US businesses need to start preparing for the European Commission's General Data Protection Regulation, which is up for a final regulatory vote Thursday, and if passed would result in massive fines for non-compliance.
The rules would be enforced starting two years from Thursday. Regulators, after performing privacy audits, can penalize a business up to Euro 20 million or 4% of annual revenue, whichever is more.Businesses will be required to only store personal data if people opt-in, honor requests for personal data erasure, keep track of personal data in auditable ways, provide breach notifications within 72 hours, and make all personal data portable. It's a replacement forthe 1995 Data Protection Directive, and applies to all companies conducting business in Europe, regardless of where the companies are based.
"It is the biggest event that will take place in my lifetime as a data privacy lawyer," said Lisa Sotto, a privacy expert at international law firm Hunton & Williams. Sotto, based in New York, is a member of Hunton's European Data Protection and Privacy team.
"We are starting now with many of our clients to create a work plan to get into compliance with this," Sotto explained. "There is no leeway here," she noted. She said there won't be any escape, because European regulators routinely get complaints from citizens who are generally more conscious of privacy rights than people elsewhere, including those in the US, she said.
Sotto's team created a detailed overview document (PDF) of the new regulation.
Businesses are definitely taking note, said Omer Tene, vice president of research and education at the nonprofit International Association of Privacy Professionals (IAPP), which is based in New Hampshire.
During the next two years, "Businesses should use that to adapt their systems and their practices to some of the new rules," Tene said. There will be approved transfer mechanisms for personal data, he said.
"Being upset is not relevant here. Europe is a huge trading block, it has 500 million citizens, and it's a bigger economy than the United States. We have to live with their laws," Tene said. "It an investment, and businesses will have to work and comply with it. It is definitely a big compliance undertaking. There will be a lot of hours invested."
To help, the IAPP published a short video and partnered with TRUSTe, which sells an online service for businesses to perform data privacy assessments. TRUSTe, in San Francisco, produced a version of its software for IAPP members and is planning to update the software this summer.
"New TRUSTe Assessment Manager functionality is being developed to address a wide range of data privacy management use cases. We have just released a new ISO 27001 assessment template and later this month Assessment Manager will be integrated with TRUSTe Website Monitoring and EU Cookie Consent Management technology," spokeswoman Eleanor Treharne-Jones said.
"June will see the launch of Asset Manager, an online inventory management solutions for systems, applications, and products undergoing or requiring assessment."