While companies in the EU are readying themselves for the upcoming General Data Protection Regulation (GDPR), many outside Europe are not – especially in the US.
With data now flowing effortlessly across borders, European companies are having to be much clearer about how a foreign partner's non-compliance could leave them exposed. One requirement of GDPR is that foreign-based vendors with no office or assets in the EU must appoint an EU-based member representative, who can be held directly liable if the vendor is found to be non-compliant with the regulation. This is because, when the rules were crafted, it was decided that it might be difficult to penalise a foreign vendor.
A hard-hitting law
Perhaps unsurprisingly, there have not been many takers in the EU for the job of member representative, says Katherine Gardner, a partner at US law firm Gunderson Dettmer. The penalties for non-compliance are onerous: at the highest level, €20m or 4% of global revenues a year, whichever is greater. Also, individuals can be held responsible for the bill, although the regulation gives regulators some discretion if a fine would be a disproportionate burden.
This is just one of the factors giving EU companies that use foreign-based vendors pause for thought. Indeed, the rules call for companies to take specific steps to ensure their partners are able to comply with GDPR.
The GDPR will replace the Data Protection Directive of 1995, and its aim is to unify and strengthen data protection for EU residents. However, most foreign vendors are also taking the regulation seriously, especially those with multinational clients, says Ms Gardner. “In general, European vendors are a bit more ahead in terms of having the training, having the technology and having some of the processes in place to be compliant,” she adds.
But even if an EU company uses a local vendor which is more familiar with the regulation, there are still many risks looming with GDPR, which comes into effect in May 2018. One risk is that data has become so pervasive in the economy that even a company which believes it is ready for the regulation could be caught unawares. Another is the widespread concern that even in the EU not many companies are fully prepared. These risks are magnified when a third party, whether a foreign vendor or partner or a local one, enters the mix.
Even companies which are generally well prepared might be surprised by the type and range of data that falls under the regulation. For example, information collected from self-driving cars – such as driving patterns – could be subject to the GDPR, according to Lokke Moerel, senior counsel at law firm Morrison & Foerster in Berlin and a professor of global ICT law at Tilburg University.
“This type of data will be considered personal data relating to the drivers or owners: where they live, where they work, where they have been,” she says. “Under the regulation, you will have to treat all that data as personal data because it may be impossible to determine or separate out what is personal and what is not.”
Likewise for the use of the Internet of Things (IoT) in factories, Ms Moerel adds. “Industrial machines are now equipped with sensors for all types of reasons, including maintenance. But those machines are operated by individuals and in most cases, the management knows who was operating the machine at what moment in time. This gives information about how efficiently the relevant employees work, whether they are often distracted, and their productivity. So that means you have to be careful about transmitting this data as well, because it contains personally identifiable information and thus falls under GDPR.”
Both of these scenarios are most likely to be handled by a vendor, and if the IoT-enabled factory or self-driving car is deployed overseas then that vendor could well be a local one not versed in GDPR’s global reach and the consequences of non-compliance for its customers.
Are companies ready?
Even leaving aside the arcane subjects of IoT and autonomous vehicle data, there are still signs that most vendors in most countries are, to some degree, not quite ready for full compliance by the deadline of May 25.
“A higher percentage of European-based companies are on course to be prepared for the GDPR than non-EU companies, but I would not necessarily say that most companies are on course to gain compliance,” says Behnam Dayanim, a partner in the Washington, DC office of law firm Paul Hastings. “That’s not to imply a lack of effort,” he adds – in most cases, companies are working assiduously to achieve compliance – but it is a formidable undertaking. “Some may have underestimated the amount of work involved, or may have started late. Others may be struggling to understand precisely how to implement the requirements; the guidance from the regulators has been quite staggered.
“So there are a lot of reasons why a company may not achieve compliance by the implementation date,” he says. A foreign vendor lagging on the regulation is just one of them.
Fortunately, according to Bret Cohen, a partner at law firm Hogan Lovells, Europe-based companies’ awareness of the possible vulnerability posed by foreign vendors is strong. “We are seeing a number of companies enhancing their vendor procurement procedures to increase consideration of data privacy and security issues,” he says.
Latecomers could suffer
But if a company has not yet started efforts to become GDPR-compliant, Mr Dayanim has bad news: it is already too late. “What I would suggest to a company that came to me now in such a state is: target the most important and achievable milestones for GDPR compliance. Do everything possible to get those in place by May and then continue to backfill the rest, as soon as possible, after the implementation date,” he says.
“The hope would be that you can get everything done before a regulator starts asking questions. But if the regulator does look at you and you are not ready yet, you’ll at least be able to present a good story about your timeline.”