GDPR: The Reg, the Myth, and the Impact on Relocation
Posted by: Pam Uhl, VP & Associate General Counsel
The new EU General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive. A “regulation” in the EU is applied in full to each member country, while a “directive” requires each country to enact legislation to meet the objectives of the directive. So, GDPR will become directly applicable to each member country on its effective date of May 25, 2018.
Understanding GDPR and its Impact on Relocation
While the United States, most notably California, has led the world in data breach notification requirements, the EU has long been the leading force with respect to privacy regulations. The European Commission describes GDPR as an attempt to both “strengthen citizens' fundamental rights and facilitate business by simplifying rules” for companies. GDPR will apply not only to companies with a presence in an EU country, but also to those which process personal data of EU residents and citizens.
Much has been said and written about GDPR—seminars, white papers, blogs, checklists, guides, recommended practices—often from companies looking to sell expensive products and/or services to aid in compliance. And GDPR violations can carry heavy fines of up to 20 million Euros, or 4% of a company’s total worldwide annual turnover, whichever is greater. But Elizabeth Denham, the UK's Information Commissioner, who is in charge of data protection enforcement in the UK, says she is frustrated by the amount of “scaremongering” around the potential impact for businesses. She says of GDPR that “It's still an evolution, not a revolution.” She adds that for businesses already complying with existing data protection laws, the new regulation is only a “step change.” The purpose of this blog post is to cut through some of the myths and legends about GDPR and provide an overview of some important areas where Cartus is focusing in order to comply with the Regulation.
A few definitions are helpful in order to understand GDPR:
Personal data is any information relating to an identified or identifiable natural living person (a data subject). This is a broad definition that will encompass even work email and business contact information.
Processing includes obtaining, recording, storing, transmitting and destroying personal data.
A controller controls the purposes and means of using personal data, and a processor processes data on behalf of the controller. In general, in Cartus’ world, the client is the controller, and Cartus and its supply chain are all processors. It is possible for an entity to be both a controller and a processor; and that is the case when Cartus is performing its home buyout service. As another example, a company that processes payroll for other companies would be a processor in that capacity, but a controller when processing payroll and benefits for its own employees.
What are some of the myths of GDPR?
Some of the most common myths about GDPR include:
Myth #1: The right to be forgotten means a company has to delete a data subject’s personal information upon request.
The right to be forgotten is not absolute. It must be balanced against freedom of expression, the public interest, and the exercise or defense of legal claims. However, personal data should be deleted if it is no longer necessary for any legitimate purpose (i.e., after a legally required data retention period). And if a business has made personal data public and the data subject requests that the data be deleted, the business is expected to make reasonable efforts to inform third parties to whom it passed the data that deletion has been requested.
Deletion of data is an area where there is no black and white answer. Decisions will need to be made on a case-by-case basis and in reliance upon future guidance from the regulators. A data subject also has the right to request restriction on processing of personal data (other than storage) in certain circumstances.
Myth #2: Every company that processes personal data must appoint a Data Protection Officer (DPO).
Private companies only need to appoint a DPO if their “core activities” involve processing operations which require regular and systematic monitoring of data subjects on a large scale, or large scale processing of sensitive data (race, religion, health information, etc.) or data relating to criminal convictions and offences. However, even if a DPO appointment is not mandatory, the EU authorities encourage voluntary designation of a DPO.
A voluntary DPO can help guide compliance with data protection laws, and be available for inquiries from data subjects and supervisory authorities. The DPO can be an individual or a “DPO team.” A mandatory DPO has many rights, such as direct reporting to the highest management level, the right to sufficient resources, and continuous training, and may not be dismissed or penalized for performing DPO tasks.
Myth #3: Every breach of personal data must be reported to the regulators within 72 hours of the incident and must include all the details of the event.
Notification to the applicable supervisory authority is the responsibility of the data controller “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” (Emphasis added). Further, notification is not required if the “personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” In most cases, if the high risk standard is met, the controller must also notify the data subjects. A data processor must notify the controller of any personal data breach (even if the breach is not likely to result in risk) “without undue delay” after becoming aware of the incident, but does not have further reporting requirements. Although details are required to be provided to the supervisory authority, the GDPR recognizes that some details may not be available at first and can be reported later.
Myth #4: Every company needs to perform a Data Protection Impact Assessment on all of its systems and operations.
Data Protection Impact Assessments are a useful tool to understand and mitigate risk to personal data when performing processing operations. However, they are required only when the processing may carry a high risk to the rights and freedoms of data subjects. The supervisory authorities will publish lists of processing operations for which DPIAs should be carried out by the controller.
What is Cartus doing to assist our clients?
Following are some of the main topics that Cartus is working on in our role as a processor for our clients to aid their readiness for GDPR compliance.
- Data Subject Rights. With respect to the “right to be forgotten,” Cartus has reviewed and revised our data retention policies to ensure that we are not retaining data for longer than needed based upon applicable laws. Cartus will continue to aid our customers’ and clients’ needs for data portability. Currently, transferees can access and rectify their data held at Cartus via CartusOnline, and Cartus can produce standard and customized reporting for clients. Our online privacy statement and consent forms explain to customers what data we collect, how we use it, and with whom we share the data. Our U.S.-based company, Cartus Corporation, has self-certified with both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, and follows their principles for cross-border transfers of data.
- Data Collection, Quality and Purpose Limitation. Cartus has historically followed the principle of least data. We strive to collect and store only the data needed to provide our services. Data minimization eases the task of inventorying applications, which Cartus has completed. Cartus is prepared to provide our clients with records of the categories of personal data processing activities carried out by us. We are exploring enhanced tools to provide transparency for clients and customers with respect to what personal data is collected and where it is used. Cartus continues to align and implement our security controls with ISO 27001 to ensure consistency with industry-recognized practices and processes. Additionally, Cartus is working with its parent company, Realogy, to enhance the security posture of the company, as well as to implement shared security services such as the companies’ Security Operations Center.
- Data Protection Officer (DPO). Cartus has appointed a DPO for Germany, as required under the current German legislation, and Switzerland, which operates under a similar legislative framework, and is assessing whether or not we will appoint an overall DPO, and whether that will be an individual or an office for the DPO.
- Breach Reporting. Cartus has updated our security incident response processes and tracking. We continue to educate our workforce with respect to information protection, and emphasize the need to report incidents to our interdisciplinary response team. We are prepared to report breaches to the data controller, and aid the controller in case notice to a supervisory authority is required.
Cartus is committed to doing its best to protect the personal data entrusted to us by our clients and their relocating employees, and welcomes GDPR as another “step change” to reassess our privacy processes and enhance our data protection measures.