This article originally appeared in the June 27, 2018 issue of the San Francisco Business Times. To view the original article, click here.
May 25, 2018 — the day that GDPR, the European Union’s new General Data Protection Regulation, became enforceable — came and went like any other day. That silenced a lot of the doomsday-esque predictions we saw in the business pages leading up to its implementation.
But while it’s true that it hasn’t been all fires and plagues since the regulation came into effect, businesses shouldn’t take the quietude to mean that GDPR is like those “speed limit enforced by aircraft” signs: intended to scare people into compliance, but not actually enforced.
In practice, any law or regulation is a combination of the written legislation, the interpretation of that text and how it’s enforced. We have no idea how punitive the European Commission’s enforcement will be, nor do we know how it will determine what constitutes adherence to provisions like Article 25, “Data protection by design and by default.”
We do know that the text states that first-time fines for non-compliance can be up to the greater of either 10 million Euros or two percent of annual global turnover of the previous year. We also know that genuine attempts to comply with new regulations still in their “break-in” period tend to lead to less harsh penalties.
For these reasons, business should continue to make GDPR compliance a top priority. Because while you might be reading a lot less about the regulation since it came into effect, it would be risky to assume on that basis that your business is compliant.
Does my business need a data protection officer (DPO)? What about a GDPR representative?
If your business processes the data of EU citizens — regardless of where that processing takes place — and your organization doesn’t yet have an answer to these questions, it’s unlikely that it’s GDPR-compliant. You’re not alone, though: Much of what I read and hear about GDPR suggests that these two rules aren’t well-understood. So to aid in that understanding, I’ve provided the following brief overview of these requirements.
The scope of GDPR
GDPR applies to businesses that process the personal data of EU citizens, even if that processing is outsourced to another company. The regulation applies to that business regardless of whether the processing takes place in the EU.
GDPR also applies to organizations that aren’t established in the EU, but process the personal data of people in the EU for the purpose of selling goods or services to them or for the purpose monitoring their behavior in the EU.
Considering various hypothetical companies can help make all this more concrete. For example, if a company is established in the EU or it engages in any one of these common activities, then it is subject to GDPR:
- The company sells to EU persons.
- The company’s service is used by EU persons.
- The company monitors persons in the EU.
Companies must appoint a data protection officer, or DPO, if their core activities include processing operations that require regular or systematic monitoring of people on a large scale. They must also appoint a DPO if their core activities include processing data related to criminal convictions and offenses or any other special categories of data.
These requirements are quite narrow, meaning that most companies don’t actually need a DPO. I should also note that if a company is composed of multiple subsidiaries, that company can appoint a group DPO.
If your company does need a DPO, however, know that by law that person must:
- Inform and advise the company and monitor compliance.
- Be given access to highest level of management (have access to the board of directors).
- Be provided with adequate resources.
Just as importantly, they cannot be dismissed for performing their tasks under GDPR and cannot have a conflict of interests (in other words, the DPO cannot also function as the organization’s general counsel).
The GDPR representative
If your company is required to comply with GDPR, but is not established in the EU, it must appoint a representative, unless the company’s data processing is only “occasional” and the company does not engage in large-scale processing of special categories of personal data. This is one of those areas I mentioned earlier in which interpretation of the new regulation has yet to be determined, as we currently have no clear guidance on what “occasional” means in this context. Consequently, organizations should make genuine attempts to comply with this provision and err on the side of caution when deciding whether or not their data processing counts as “occasional.”
A few final notes about representatives: The representative must have a specific written mandate from the company that appoints them giving them authority in all issues relating to data processing. The purpose of this mandate is to allow the supervisory body to liaise with the representative and to direct any fines to the representative. Lastly, remember that representatives are subject to serious fines for non-compliance.
GDPR is the most comprehensive piece of privacy legislation developed by any jurisdiction to date, and there’s far more to the regulation than what could be discussed here. If your organization is still searching for answers to your GDPR compliance questions, BPM encourages you to reach out to us. Our risk and advisory experts have extensive knowledge about GDPR and can help your company minimize your risk.
Ashwani Verma leads the risk assurance and advisory services (RAAS) group at BPM, one of the 50 largest public accounting and advisory firms in the country. He has over 17 years of experience providing internal audit, risk management, regulatory compliance and controls-related services. Contact Ashwani at 415.677.4502 or AVerma@bpmcpa.com.