The use and protection of personal data has garnered a massive amount of attention in recent years. The headlines set off a race to regulate, both internationally and domestically. The true costs of compliance and enforcement remain to be seen, but we have a few pragmatic suggestions that can guide businesses on the journey. Don’t set fire to your current practices quite yet!
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The GDPR is both a data privacy and a data protection law, and its underpinning is that companies must have a lawful basis, such as a legitimate business interest, for collecting and processing personal data. It also distinguishes ordinary personal data from “special categories” of personal data, such as health, genetic and biometric data and data revealing racial or ethnic origin, political opinions or religious beliefs. The law contains a general prohibition on processing those special categories, but then lists exceptions to that prohibition. Leading up to its effective date, our inboxes were practically overrun with notices ringing alarm bells about compliance. Most of the initial resources didn’t contain guidelines on how to comply, but rather were designed to garner business for consultants seeking to handle the soup-to-nuts compliance process. That would be an incredibly expensive endeavor! It is true that the GDPR has expansive territorial reach, stringent contracting requirements, and hefty penalties, but a more moderated view develops after a full reading of the law.
As an initial matter, companies should carefully consider whether their business is covered by the GDPR at all. One can read the provision on territorial scope twenty times, diagram it, and still not be perfectly clear about whether it applies. Conservative practitioners may encourage clients to assume they are covered by the GDPR, but a careful analysis may save time and money.
The GDPR defines controllers and processors of data and carefully differentiates their obligations under the law. Controllers determine the purposes and means of the processing of personal data, while processors process the data on behalf of a controller. These terms are used in very specific ways to delimit the territorial scope of the GDPR. First, controllers and processors established inside the EU are within the scope of the law, even if the processing itself occurs outside the EU. Second, controllers and processors established entirely outside the EU are covered if they offer goods or services to data subjects in the EU (whether or not payment is required) or monitor the behavior of data subjects as that behavior takes place within the EU. Third, a controller established outside the EU is covered if it is established in a place where member state law applies by virtue of public international law. As a result, the scope of the law is narrower than originally imagined: a company that is established entirely outside the EU and processes data about EU data subjects, but neither offers goods or services to them nor monitors their behavior in the EU, may not be covered. Because the geographical footprint and structure of each business is unique, it is still necessary to present this question to a lawyer with expertise, but clients will be empowered by a more nuanced view of GDPR applicability.
Another GDPR landmine to navigate carefully is the mandatory contracting between controllers and processors. Controllers bear the lion’s share of responsibility for compliance with the law; processors have more limited obligations and correspondingly more limited liability. We think about privacy law in two distinct buckets: first, “privacy practices,” by which we mean companies’ obligations vis-à-vis consumers; and second, “data security,” or how that data is protected from unauthorized access and distribution after it is collected or received. Under the GDPR, the obligations regarding privacy practices – interfacing with data subjects and permitting them to access, correct, and delete their data – rest with the controllers. In fact, when you read the law, many of the requirements begin with the phrase “the controller shall…”.
Processors, on the other hand, are primarily responsible for protecting the data once it is received and for processing it only on the controller’s documented instructions. The GDPR does place some direct obligations on processors (keeping records of their processing activities, securing the data, notifying the controller of personal data breaches, and flowing down their contractual terms to any sub-processors), and a processor that breaches those obligations or acts outside the controller’s instructions can be liable to data subjects and subject to administrative fines. But a processor that stays within the explicit scope of its processing and adequately protects the security of the data is not responsible for the controller’s compliance failures. The GDPR requires controllers and processors to have a written contract that sets forth the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations and rights of the controller. This has resulted in an interesting dynamic in which many controllers seek to pass their own obligations and liability for compliance through to processors. We encourage you to resist this effort: nothing in the law requires controllers to pass their obligations through to processors in order to comply, and accepting them puts a processor on the hook for duties the GDPR never assigned to it.
Approaching both the evaluation of territorial scope and the contracting process in an intentional and well-informed manner is essential. As always, the best bet for maneuvering around GDPR landmines is to hire advisers, including legal counsel, who understand the nuances and complexities of your business. No two companies will reach the same conclusions in this complicated and evolving area of the law. It’s safe to say that even if your reading of the territorial scope provision leads you to conclude that you aren’t within reach of the GDPR, you will still feel its impact, most often through the contract terms that EU-based customers and vendors will ask you to sign.
Next week we will discuss one significant development that could be read as a reaction to the EU’s regulatory activity: the California Consumer Privacy Act (CCPA).
THIS BLOG POST AND ASSOCIATED MATERIALS ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND NOT PROVIDED FOR THE PURPOSE OF PROVIDING LEGAL ADVICE. YOU SHOULD CONTACT YOUR ATTORNEY TO OBTAIN ADVICE ON ANY PARTICULAR ISSUES. THE OPINIONS AND VIEWS EXPRESSED IN THIS POST REPRESENT THE OPINIONS AND VIEWS OF THE INDIVIDUAL AUTHORS AND MAY NOT REFLECT THE OPINIONS OR VIEWS OF A PARTICULAR COMPANY.
ICSynergy International LLC has provided cybersecurity strategy and implementation services for over 15 years. Since our early days of delivering world-class Identity Management solutions, we have always looked at cybersecurity through a people, process, and technology lens. This approach becomes even more important when looking at the repercussions of a GDPR or CCPA breach. Let ICSynergy’s team of privacy and security professionals help you formulate your approach to GDPR and CCPA.
Phone: (214) 764-7644 | 5601 Democracy Drive, Suite 205| Plano, TX 75024
ICSynergy is a trusted Okta Gold partner, with more than 30 successful customer implementations and 30 additional hybrid engagements. Our experience helping organizations of all sizes integrate Okta with their cloud-based and hybrid applications makes us the partner of choice for Okta integrations.
Our experts can assist in your integration of Okta applications such as Single Sign-On (SSO), Multi-factor Authentication (MFA), and lifecycle management – either out-of-the-box, or with a custom solution. With ICSynergy’s SPGateway, we can extend your Okta solution to your on-premises applications, protecting your existing investment.
In addition, ICSynergy offers an array of advisory and managed services to meet any and all challenges arising from your Okta-based architecture.