Obtaining and Using Personal Information on your Customers, Employees, and Vendors is Very Risky.

This article was originally posted on IG GURU on February 28, 2019

by Ross Federgreen, CIPM, CIPP/US, CIPP/E, CIPP/C, CIPP/G, FIP, and Fellow EPA

Today all businesses should be concerned about the impact of the General Data Protection Regulation (EU Regulation 2016/679) on how they conduct business. Although this was originally written as a law for the European Union, its effect reaches directly into the United States, Canada and all other countries that obtain any form of personal information (PI) of an individual (Data Subject) who is a resident of any of the countries that make up the European Union. This is at least 500 million European adults.

Since the GDPR became effective in May 2018, a growing number of states in the United States and several Provinces in Canada have begun to adopt or have adopted these rules for their own citizens. The most dramatic example of this is the California Consumer Privacy Act (CCPA) which becomes effective on January 1, 2020.

The GDPR consists of eleven chapters which contain ninety-nine articles and 173 recitals, which are commentaries on the content of the chapters. One of the most important and least understood elements of the GDPR is Chapter IV, titled “Controllers and Processors”, which consists of 19 Articles (Articles 24 to 43).

Article 4 of the GDPR provides definitions of key and critical terms.

A ‘controller’ means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

A ‘processor’ means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller;

Essentially Chapter 4 defines the various entities in the processing and handling of PI. It defines the relationships, responsibilities, and liabilities between the various participants. The chapter requires that any relationship between a controller and a processor must be such that the processor is GDPR compliant and further that a contract with specific requirements is executed between the controller and the processor.

Chapter 4, Article 28 of the GDPR defines the individual requirements for that contractual relationship between the controller and the processor as well as the processor and sub-processor. There are fifteen (15) specific requirements of this contractual relationship that must be stated and agreed to so as to meet the requirements. These range from the duration of the processing, Article 28 (3), to the fact that processors must provide to the controller all necessary information to demonstrate compliance with the GDPR, Article 28 (3)(h).

Chapter 8, Article 79, titled “Right to an effective judicial remedy against a controller or processor”, with commentary in Recitals 141 and 145, lays the legal groundwork to obtain significant financial penalties against both the controller and processor or sub-processor for violation. It is mandatory to understand that these rules are blind to the size of the entity by revenue, number of employees or any other characteristic. The only issue that matters is that the entity falls within the definitions of controller, processor or sub-processor as defined in Article 4.

There has been a cosmic shift in the desire to be a processor or sub-processor. Under the rules of the pre-existing Directive that the GDPR replaced there was no penalty for being a processor, and therefore the drive was for an entity to be a processor. Now that paradigm has completely shifted, and there is an explicit consequence for failure to comply as either a controller or a processor.

In the United States, there is a movement towards imposing the regulations set by the GDPR. To date, the most relevant new regulation is the California Consumer Protection Act (CCPA), which is effective as of January 1, 2020, and has been described as GDPR light. How “light” it is, is truly in the eye of the beholder. Multiple other states have either enacted or are on the path to enact similar legislation. A key element that the GDPR and all these regulations have in common is their long reach. As a result, the application of these regulations is based upon the domicile of the data subject and not the location of the controller, processor or sub-processor.

Given the recent rulings at both the Federal level {865 F 3d 620 (DC Cir 2017)}, with the denial of Certiorari (SCOTUS Feb 20, 2018), and the state level {740 ILCS 14/1 (Supreme Court of the State of Illinois)} in terms of Article III, right of standing, the demand for compliance with these regulations and, most importantly, for verification and validation is a mandate. Each controller must demonstrate that each of its vendors who act as processors or sub-processors complies with the various applicable regulations. And again, it cannot be overemphasized that the application of these regulations is solely based upon the domicile of the data subject.

Should the controller take on the requirement to validate and verify that the processor and sub-processors comply with the regulations, inclusive of the contractual requirements? The answer is that there is no preclusion against self-validation. However, this opens the controller to a whole host of adverse consequences and potential charges of complicity if in fact the standards are not met. We strongly believe that a qualified arm’s length third party should be engaged to validate these relationships. The third party must have demonstrated experience, certifications and a deep understanding of the applicable regulations, again based upon the domiciles of the various data subjects of the controller.

What to do

CSR Privacy Solutions (www.CSRPS.com) provides comprehensive controller and processor validation and verification services.

With vast experience and all necessary certifications, we are uniquely qualified to provide these services on a global basis. Currently, our validation and verification services are provided throughout North America, Europe, and Australia.