What are the implications of the provisions of the new EU General Data Protection Regulation (GDPR) on U.S. Businesses?

By Andrew Pery posted 04-04-2016 12:27


In December 2015, the European Parliament passed the long-awaited changes to the EU Data Protection Directive, which has governed EU privacy rights since it was ratified in 1995. While the provisions of the EU General Data Protection Regulation (GDPR) will not become binding until 2018, they considerably expand privacy rights by imposing rigorous obligations on data processors and controllers that span breach notification, data anonymization and trans-border data transfers. These provisions will impose on U.S. companies additional obligations to implement processes that protect privacy rights, with potentially “significant internal costs to align privacy practices and cause companies to completely rethink some of their key business practices.”[1]

Stricter breach notification provisions

Perhaps the most significant impact of the GDPR on U.S. businesses comes from the breach notification provisions. The new provisions have considerably more teeth, with fines that may be as high as 4% of annual revenues. “Data breach” is defined broadly to include “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This is in stark contrast to U.S. practice, under which companies report only data breaches that may result in fraud or identity theft.

These enhanced breach notification provisions require that data processors and controllers institute “appropriate technical and organizational measures” to protect “the rights and freedoms of individuals,” including encryption and the confidentiality, integrity and accessibility of personally identifiable information. They also require that data protection authorities be notified within 72 hours of a breach.

Expected outcome: Privacy impact assessment

One of the expected outcomes of the new regulations is that privacy impact assessment studies will be mandatory to ensure compliance and mitigate risk, particularly “where processing operations present specific risks to the rights and freedoms of data subjects [individuals].” Article 33 of the regulations defines specific risks that organizations ought to take into consideration when conducting privacy impact assessments, particularly if information is collected about a data subject’s health, race, biometric data, personal preferences or other sensitive information. In these circumstances, data controllers and processors will be required to produce a privacy impact report that identifies how such personally identifiable information is collected, managed and safeguarded in compliance with the regulations for the protection of personal data.

Several jurisdictions have developed formal methodologies and best practices for privacy impact assessment studies. A particularly useful resource is a study by David Wright of Trilateral Research & Consulting, London, which surveys the jurisdictions where privacy impact assessments are most advanced.

Privacy impact assessment assumes that organizations have developed information governance best practices and systems that manage information life cycle processes, including the classification and preservation of personally identifiable information. Having well-defined and clearly articulated records management policies, procedures and systems in place enables organizations to classify information consistently, including personally identifiable and sensitive information, and to mitigate risk in the event of a data breach, particularly in light of the much more onerous fines imposed by the new regulations. Intelligent capture and classification technologies provide a useful tool to accelerate records management processes.

Intelligent capture is based on understanding the meaning and context of document content. It makes document classification in accordance with organizational business processes, including records management and privacy impact assessments, more efficient, predictable and defensible. Described by leading capture analyst Harvey Spencer as Capture 2.0, intelligent capture is proving to be of immense value to organizations, as “Capture 2.0 technologies are designed to classify and extract relevant information for use by structured business processes including analytics, intelligence, customer service, records management and accounting.”