GDPR: A Compliance Quagmire, for Now

The European Union’s General Data Protection Regulation (GDPR) has gone into effect – but questions as to what compliance actually means are far from settled.

While the GDPR is a European regulation, it affects any organization that handles data on E.U. citizens, whether they be customers or partners. That means any entity in the U.S. is subject to enforcement actions, such as fines, if they do business with any E.U. citizen. In other words, it’s an E.U. law, but has global applicability.

For U.S. consumers, while they aren’t protected by the regulation when it comes to non-E.U. companies, the law could either spur similar regulation on this side of the pond, or, more likely, create an environment where industry voluntarily implements GDPR-like protections in response to consumer demand.

The GDPR is widely considered the most comprehensive regulation on the protection of personal data in the world, with a sweeping set of requirements that promise to transform global debates on any number of grand levels: It’s about privacy, cybersecurity, the role of technology and technology companies, the value of innovation and, of course, the future of the transatlantic economy.

It’s also a widely known fact that many companies aren’t prepared for the regulation. The GDPR contains a series of articles that lay out a complex set of requirements for those handling E.U. citizen data. Yet, in terms of what compliance actually looks like in real terms, there are several areas of uncertainty that will only play out and become clarified over time.

The Broad Strokes

The GDPR applies to any organization that collects data about E.U. residents, whether or not that organization has a physical presence in the E.U. – including American companies. While Europe has had data privacy frameworks in place since the mid-1990s, the GDPR changes things first and foremost by applying to data collected about E.U. residents by organizations located anywhere in the world for the first time – leaving many companies outside the E.U. scrambling to overhaul their processes.

Facebook, for example, has taken several steps in an attempt to give people more control over their privacy and explain how it uses data. For instance, people are asked to choose whether they want Facebook to use data from partners to show them ads. They can also choose if they want Facebook to use political, religious and relationship information on profiles to target ads and content, among other things.

In many cases, U.S. consumers win here too. Some companies (not just Facebook) are overhauling their processes across the board, so even though the changes are targeted to E.U. residents, U.S. users will benefit from a halo effect.

“This is an opportunity to make sure that we’re treating people and information with respect, and make sure our partners do,” said Daniel Sepulveda, vice president of global government relations at MediaMath. “It’s obvious that [U.S. and other global] businesses have to work collaboratively with colleagues in Europe and with regulators, hopefully in a way that pushes the open digital economy and open internet forward.”

Further, enforcement actions promise to be a financial deterrent. Violations can incur fines of up to 4 percent of global turnover or 20 million Euros, whichever is greater.

As a result, many firms around the world are thinking strategically about their relationship with the personal data they collect on their users, including information gleaned from websites, account registrations, social media, advertising and marketing efforts, newsletters and list rentals, data brokerages, public sources of information and more. For U.S. companies, this presents not only an operational challenge, but an institutional one. The E.U. definition of “personal data” is far broader than what is typically understood in the United States.

Under the GDPR, consent must be obtained before any data is collected, let alone kept or used for follow-on purposes, such as targeted advertising. This profoundly changes the way an American company, such as Google’s subsidiary DoubleClick, profiles and targets ads to internet users in the E.U.

Basic Articles of the GDPR

Beyond the main outlines, the legislation contains a number of specific data-handling requirements that will be new for the thousands of U.S.-based companies that will need to comply with the GDPR thanks to having E.U. customers or partners.

For one, GDPR specifies how consent must be obtained. This includes requiring transparency in privacy policies – i.e., no legalese allowed. The information related to data processing should be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

Companies are also tasked with implementing privacy by design, which means that they are required to only collect data that fulfills the functions of their business. The GDPR thus demands companies implement measures such as data minimization, which means only asking for what one needs, and for a specific use and timeline. Keeping personal information indefinitely, or maintaining databases of information that doesn’t have an immediate use, is prohibited.

Pseudonymization (or data masking), is another new requirement. It is similar to the anonymized data sets used today to protect individual privacy while allowing insights on demographics across large data sets. It enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms.

GDPR also adds a data-breach notification requirement that mandates notification to authorities of an incident within 72 hours of its discovery. This is a marked departure from U.S. practices, which are determined on a state-by-state basis; most statutes simply say that notification should occur “without undue delay” or “as quickly as possible.” A handful of states do specify time frames, such as Alabama (45 days).

Also, the GDPR gives E.U. individuals a slew of “data subject rights” that affected American companies will have to comply with, including the right to receive records of data processing. E.U. citizens can ask to get information on what personal data is being collected and for what purpose – many regulatory experts see this as a requirement to eventually create information portals for individuals to query for this information on a self-service basis. For now, an E.U. data subject will need to file a “subject access request” (SAR) that in the form of an email, fax or letter asking for their personal data. Companies – including U.S.-based organizations subject to the GDPR – now have to respond within one month of receiving the request.

“How do you give data subjects the ability to self-manage their requests for information?” said Matt Klassen, Cherwell Software’s vice president of product marketing. “Especially when it comes to data access, data rectification (making corrections), portability and the right to be forgotten.”

As a related piece, E.U. citizens also gain the right to erasure (to be forgotten), which means that companies must provide a mechanism for erasing any personal data concerning the subject upon request, “without undue delay.”

Other rights that American companies will now have to guarantee E.U. citizens cover data portability, which allows users to port data from one service to another.

Meanwhile, individuals also have a right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her,” according to the law.

“Consumers now have the right to know the logic in how companies process automated decisions, including job and credit applications, and how the algorithms for targeted ads work,” said Susan Ness, a distinguished fellow at the German Marshall Fund, which is a think-tank devoted to transatlantic policy.

As for redress and compliance, E.U. individuals are also authorized to file complaints about data misuse, and the GDPR outlines the procedures for doing so. Many companies in Europe are expected to appoint data protection officers to fulfill an accountability requirement. These individuals are tasked with overseeing and ensuring compliance.

In other words, the GDPR represents plenty of overhead. But with 500 million tech-savvy customers in the E.U., it’s obvious that companies with multinational aspirations will need to take it seriously.

Devil in the Details

Taken together, the main tenets of the GDPR make up a hugely complex set of requirements – however, they’re not necessarily prescriptive. That means that there are a number of areas where implementation and compliance are only fuzzily defined – a state of affairs that will lead to long-term conversations and clarification over time (and which will probably delay enforcement actions).

Peter Chase, a senior resident fellow at the GMF, said that it remains to be seen how the automated processing piece of this will play out. For instance, there could be a chilling effect on artificial intelligence development.

“The challenge is when AI is used, consumers may not know the direct reason for a decision that was subject to algorithmic direction, somewhat independently,” he explained. “Applicability and usability of new technology like this is in question; these conversations will have to play out post-effect.”

He also noted that there’s a potential problem in opening the kimono to consumers when it comes to proprietary technology.

“The GDPR demands transparency, but for many companies, there’s a secret-sauce level of how they deliver advertising that this will affect,” Chase said. “On the other hand… different data protection authorities will have their own interpretation, and this means that things will have to be clarified and will likely be clarified in court.”

It also remains to be seen how companies should implement the information access pieces of the GDPR while still remaining compliant.

A good example of this is ICANN’s WHOIS service, which serves a phonebook-like purpose of making contact information available for those who have registered internet domains. ICANN contractually requires the collection of three sets of contact data by over 2,500 registrars and registries around the world. Some in the E.U. have refused to continue to collect that much information, for fear of running afoul of the “data minimization” tenet of the GDPR. ICANN has filed a suit in the E.U. to gain clarity on the issue.

There’s also a grey area around accountability and proof of data-handling compliance. “The GDPR requires that you can show evidence that you’ve received a request and taken action in an appropriate timeframe,” Klassen explained.

And that, he explained, carries its own set of new privacy considerations, many of which will be challenging for U.S. companies looking to comply with the regulation.

“It gets tricky,” he said. “When an individual makes a request, the company has the right to ask for proof of identity, because after all, that could be catastrophic if they erase the wrong person’s information or return a different person’s information. So for instance, Google requires you to take a picture of your passport—then the question becomes whether you’re giving them information that’s more sensitive than the data you’re looking to access.”

Further, companies can’t erase that proof of ID.

“A data subject can say, that wasn’t me, prove that it was,” Klassen explained. “So if they don’t have that proof, they’re in trouble.”

There’s also a question of what information is being handled in digital environments, and to what extent that provides an exposure point to organizations.

“Companies are generally trying to control as much as they can internally, while figuring out where they don’t have control,” said Alex Calic, chief strategy and revenue officer of the Media Trust. “The real risk is not knowing what they don’t know. You can take an audit of internal systems and that will be about 10 to 25 percent of what’s there. The rest is in digital environments that they don’t have direct control over.”

As part of this, many companies don’t realize that there could be a large risk from the code that runs on their websites, for instance. The GDPR’s broader definition of consumer data includes digital footprints such as IP addresses, cookies, unstructured data and the like, but questions remain as to how best to bring these aspects into compliance.

“These are things that track users for content marketing, or widgets that display stock prices or even the scripts that allow visitors to comment on and forward posts,” Calic said. “You don’t control what they display, and also, most of this is based on where the person is located, so a company in the U.S. has no idea what this widget is showing on the site when an E.U. visitor comes to it. So companies need to do vendor risk management, applied to digital world, so if the E.U. ever comes a-knocking, you have a nice set of things to show them, an audit trail that shows you have control over my digital environment.”

There are even more simple unknowns, such as how compliant the “Log In with Facebook” function on websites is.

“The GDPR is concerned with scope – so in that example, it comes down to, do you give me (Facebook) consent to share this information with a third-party website?” Klassen explained. “For GDPR compliance, each piece of data has to be associated with a specific purpose, and has to be transparently presented. So then we get to, how long am I giving you consent for? Open-ended consent (i.e., ‘remember me on this computer’) is no longer okay.”

GDPR Preparedness Still Lags, Questions Loom over Enforcement

Despite the massive overhead and risk posed by the GDPR, awareness is lagging in the U.S. as is preparedness – the latter driven by compliance uncertainty as well as the complexity of the implementation.

Courtesy: Crowd Research Partners

In preparation for the GDPR enforcement deadline, a 2018 GDPR Readiness Survey from CompliancePoint found that of those U.S. companies polled, 26 percent of respondents noted that they are unaware of the GDPR, while 44 percent said they were somewhat aware and only about a third (29 percent) were fully aware.

CompliancePoint also asked respondents which issues were preventing their organization from becoming GDPR compliant. The majority of businesses said they were waiting to see what enforcement comes from the regulation (45.6 percent).

“There’s a lot of speculation around how much rigor is being applied on the enforcement front,” said Javaad Malik, security advocate at AlientVault. “Regulators may go in and try to make an example early on, by going after a big company to enforce a heavy fine and put a scare into the industry. Or, will they go after a local business, like a surgery, that holds very sensitive and personal information, but they see themselves as being too small to count or too small to be a problem… At the moment it’s just a lot of guesswork.”

“There is a raft of uncertainty in terms of how quickly regulators will clamp down,” added Páraic Hayes, senior vice president of the West Coast U.S. at IDA Ireland, an Irish government agency focused on bringing foreign investment to the Emerald Isle. “There are too many cases for them to do it straight away in an even-handed manner, so I think the triggers for enforcement will be where a complaint has been made, or, if a specific regulator takes an interest in a specific vertical.”