By Elisabeth Kohoutek, associate at King & Spalding and Tim Robinson, general counsel at MediSpend
Despite efforts to maintain the highest level of data security, companies sometimes experience data breaches. Keeping received data protected has always been good business practice. After all, a breach is a surefire way to lose the trust of the public.
Now, however, the European Union’s General Data Protection Regulation (GDPR) is raising the stakes for the handling of personal data. GDPR took effect on May 25, 2018. It applies in all 28 EU member states, so every company established in the EU is subject to GDPR. In addition, all organizations, whether inside or outside the EU, that offer goods or services to EU citizens or monitor the behavior of EU data subjects must comply.
Why GDPR Compliance Is Vital
Companies spent much time and money preparing for the law’s official enactment in May, and they have good reason to comply with GDPR. The new law brings higher administrative fines than any individual European Union member state could impose so far. Germany, for example, could fine at most 300,000 euro for a data privacy violation, whereas serious GDPR violations can now cost up to 4 percent of total revenue or 20 million euro.
Definitions That Matter
In addition to stipulating the proper use and maintenance of data and the rights of individuals, the legislation lays out rules for data breach notifications. To begin, you must understand the parties involved:
- Data processor – An agency, group or individual that reports to the controller and processes data on the controller’s behalf.
- Controller – The person who determines the purpose and means of processing data. Ultimately, this is who is in control of the data that has been processed.
What Happens If You Have a Data Breach
GDPR provides a framework for the chain of events that must take place once a data breach is recognized. First, the data processor must notify the controller (assuming he or she is the one to realize the problem) without undue delay. Then, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach.
What’s positive for compliance and risk managers is the fact that GDPR spells out the requirements. Notification of a data breach must include the following:
- Nature of the breach
- Name and contact of the data protection officer or another contact at the company
- Description of the consequences of the breach
- Description of the measures taken or proposed to address the breach
You may also be required to notify individuals affected. Transparency is always a smart move in crisis management, so you may want to share what happened with individuals who may have been victims of the breach anyway.
The Pros of GDPR
GDPR gives individuals many more rights than they had under previous incarnations of data privacy law in Europe. Companies, as a result, must have the necessary technology platforms to address the requests data subjects can make. For instance, a data subject can request the removal of his or her data.
Before you lament another law, consider the positives of GDPR. Because there is a universal set of standards, the playing field is level for all companies. In addition, across Europe, the rules are the same. The law invokes stronger individual rights. And it ensures added security of personal data. Frankly, companies should want to comply because it makes good business sense, too.