GDPR explained for Global Businesses
What is “GDPR”?
The General Data Protection Regulation 2016/679 (“GDPR”) is a European Union (“EU”) regulation addressing data protection and privacy in the EU and the wider European Economic Area (“EEA”), which links the EU member states with the three European Free Trade Association states (Iceland, Liechtenstein, and Norway), as well as the transfer of personal data outside the EU and EEA. GDPR is generally considered to be the toughest privacy and security law in the world. The GDPR framework came into force on 25 May 2018, and it applies equally in all EU Member States. Since the departure of the United Kingdom (“UK”) from the EU, known broadly as “Brexit”, the UK has incorporated a near-identical data protection regime, which is commonly referred to as the “UK GDPR”. For the purposes of this blog we refer to both the EU and the UK regimes jointly as “GDPR”.
Most of the world’s developed and developing countries outside the EU and UK are now engaged in formulating a data protection regime modelled at least to some extent on GDPR.
Who do GDPR regulations apply to, and what are the risks of non-compliance?
Essentially, any organization in the world MUST be aware of and be compliant with all aspects of GDPR if it meets either of the two criteria below:
It is operating a business in the EU/UK, and therefore collecting (“processing”) personal information (“data”) from employees, customers, contractors, or third parties, OR
Even where it has no operational EU/UK base (for example, it could be operating exclusively from the US), it is collecting personal information from EU/UK residents.
Concerning the latter, GDPR has what is known as “extra-territorial reach”, which means that it is possible for EU/UK data authorities to pursue an organization for data infringements even where the infringing organization has no EU/UK establishment. The test essentially is not where an organization is established or is operating, but whether it processes personal information of EU/UK residents.
CEOs and CFOs of businesses should note that under GDPR it is possible for financial penalties of €20 million or even more to be imposed for infringements of its regulations. If an organization’s global turnover (revenue) exceeds €20 million, then authorities in the EU/UK can impose penalties of up to 4% of the organization’s global turnover. Since the introduction of GDPR in 2018, a number of very large financial penalties have been imposed on defaulting organizations. Each Member State of the EU, together with the UK, has its own national data regulatory authority. While they are all subject to the same over-arching legislation within GDPR, it is open to each national authority to exercise discretion as to what level of penalty to impose for breaches, up to the maximum of €20 million, or 4% of global turnover if greater.
As just one example, in July 2019 British Airways was informed by the UK regulator that it would be fined £183 million for serious infringements of GDPR. Various other very large fines have been imposed by other EU data authorities, and authorities in the EU/UK routinely impose much lower fines that still run to several hundred thousand Euros, plus legal costs and other expenses. GDPR should not be taken lightly, and most certainly should not be ignored! It is very risky for an organization to assume that it is too small, or not in a sufficiently significant sector, to attract the interest of these governmental authorities, all of them hungry for income no matter where it comes from.
How can a business comply with the requirements of GDPR, and avoid the risks and financial penalties of non-compliance?
GDPR is a legal compliance framework established to protect the processing of personal information. In broad terms, there are two main aspects to achieving compliance with GDPR, thereby avoiding the risk of incurring a large financial penalty.
First, it is necessary to have a number of specific GDPR policies and other documents prepared (and, of course, these policies must be adhered to once they are put into place!). These will include:
An organization’s internal data protection policy
An appropriate web-based external data protection policy
A data retention policy
Amendments to an organization’s template contracts with customers and third parties so that they all include the required GDPR language for situations where the contracts are relevant to the EU/UK
A GDPR-referenced ‘Notice’ template, as it is a legal requirement under GDPR to serve an appropriate, very specialized Notice on all employees and on new hires as they join
Second, on the technology side, it will be necessary for an organization’s IT department to ensure that all systems, both internal and externally facing, are technologically compliant with the strict requirements of GDPR, so as to ensure the security of data.
Where an organization operating a business within the EU/UK is also transferring data outside the territory (for example, back to the US), it is essential under GDPR to ensure there is an appropriate compliance mechanism in place to validate those international transfers of data. This is a fundamental legal compliance requirement under GDPR, and the data authorities within the EU/UK have the discretion to impose large financial penalties for breaches of this requirement.
It should be noted that, uniquely for businesses operating in the UK, it is necessary, in addition to being compliant with the provisions of GDPR, to also be publicly registered with the UK national data protection authority. This additional requirement equally applies to an organization not based in the UK (for example, based exclusively in the US) which nonetheless is collecting the personal information of UK residents. In these instances, it would, for example, be the US ‘Inc.’ that registers with the UK data authority.
How can HSP help clients avoid the potential risks and consequential financial penalties of failing to be in compliance with the requirements of GDPR?
HSP has a dedicated support team with considerable expertise and years of experience advising organizations on all aspects of achieving compliance with GDPR. Our “GDPR Team” also has many years of experience advising on data protection matters in most countries in the world outside of the EU/UK.
Our most popular solution is our fixed price, turnkey, two-step GDPR Compliance Assignment. This engagement is especially popular with venture capital backed technology companies, and other emerging growth businesses, who may have only recently reached a point where they believe that GDPR compliance may likely apply to them but are not certain of what all the requirements are, or whether they are in full compliance. This engagement includes:
GDPR Phase 1 - Carrying out a full initial assessment of a client’s GDPR compliance status, and reporting back accordingly
GDPR Phase 2 - Depending on the results of Phase 1, undertaking all aspects of drafting and putting into place the elements needed for full GDPR compliance, including the preparation of all required GDPR policies and documents (internal data protection policy, web-based external data protection policy, data retention policy, template contracts that include the required GDPR language, and/or a GDPR-referenced ‘Notice’ template)
Summer 2021 would be a great time to get things in order relative to overseas expansion, including GDPR requirements, given the expected strength of the global economy in the second half of this year and on into 2022. If you would like to learn more about how HSP Group’s GDPR Compliance Assignment can be of assistance, reach out and contact one of our experts at GDPR@hsp.com.