Why Global 2000 Companies Should Be Focused on Third Party Compliance
The European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, strengthens data privacy rights for EU citizens and gives regulatory authorities greater powers to take action against companies that breach the law.
The regulation introduces some tough new penalties of fines of up to 4% of Annual Global Revenue or 20 Million Euros – whichever is higher. Just to put this in context for the Global 2000 (which have revenues between $1.6 Billion and $171.1 Billion according to Forbes), this means fines could potentially amount to between $64 Million and $6.84 Billion.
With this magnitude of enforcement potential, not to mention the reputational damage that comes from serious breaches of personal information, it is important to be ahead of this regulation.
Most companies that are impacted (that’s any entity that touches personal data on EU citizens, even if the entity did not collect that information itself) will have compliance initiatives underway. However, there’s one essential element that should not be overlooked or left until the last minute. And that’s your third party compliance.
Why Third Parties are an Important Point of Focus
The question needs to be asked – into whose hands are you placing your company’s reputation and exposure to significant financial penalty? More often than not, your third parties are your greatest area of risk exposure – for data security, and for regulatory compliance. How well do you know them?
Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches. Some of the largest financial penalties for data control failures to date, including those involving Home Depot, Target and AT&T, have been as a consequence of third party actions. These enforcements have already seen costs running into the hundreds of millions of dollars. Now, the GDPR has just raised the stakes even higher.
It’s also useful to look to other extra-territorial regulation and the trends in enforcement that have developed over time. Regulators generally tend to ‘bare their teeth’ and take prominent (often headline-grabbing) actions early. They telegraph (and even state explicitly) what their areas of focus will be. Elizabeth Denham, UK Information Commissioner, for instance, has already stated that the ICO will be looking at investigations that have the largest impact on the privacy rights of individuals, and that technology firms will be in the cross-hairs.
If you look to other regulation, such as the FCPA, the one thing that has been consistent across its history is that the vast majority of enforcements – around 93% - have been due to third party actions. Regulators often focus on the weakest link of compliance as this is where risk exposure is greatest, and more-often than not this has turned out to be third parties.
And finally, despite its elevated risk, third party compliance is too often overlooked or even placed in the ‘too-hard’ basket. With a focus on compliance within the figurative ‘four-walls’ of an enterprise, companies are failing to properly consider the impact of their ‘extended-enterprise’. But, under the GDPR and other regulation, not only do you need to keep your own house in order – you need to be confident in compliance of your third parties’ houses as well.
When it’s potentially many millions to billions of dollars of enforcement fines that your third parties could be exposing you to, it pays to have robust programs in place.
Key Roles and Definitions in the GDPR
The GDPR strengthens data privacy protections for EU citizens in the age of cloud computing, when personal data is collected easily by IT services and government agencies and sometimes used in ways beyond an individual’s knowledge or control. The law was passed by the EU Parliament’s Civil Liberties Committee on April 14, 2016 and takes effect on May 25, 2018, becoming the law of the land in all 29 EU Member States.
Building on earlier legislation, principally as the EU Data Privacy Directive (95/46/ec) which passed in 1995, the GDPR re-establishes an EU citizen’s right to know what personally identifiable information (PII) about them is being collected, why it is being collected, who is using it, and how. The law re-affirms EU citizens’ long-standing right to have their PII deleted (in most cases), data access rights, and establishes new rules for data portability, allowing citizens to request their data from one service provider so it can be transferred to another.
And what is PII? According to the GDPR, it is:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For example, PII could be a database record with a customer’s name, address, and phone number, or it could be as simple as the IP address or MAC address of a consumer’s laptop or smartphone. It could even be a consumer’s post on a social media site about politics, religion, health status, or mood.
Why Third Parties are an Important Point of Focus
Like the EU Data Privacy Directive (95/46/ec), the GDPR defines roles for citizens and organizations working with PII:
- A data subject is a citizen whose PII is being collected, stored, or processed; a data subject can be an employee or a client of a person or organization.
- A data controller is a person or organization who decides how data is to be stored and processed.
- A data processor is a person or organization who operates on or uses that data for business purposes. For example, if a retailer collects customer information, which it shares with a third-party call center, the retailer is the data controller, and the call center is a data processor.
The GDPR also defines a personal data breach, which is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4)
How the GDPR Differs from the EU Data Privacy Directive
How is it different from the EU’s earlier data protection law, the Data Privacy Directive? Here are eleven key differences.
- A regulation vs. a directive.
As the R in GDPR reminds us, the GDPR is a regulation, not a directive. In the EU, a directive compels member states to establish laws in accordance with certain guidelines, but those laws can vary in strictness and implementation from country to country. This variation occurred with the Data Privacy Directive. As a regulation, the GDPR will apply universally across all EU Member States when it takes effect. For the first time, data protection law will be consistent across the EU.
- Broader scope.
The GDPR is more sweeping in its scope than the Data Privacy Directive, which applied to data controllers and data processors located in the EU. Article 3 of the GDPR, “Territorial Scope,” states that the regulation applies to:
- The processing of data by a processor or controller that is established in the EU, even if the processing takes place outside the EU.
- The processing of data belonging to EU citizens, regardless of whether that processing takes place in the EU, provided that the processing is related either to offering goods or services to those citizens (even without a fee) or monitoring the behavior of citizens as far as that behavior takes place in the EU.
The GDPR is truly global. If an enterprise, regardless of where it is based, is handling the PII of EU citizens, then that enterprise is under the jurisdiction of the GDPR, even if it is outside of the EU.
- An increased emphasis on consent.
To justify the processing of PII, data controllers must request and receive consent from citizens that is “freely given, specific, informed and unambiguous.” The request for consent must clearly explain what data is being collect-ed, how and why it is being used, and what rights and means a citizen has for reviewing or revoking the data. (For an example of a consent request form, see the UK home page for Google: www.google.co.uk) As the law firm White & Case points out: “The GDPR makes it considerably harder for organizations to obtain valid consent from data subjects. For organizations that rely on consent for their business activities, the processes by which they obtain con-sent will need to be reviewed and revised to meet the requirements of the GDPR.”
- Liability for data processors, not just data controllers.
The GDPR makes data processors liable for data privacy violations. Under the previous directive, only controllers were responsible for data privacy violations.
- A broader definition of data breaches.
Under the GDPR, the definition of a data breach expands to include any unauthorized disclosure. If an employee sees data that he or she is not supposed to see, that event should be logged and evaluated as a data breach under the GDPR.
- A stricter requirement for prompt data breach notifications.
When a data controller discovers that PII has suffered a data breach, it is required to notify a supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” In addition, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” (Article 34)
- A right to be forgotten.
The GDPR establishes the right for data subjects to request that their PII be erased. Data controllers, including search engine companies such as Google, may need to comply with requests by individuals to be “forgotten.”
- The requirement for “privacy by design”.
The GDPR specifically calls for requirements associated with the regulation to be built into products, projects, processes and systems, rather than being tacked on as an afterthought. This is an interesting development, and one that companies should be paying attention to. It means that companies will need to design compliant policies, procedures and systems at the outset of any product or process development that involves touching personal data.
- Support for the pseudonymization of data.
To support “privacy by design,” the GDPR introduces a new concept in European data protection law: “pseudonymization”; that is, transforming data so that it is neither anonymous nor capable of directly identifying an individual. When data has been pseudonymized, the only way it can be linked to a specific individual is through the addition of other data that is held separately. Pseudonymization allows organizations to analyze data for trends without violating the core data protection rules at the heart of the GDPR. Organizations wishing to perform Big Data analysis of customer trends may need to implement pseudonymization schemes before the GDPR takes effect.
- The requirement for a Data Protection Officer.
The GDPR requires that Data Protection Officers (DPO) be appointed by public authorities and by all data controllers and data processors whose work involves the “regular and systematic monitoring of data subjects on a large scale” or the large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, etc.). Many companies will need to add this position to their IT and compliance staff. (Early drafts of the GDPR limited the requirement for this officer to organizations with 250 or more employees, but the final draft removed this limitation.) The GDPR does allow for this position to be filled by third parties. It’s possible that many companies will hire law firms or other experts to meet their obligations for staffing DPO positions.
- Costlier fines for violations.
Penalties for infractions such as not notifying authorities of a breach and not conducting impact assessments can reach up to 2% of a company’s annual turnover. Penalties for more serious data privacy violations can reach up to 4% of a company’s annual turnover, potentially totaling hundreds of millions of dollars; even billions.
What Steps should Companies be taking now to Manage Third Party Compliance with the GDPR?
Clearly, the GDPR has sweeping ramifications for any organization providing goods or services to EU citizens. But those ramifications become broader when you consider all the third parties that are essential to any Global 2000 organization’s daily operations.
Third parties, which could range from marketing agencies, to debt collection agencies, to law firms, to individual contractors such as software programmers, must also comply with the GDPR if they are involved in any way with the collection or processing of PII for employees, customers or contacts.
Global 2000 companies need to be working on their GDPR Third Party Compliance Programs now. These can take some time to understand, develop and implement and, considering the third-party risks involved, should not be an afterthought.
Here’s five steps, together with some suggested timeframes, that you should be taking now:
- Partnering with your firm’s Data Privacy or Compliance Officer to map your data. Understand where your data is (which third parties have access to it), what data they have (categories of data) and what they are doing with it. Make sure you only collect the minimum required personal data necessary for the product or service, and review legal grounds for processing. (By 1H 2017).
- Ensure you have budget and resource allocated for completing GDPR assessments with third parties for 2017 and remediation projects in 1H 2018. (By 1H 2017).
- Review your contracts. GDPR contains new requirements for contracts with data processors, as well as between data controllers. Third parties should be categorized (as processors or controllers) and contracts should be reviewed for compliance with GDPR. (By 3Q 2017)
- Complete a Pre-Implementation Privacy Impact Assessment of all your third parties that have access to, handle or touch your client/personal data to ascertain:
- their awareness of GDPR
- that they have appropriate technical and organizational measures in place to comply
Having the assessment completed by 3Q 2017 will determine any high-risk suppliers for further review. (By 3Q 2017)
- Ensure that third parties are risk-scored according to assessments and other due diligence. For high-risk third parties, identify audit partners for the assessment of processes and to determine if on-site audits are required. Agree with your compliance team about the scope of remediation programs and on-going monitoring requirements. (By Q1 2018)
You will need to ensure that both your organization and your third parties have the policies, processes and technologies in place to support permissioning of client, contact and employee data. The technologies need to provide auditable consent, ability to withdraw consent to use personal data, deletion of all personal data, data access rights, and data portability. Based on the purpose of collecting this information, your firm may be required to store this client information in a separate digital warehouse.
Further, if you are a controller, you should be ensuring that policies and technologies are in place to detect data breaches and to notify supervisory authorities promptly should any data breaches or other violations occur.
The EU supervisory authorities will begin enforcing the GDPR in May of 2018.