May 25, 2018 — mark the date. That’s the day when the EU’s General Data Protection Regulation comes into force. So why is this a big deal? The EU already has a data protection law that covers how data collected from citizens of its member states is stored and used. To use a cliche — this time is different.
The GDPR has been described as the world’s most comprehensive privacy law, covering virtually every way that data might be collected and used, and not just in the EU. The International Association of Privacy Professionals — an organization that serves the data privacy community — estimates that companies around the world will need to hire more than 75,000 Data Privacy Officers to ensure they are complying with the law. To put that in context, the IAPP’s membership today stands at about 26,000.
The biggest change the GDPR brings to data privacy is that its reach is global. The EU’s own description of this is “it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location” and “it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” In other words, if your company is handling any data on a citizen of an EU member state, collected in the EU, then you are subject to the GDPR.
The DPO
A DPO can be a great job to have. The GDPR specifies that a DPO can insist upon company resources to fulfill their job functions and for their own training. They must be given access to the company’s data processing staff; significant independence; and a direct reporting line “to the highest management level” of the company. They also have job security — the GDPR expressly prevents dismissal of the DPO for performance of their tasks.
But a Data Privacy Officer has their work cut out for them. For one, they must ensure that their employer complies not only with the GDPR itself but also with any unique data privacy requirements of the 28 EU member states. And it gets better: the GDPR includes a right for citizens to obtain an explanation of decisions made by algorithms and a right to opt out of algorithmic decisions.
So if your company has any software products used in the EU that help or make any decisions about people, then any affected person can demand to know the logic and rules used by the algorithms and ask to be excluded from any actions taken as a result. The law does not specify any boundaries on this requirement today, so everything from digital marketing, loans and mortgages, to screening and matching done by an ATS is covered. Any products that incorporate AI will be more difficult to deploy. The EU specifies that doing business using a “cloud” hosted by a third party does not exempt a company from compliance.
Hiring a DPO is not optional for many companies. The GDPR requires that any company that meets the definition of a “data controller and processor” employ a Data Privacy Officer. The definition of a data controller and processor is one whose “core activities require regular and systematic monitoring of data subjects on a large scale.” The IAPP considers this definition to cover:
- Any company with 5,000 or more employees.
- All companies engaged in transportation and storage (e.g., airlines); accommodation and food service (e.g., hotels); and professional, scientific and technical activities (e.g., accounting firms).
- All financial institutions.
- All companies involved in information services and communications.
The consequences of failing to comply with the GDPR are not trivial. Failure to comply can result in a fine of up to 4 percent of annual global revenues or €20 million (whichever is greater). That’s the maximum for a serious violation, but even failing to have proper records can result in a fine of 2 percent. Hiring an inept DPO can cost your company a lot.
The EU Giveth and the EU Taketh Away
So why not get excited about finding DPOs? For starters, it won’t be easy. Given the law’s complexity, ambiguity, and global reach, it’s unlikely there’s any single person who is qualified to be an expert on all or even most aspects of it. Second, with little more than a year left before the GDPR goes into effect, there are already plenty of companies scrambling to find DPOs. The IAPP’s estimate of the number needed is conservative at best. Virtually every country in the world does business with the EU, so the actual number of DPOs needed could be twice as big. It’s a seller’s market, so expect to pay big.
Some analysts who have studied the GDPR think that compliance with the law could eliminate as many jobs as it creates … jobs that could be far more productive than a DPO. Given how overzealous the EU can be in enforcement of its directives, most companies are likely to go overboard in ensuring compliance rather than risk a fine, diverting money away from more value-producing activities and jobs.
In Gone With The Wind there’s a scene where Rhett Butler says, “I told you once before that there were two times for making big money, one in the up-building of a country, and the other in its destruction. Slow money on the up-building, fast money in the crack-up.” Economic and job growth in Europe has been stagnant and the EU may be unravelling, but it’s still creating opportunities for those that are up to the challenge.