Cybersecurity Regulations Are Ready for You, Even If You’re Not Ready for Them

UPDATE: We’re happy to report this post made the Texas Bar Today’s list of the Top 10 blog posts of the week.

How does a $20 million fine sound to you for violating European regulations with activities conducted entirely within U.S. borders? On May 25, 2018, the new European General Data Protection Regulation (GDPR) takes effect. It makes significant changes to the privacy and cybersecurity requirements applicable to companies that collect, process, or store any personally identifiable information of European Union (EU) citizens and residents – even if the processing and storage are done outside EU borders.

The new rule reaches the U.S. and other countries

The GDPR was written specifically to have extraterritorial reach – not only in its applicability, but also in the calculation of fines. Even American companies that have customers or even a presence within the EU must comply. The fines for non-compliance can reach €20 million (currently, approximately $20 million) or up to 4 percent of worldwide revenue, whichever is greater.

So, having only a small income stream from Europe or a small presence there won’t limit your exposure. Your entire global annual income can become the basis for a fine calculation.

Replaces the Data Protection Directive

The GDPR replaces the earlier Data Protection Directive (DPD), under which you may currently be operating. If you have customers in the EU, or data subject to DPD requirements, you are likely using model contract clauses that had been vetted against the DPD, or, less likely, binding corporate rules (BCR).

If you’re thinking that, because your contract will extend past May 2018 and you won’t be making any changes to it, those contract clauses will continue to define your obligations, you’re incorrect. Whereas the DPD relied upon a contractual agreement for enforcement, the GDPR is regulatory fiat. Stricter GDPR requirements will supersede your DPD-compliant contracts, leaving you subject to expensive fines – unless you adjust to the new GDPR requirements.

Challenging new requirements

The GDPR has myriad complex new rules. There’s a requirement for companies to have a Data Protection Officer (DPO) on staff, with specified duties and competencies. The DPO must be competent in privacy requirements, as well as in cybersecurity threats and defenses. They must also be readily accessible to receive reports of suspected privacy and security incidents and have rapid access to company leadership. Fortunately, the GDPR permits the DPO to be an entity rather than a single individual. The role can also be outsourced, or even located outside the EU. For example, a law firm or specialized company within the U.S. can provide contracted DPO services.

Additionally, the GDPR imposes new data breach notification requirements that could subject you to short-fuse reporting deadlines where, previously, you would have had none at all. There’s also a new right to erasure, which is a modification of the earlier right to be forgotten, and requirements for data portability that may be onerous for some companies.

Get started on compliance efforts NOW

If you are not already sufficiently familiar with the new requirements, either start educating yourself, or find someone to guide you. The new requirements are significant, and one of the first things you might discover is that you’re already far too late getting started.

According to one study by the International Association of Privacy Professionals (IAPP), the number of DPOs required by May 2018 could exceed 25,000. Many organizations are predicting an acute shortage of qualified DPOs, and expect that many companies may be driven to use an outsourced DPO. Perhaps it’s best to start looking to either fill that in-house role soon, or get on a contract DPO’s client list before it fills up.

This update is for informational purposes only and should not be considered legal advice. Each situation is different, could change any time, and should be analyzed by an attorney.

By Kelce Wilson | September 7th, 2017 (last updated 2017-09-08T16:21:13+00:00)

About the Author:

Kelce Wilson

Kelce Wilson is a registered patent attorney with a PhD in electrical engineering, and experience in patent prosecution, litigation, and portfolio management strategy. He leverages prior security testing work for a growing cybersecurity practice. Kelce also serves as pro bono general counsel to North Texas InfraGard, which assists the FBI with disseminating threat intelligence to companies providing critical civilian infrastructure services. Kelce can be reached at kwilson@gchub.com.