The Journal The Authority on Global Business in Japan

Concerns over the safety of citizens' personal data, whether through leaks of sensitive information from computer systems or cybersecurity breaches that leave individuals' personal details in the wrong hands, have prompted the European Union (EU) to replace member states' piecemeal data protection legislation with a single General Data Protection Regulation (GDPR).

The new rules went into effect on May 25, 2018, and reach any company established in an EU nation, as well as any company outside the EU that offers goods or services to people in the EU or monitors their behavior. Given the global nature of modern business and the importance of Europe as a market to virtually all multinationals, the broad reach of the GDPR means it applies to a high percentage of US companies with operations that go beyond the borders of the United States.

And the massive punishments that it legislates for companies that fail to comply with its fine print mean that one would be wise to play by these new EU rules.

“The GDPR represents a major change in how European lawmakers and authorities think about privacy, and the rules affect almost all the ways in which organizations process personal data,” Dr. Detlev Gabel, a partner with international law firm White & Case LLP who is based in Frankfurt, Germany, told The ACCJ Journal.

Gabel, who is head of the company’s data privacy and cybersecurity practice, identified the three critical challenges that the GDPR poses for businesses:

  • Scope
  • Compliance
  • Penalties

“First, it comes with a wider, global scope,” he emphasized. “Every business that is established in the EU is subject to the GDPR. In addition, companies that are not in the EU are still subject to the GDPR if they customize their offering of goods or services in the EU, for example by using local EU languages, currencies, or web addresses, or if they monitor the behavior of individuals in the EU, for example by way of online tracking.”

That means something as simple as an online shop in Japan that caters to customers in Europe, for instance by pricing in euros or offering an EU-language storefront, will find its processing of those customers' data subject to the terms of the GDPR.

“Second, the GDPR raises the bar for compliance significantly,” Gabel said. “It requires greater openness and transparency. It imposes stricter limits on the use of personal data and it gives individuals more rights to enforce the rules against businesses.

“And, third, the GDPR dramatically increases the penalties for non-compliance to €20 million [$23.36 million] or 4 percent of the organization’s worldwide revenue, whichever is higher,” he pointed out. Gabel added that the penalties “were deliberately set at that high level to attract board-level attention.”

Bojana Bellamy, president of the Centre for Information Policy Leadership, a think tank with offices in London, Washington DC, and Brussels, told The ACCJ Journal that the EU had introduced the GDPR to “ensure harmonized rules across all 28 member states and to bring the data protection law into line with 21st-century technology and expectations.

“But, also, one of the main drivers was to ensure people have more control over their data, and organizations are more diligent about respecting their obligations.”


ACCOUNTABILITY

The GDPR puts more emphasis on the accountability of organizations, stressed Bellamy. Companies will now need to have a data privacy compliance program and, in many cases, appoint a data protection officer. They will need to conduct data protection impact assessments for new technologies and for any processing that may represent a high risk to people. And, when there is a data breach, they must notify regulators and, in serious cases, the affected individuals, she said, adding that the regulation also brings some new and strengthened rights for individuals, such as data portability and erasure.

“In Europe, data protection is a fundamental human right, and the GDPR really puts individuals in the center,” she added. And it obligates companies to act.

“They can’t ignore the new rules and must conduct gap analysis to understand what the new requirements are, which of their functions and activities will be impacted, take a risk-based approach, and concentrate compliance on the areas that could lead to higher risk and harm to individuals.

“In particular, they must have a legal basis to process personal data in the first place. They must maintain a record of processing activities, inform individuals about data processing, conduct [Data Protection Impact Assessments], take measures to protect EU data if handled by third-party vendors, keep data secure and not use it for other incompatible purposes, and have mechanisms in place to ensure proper legal mechanisms for data transfers from the EU to countries outside the EU.”

If all that sounds like a gargantuan task, Bellamy has some words of comfort for US companies. “I often find that US companies are quite diligent about legal compliance in any case, and now this has to be delivered in respect of processing and use of personal data.”

BEST PRACTICES

US companies, including those run by US nationals residing in Japan, broadly understand the EU's motivations.

“I think it’s a good change, as we are believers in protecting customers’ privacy,” said Joe Peters, managing director of iSearch Worldwide KK. “I’ve heard from others that they have actually been taking steps to protect their customers’ data—regardless of where the customers are from—for a few years now. Many, in fact, already have strong compliance in place that meets or exceeds the EU’s requirements.

“While it does take time and resources to plan and execute properly, it shouldn’t cause all that much disruption to companies that are already using best practices for protecting their customers’ information.

“The companies that understand the regulations—and comply—do not seem to be worried,” he added. “With confusion still about, it is not so likely that the regulators are going to be crawling through the web looking for minor infractions. They will, most likely, focus their attention on the big players where that 4 percent fine could be $100 billion or more.”

Peters has paid particular attention to the legislation. He purchased a company in the United States that started operations about 16 years ago and has, over the years, built up a database of more than 1 million users. Because the company previously had offices in Europe, many of those in the database live in European nations.

“The company was in sleep mode for a number of years,” Peters said. “As I plan to revamp and restart soon, we ran our proprietary e-mail list through a list cleaner. That knocked out about two-thirds of the list, but there are still some customers in the EU. To accommodate the fact that we do have some customers in the EU, we have updated our privacy policy as well as our terms of use policy.”

CRITICAL CAUTION

Many companies have sent messages in recent months requesting that users click and confirm that they still wish to receive e-mail and marketing information, while others have asked the recipient to read and confirm receipt of a new privacy policy.

“That is probably due to over-caution on the part of some, uncertainty on the part of others,” Peters said, adding that still others may not really know why they are doing it. “In our case, since we don’t share our customers’ information with anyone, we feel that updated policies on our website are sufficient at this time.”

Experts caution that it is critical for companies to factor the new regulations into their operations and understand the requirements.

Under the GDPR, data must be processed in a manner that ensures the appropriate security of that data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, said White & Case’s Gabel. Depending on the nature of the processing, the relevant technical or organizational measures may include things such as encryption of personal data, redundancy, backup facilities, and regular security testing.

Under the GDPR, each business is responsible for, and must be able to demonstrate that it has taken steps to ensure, compliance with the law. One way of doing this, as has long been the case under other regulations, is to demonstrate adherence to an approved certification mechanism or code of conduct.

In addition, the GDPR provides for further measures aiming at a higher level of data protection, such as requiring businesses to conduct prior risk assessments in relation to new high-risk processing activities. By doing so, businesses may identify and address risks that would otherwise not have been detected.

Also, businesses that use service providers to process personal data on their behalf may only use providers that give sufficient guarantees of GDPR compliance. The agreement with the provider must be in writing and meet certain minimum requirements, including that the provider processes the data only on the business's documented instructions.

The new regulation is also clear on the steps a company must take in the event of a personal data breach. The breach must be reported to the competent data protection authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; where it is likely to result in a high risk to them, the affected individuals must be informed as well.

Gabel admitted that the 72-hour timeline is “extremely challenging,” meaning that “it is highly advisable for businesses to plan for these things in advance.”

And for companies that are not yet in compliance, Gabel has a checklist of five steps to take.

“First of all, don’t panic. The rules are complicated, but companies can make good progress on the most important issues by prioritizing certain activities. To start with, create a compliance roadmap with clear tasks, responsibilities, and milestones, and start building awareness of the GDPR and its business and operational impact throughout your organization.

“Secondly, set up an appropriate data protection team, which may include—either on a mandatory or on a voluntary basis—the appointment of a data protection officer or a similar role.

“Thirdly, prioritize issues that are likely to be the focus of attention for media, consumers, and authorities, and that might lead to high penalties, such as the handling of data breaches.

“Fourthly, generate quick wins by meeting easy-to-reach requirements, such as updating or creating privacy policies, notices, contracts with vendors, and other key documentation.

“And, fifthly, seek advice if required. It seems obvious, but asking questions of experts in the field will often save your business a lot of time and money.”

6 Questions to Help Understand Personal Data You Control

1. What type of personal data do you gather?
Are you gathering sufficient data for the purpose; are you gathering too much irrelevant data for the purpose? Can you identify ways to minimize the data you gather?

2. Why do you gather it?
What is the purpose? Have you specified the purpose to the individuals? Do they have full knowledge and understanding of what happens to their data once it has passed to your organization?

3. Do you regularly review the data for accuracy?
Do you have a procedure in place for auditing the data you hold and updating it where necessary?

4. How do you store it?
Do you have appropriate physical and technical security measures in place to keep the data safe and secure? Is access to the data in your organization restricted to only those who process it? Do you have an off-site back-up server? Where is it located? Do you hold data in the Cloud, and if so where is the Cloud server located?

5. How long do you keep it?
Do you have measures in place to ensure you do not hold data for longer than is necessary for the specified purpose? Do you have a Data Retention Policy?

6. Can you readily comply with individuals' rights to access, erasure, and portability?
Is your system of storing and filing suitable for easily identifying all the data you hold, so you can respond fully to individuals' requests, and within statutory deadlines where applicable?

Source: GDPR.

Julian Ryall is Japan correspondent for The Daily Telegraph.