment” in the EU, then putting the DPO in that same location makes sense. The DPO will be able to have a closer relationship with the regulator, speak the same language, and understand that member state’s interpretation of the GDPR.² Several American multinationals with data-processing and related decision-making services centralized in the United States are placing the DPO at their American headquarters.

Data protection has been a legal function in Europe. Because legal knowledge will be a critical success factor for DPOs, many European companies are placing the DPO in the legal department. American companies are sometimes following this trend, but also many are putting the position under their chief privacy officer, or with internal audit, enterprise risk management, or ethics and compliance departments.

Many businesses outside the EU are affected due to the requirements of protecting, storing, and processing customers’ personal data – regardless of location.

Given the GDPR requirements, putting this position into IT, such as a chief information officer or chief information security officer, is not the best fit. These roles are primarily focused on technology security, and the DPO should collaborate and communicate between IT, legal, and compliance departments and so on and not be solely focused on technology solutions.

Putting in Place a GDPR Solution

You can’t buy a GDPR solution. There is no such thing as a GDPR-compliant tool in a box. The GDPR is about privacy more than security. Technology plays a part, but there is not a product that will solve all GDPR challenges. Americans tend to view privacy through a security lens and as a technology problem. In the EU, the GDPR is about privacy and the rights of individuals to control how their personal data is used and by whom.

If your organization did not make efforts to comply with the GDPR already, you may now find yourself in noncompliance. If so, and you are subject to the GDRP, you must begin the process of training your employees on the GDPR and assessing your data. You also need to determine if your privacy policies need to be revised to comply with the GDPR and perform a data privacy impact assessment (DPIA) (different than a privacy impact assessment, which many people in the United States are familiar with) and appoint a DPO. The chart in this article (please see accompanying sidebar, Checklist for GDPR Compliance) is just a partial checklist. There is a lot to do and little time to do it as the regulators will be looking for examples of noncompliance.

Do you want a Wisconsin company to be the first USA company embarrassed or worse by being noncompliant?

Conclusion

You can have the best security in the world and if you do not otherwise comply with the GDPR, you will be in violation of it. The GDPR is a privacy regulation! Many Wisconsin companies are subject to the GDPR and, if not compliant, must become compliant as soon as possible. It is not easy nor quick to comply with the GDPR, but companies have had years to prepare.

This article is an overview of the GDPR and is not meant to be exhaustive.

Endnotes

¹ One more thing, if you have a visitor book in your lobby or at a sales conference that includes names, address, phone number (and perhaps, email addresses) of EU citizens, that book contains GDPR data!

² For multinationals with European operations centralized in the UK, Switzerland, or Norway, the advantages of a main establishment are not possible because these countries are outside the EU or soon will be.