GDPR: Key Changes from DPD 95/46/EC
Mike Baier, CISM
AI Governance | Cybersecurity Architecture | Integrated Risk Management | Blockchain Enthusiast
As with any major change, I've been finding many postings, incomplete articles, and inaccurate "counsel" coming from a significant number of sources. Here is a high-level list of the primary topics altered by the implementation of GDPR versus what was known as DPD 95/46/EC (the Data Protection Directive it replaces):
- Increased Territorial Scope (extra-territorial applicability). As noted by so many others, GDPR applies not only to organisations established in the EU but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (Article 3). Note that the test is whether the data subject is in the EU, not whether he or she is an EU citizen, and that GDPR's term is "personal data", which is broader than the US notion of PII. To me, this is a clear example of the EU's intentional steps to force the entire world to submit to the EU in every way, shape, and form. Essentially, the EU is telling the world that, in order to do business with or interact with people in the EU (even from outside the EU), companies around the world must do exactly what the EU tells them to...or pay the price. However, I think that, if a case like this were taken to court (on US soil), these fines would be difficult to enforce. I'm all for data protection, security for personal data, etc...but, to me, this part of GDPR takes it just too far with a very heavy hand in governmental control over business...especially attempted control over businesses (and even countries) that are not otherwise subject to the EU's requirements.
- Penalties. Financial fines are a major reason so many companies are giving in to the EU's demands. Administrative fines are tiered by the type of violation (Article 83): the lower tier is capped at EUR 10M or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, and the upper tier (covering, among other things, the basic processing principles, data subject rights, and international transfers) at EUR 20M or 4%, again whichever is higher. The figure is group-wide turnover (revenue), not profit. Fines are imposed by the national supervisory authorities rather than by "the EU" directly, and Article 78 gives the fined organisation a right to challenge a supervisory authority's decision in the courts of that authority's Member State. While I firmly believe in, and agree with, a fine-based compliance system, there should also be some sort of independent oversight (or a type of Board of Reviews) ensuring that authorities aren't simply attempting to enforce fines on companies that are unjust, unwarranted, and inappropriate.
- Consent. This is one adjustment I'm fully behind and support: the requirement (Article 7) for any request for consent to be presented in a clear and concise fashion, in an intelligible and easily accessible form, using clear and plain language, which means removing the legalese and loopholes. I'm also incredibly supportive of the requirement that withdrawing consent be as easy as it was for the company to obtain it.
- Breach Notification. A standard reporting requirement, across the board: the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming "aware" of a personal data breach (Article 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms; affected individuals must also be told without undue delay when the risk to them is high (Article 34). Here's a question aimed at a critical point of this requirement: what's the definition of "aware" in these scenarios? Are breaches supposed to be reported at the point of being a "suspected" breach or at the identification of an "actual" breach? Recital 87 ties awareness to the controller having a reasonable degree of certainty that a security incident has compromised personal data, which points toward "actual" breaches, but supervisory authorities still have room to interpret that. My hunch is that the EU will attempt to force notification at the point of "suspected" breaches, and that aspect (if that is, in fact, where the EU is intending to go with this) can do more harm than good...especially for the scenarios where a breach is later proven not to have taken place and the public and reputational damage of an improper notification has already been done to the business in question. I'm hoping, however, that the EU will apply this mandatory universal time frame to "actual" breaches. Another issue I have with this universal notification period is that it may not be achievable for some companies (depending on each scenario's unique set of circumstances), and existing contractual allowances/obligations might extend beyond the 72 hour limit or allow for "reasonable" notification periods; a contract between a controller and a processor cannot extend the statutory deadline, though Article 33(2) does require the processor to notify the controller without undue delay. Personally, I'm all for improved consistency, but I'm afraid that this type of limitation will be extremely difficult to implement (on a global scale) and equally difficult to enforce and monitor.
- Right to Access. This is a good thing, for sure! Transparency in who/where/what personal data is being used/stored/processed/retained by an organisation is a good thing. However, in all that I've read about this topic, I'm mostly finding information detailing how companies must be forthcoming when asked (Article 15), and little about being proactive in letting people know what information they've already got. GDPR does require some up-front disclosure: Articles 13 and 14 oblige a controller to tell data subjects, at the point of collection (or shortly afterward, for data obtained indirectly), who it is, why it is processing the data, and with whom it shares it. But that still leaves individuals to keep track of every organisation that has ever collected something about them, and it will be very difficult for individuals to identify which companies to contact in order to find out where their information really is. Yes, this puts some burden on a company to be transparent, but it does not do enough to empower individuals with the "right" amount of information to know how, or where, to inquire.
- Right to be Forgotten (Right to Erasure, Article 17). I firmly support this portion of the Regulation. However, the exceptions don't fully account for a company's legal or regulatory obligations outside the EU to retain specific types (and volumes) of personal data, such as transaction records retention for US tax purposes imposed by the US IRS. Article 17(3)(b) carves out processing required by a legal obligation under Union or Member State law; a retention duty under US law does not obviously fit that wording. Example: a data subject provides written direction to a US-based company that recorded a transaction 6 months ago, directing the company to erase and remove his/her personal data, and this portion of GDPR requires the company to do so. If the IRS requires those transaction records to be retained for 7 years following the date of the transaction, the company would be complying with the EU's demands under GDPR but would now be violating US IRS requirements for records retention. Which regulation is the company supposed to comply with, and which requirement is supposed to be ignored or violated?
- Data Portability. Portability, in these cases, can be a good thing, and it sits alongside the accountability requirements between a Data Controller and a Data Processor. A Controller, as defined in Article 4(7), means "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" and a Processor (Article 4(8)) means "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". Portability, as written in Article 20, gives a Data Subject the right to receive the personal data he/she provided to a Controller in a structured, commonly used, machine-readable format and to have it transmitted to another Controller; it applies to data processed by automated means on the basis of consent or a contract. Note that portability itself does not oblige the initial Controller to remove or destroy its existing records of the Data Subject's personal data; that only happens if the Data Subject also exercises the right to erasure, which brings back the records retention issues noted above. What is good about this area of the Regulation is the contractual requirements it places on a Controller's use of Processors and sub-processors (Article 28), i.e. the 3rd, 4th, and even 5th parties being utilized by the Controller. Many of the items noted in an article found on GDPREU.org detail contractual requirements that are already commonplace in the US and will help improve existing issues.
- Privacy by Design. To me, this is another topic that's fairly commonplace in the US, and US-based companies should not have too much of an issue here. Article 25 (data protection by design and by default) documents the need for app, website, and network development to include privacy considerations during the design and development of these tools, not as an afterthought once the design of the app/site/network is completed, and adds that, by default, only the personal data necessary for each specific purpose should be processed.
- Data Protection Officers. Similar in concept to the appointment of a CISO, a DPO (Articles 37 to 39, required for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data) monitors the organisation's compliance, advises on obligations, and acts as the point of contact for the Data Protection Authority (DPA). These DPAs are independent supervisory authorities established by each Member State, not appointed by the EU itself; they function as regulatory bodies enforcing GDPR's requirements and hold the power (Article 58) to investigate, order corrective measures, and impose the fines described above.
Other than these high-level key changes, GDPR still encompasses the core of DPD 95/46/EC. I'll discuss each of these topics in more depth in subsequent articles. Please send me a private message if there's a specific topic you'd like me to discuss before the others, or if there are specific aspects of each topic you'd like me to focus on or expound upon in my articles.
Please also feel free to contact me for opportunities to guest-author blogs, articles specific to your company's product(s)/industry, guest speaking engagements, and other special interests impacting US veteran employment and mental health.