Privacy Shield and GDPR: Sorting Out the Business Obligations
The global transfer of data between entities and across national borders is increasingly at the heart of digital business. Today’s Wall Street Journal article (access may require a subscription) explores the troubled status of transfers between the EU and the USA – the second and third largest economies by GDP, respectively. (China was first in 2015, evidently.)
The WSJ article notes that:
“The ability of companies to transfer everything from payroll files to social media posts to the U.S. from Europe could be in jeopardy, tech executives and European officials worry, should the Trump administration consider removing existing privacy protections for Europeans.”
Those existing protections have been formulated in the so-called “Privacy Shield,” which replaced the “Safe Harbor” framework that was overturned by the EU’s top court in 2015 due to concerns over mass surveillance by U.S. intelligence agencies.
But the question of data transfers is a relatively minor element compared to the broad impact of the EU’s General Data Protection Regulation (GDPR).
The GDPR affects any company, anywhere in the world, that has practically anything to do with any EU resident. It has been called a “paradigm shift,” a “revolution,” and a ticking time bomb in the plumbing of digital advertising and marketing.
Violations of the GDPR invite massive fines – 20 million euros, or 4% of a company’s global gross revenue, whichever is greater. (For example, that’s about 445 million euros for Estee Lauder; 3 billion euros for Unilever, and 10 billion euros for Royal Dutch Shell.)
The GDPR requires that companies adopt an entirely new posture and culture when it comes to collecting and processing personal data of EU residents. For example, the legislated principle of “data protection by design” dictates that companies must use the smallest possible amount of personal data, for the shortest possible period of time, and delete it as soon as possible. (Oh yeah, and also expose it to as few employees as possible.)
In short, a proper response to the GDPR is not just about compliance – it requires a system-level, organization-wide response.
This is just the beginning, yet you can already see how disruptive the GDPR will be – even without the additional headache of Privacy Shield’s questionable fate.
Confused about GDPR, Privacy Shield, and your company’s obligations? Attend our webinar on March 1, where we’ll explore how GDPR will transform business practices across the organization. Download our FAQ on compliance essentials. And contact us if you’d like to start planning now to avoid the big fines that will come with non-compliance in May 2018.