Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The European Union’s new privacy regime will spotlight cloud providers, data analysts, information technology services, and other companies that process data on behalf of others, privacy professionals told Bloomberg BNA.
Meeting the new compliance obligations of the EU General Data Protection Regulation (GDPR), which takes effect May 25, 2018, is a challenge to both the data controller companies that determine how personal information is collected and used, and the data processing and storage companies that carry out those functions on the controllers’ behalf.
One critical component of ensuring GDPR compliance is establishing clear privacy and data security responsibilities in contracts between data controllers and data processors.
The GDPR will replace privacy laws that now focus primarily on data controllers and expand privacy compliance obligations to include data processors. Data controllers will also face stronger obligations to ensure that data-processing companies under contract are protecting privacy.
Companies that offer data storage solutions in Europe, such as Walldorf, Germany-based SAP SE and U.S.-based Amazon.com Inc.'s Amazon Web Services, are among the data processors that would likely face new privacy compliance obligations under the GDPR. Amazon, which has data centers in Germany, Ireland, and the U.K., is the fourth largest technology company in the world with a $455.8 billion market capitalization, Bloomberg data show. SAP, which has data centers in France, Germany, the Netherlands, and Russia, is the third largest enterprise software company in the world with a $126.4 billion market capitalization, Bloomberg data show.
The new obligations facing data processors include providing notice of data breaches, objecting if a data controller orders processing not authorized by the GDPR, and keeping extensive records on decisions about whether particular processing of information complies with the new EU privacy regime.
“For most organizations, the accountability is a sea change,” Mary J. Hildebrand, chair of the privacy and information security practice at Lowenstein Sandler LLP in Roseland, N.J., told Bloomberg BNA.
Data processors must also consider changes to their risk-assessment decisions, as the GDPR dramatically raises potential fines to as much as 20 million euros ($22.4 million) or up to 4 percent of a company’s worldwide revenue, whichever is higher.
Despite the significant new privacy obligations and the potential for large fines, it isn’t clear whether data processors are ready for the GDPR. Privacy and security professionals told Bloomberg BNA that at least half of companies considered data processors may not be aware of the new requirements.
Jan Henderyckx, managing partner of Belgian data consulting company Inpuls, told Bloomberg BNA that as a “rough estimate,” 50 percent of EU data processors are “really aware and working on things.” However, awareness is “much, much lower” outside the EU among companies that process data coming from the EU, he said.
Bo Holland, CEO of AllClear ID, which advises companies on data breach response, said the proportion of informed companies is much lower, at 20 percent. “The word is starting to get out, but the awareness level is pretty low,” Holland told Bloomberg BNA.
The GDPR will require data controllers to take steps to ensure the privacy and security of personal data sent downstream to companies they contract with to carry out data-processing functions. Such contracts should be watertight so data controllers minimize their own exposure, the privacy pros said.
“These contracts are going to be put into place in the next year,” a process that is likely to involve “a rather steep learning curve” for some processors, Hildebrand said.
Contracts will need to cover arrangements in case of data breaches, the pros said. Under the GDPR, processors will be required to notify the relevant data controllers of breaches “without undue delay”—and failure to do so could expose processors to claims from data subjects and data controllers.
“It’s a dramatic shift,” and processors could be particularly in the line of fire in case of a data breach because they “may have thousands of controllers who are clients,” Holland said.
Processors and controllers are “starting to negotiate on who is going to be responsible for what” should a data breach happen, Holland added. “It’s very important that each party looks at these new obligations so that the expectations are clear.”
The new compliance obligations may shake up the data-processing market, with controllers choosing their processors more carefully, the privacy pros said.
Data controllers may hesitate to do business with data processors who don’t have “adequate answers” on GDPR compliance, Henderyckx said. And some processors are seeing compliance “as a value proposition towards their customers,” he said.
“The ones that will survive are the ones that make the mind shift,” Henderyckx said.
Hazel Grant, partner and head of privacy, security and information practice at Fieldfisher LLP in London, told Bloomberg BNA that, for data processors, the “evaluation of the risk of taking on a contract changes hugely.”
Under the current EU privacy regime, a controller is required to “carry out due diligence on a processor, but in practice hardly anybody did that,” Grant said. That will change under the GDPR with potential market-wide implications, she said.
Grant also predicted more data-protection litigation, with disputes between controllers and processors and the possibility of actions on behalf of groups of individuals filed by consumer organizations on top of heightened enforcement by privacy regulators.
Detlev Gabel, a partner at White & Case LLP in Frankfurt and head of the firm’s data, privacy and cybersecurity practice, told Bloomberg BNA that EU privacy regulators will likely pursue enforcement actions under the new data-processor obligations when they take effect in order to set an example and to educate processors and controllers about the new GDPR obligations.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)