This article originally appeared in the December 2017 issue of E-Scrap News. Subscribe today for access to all print content.
The “butterfly effect” is the name commonly assigned to the phenomenon where a seemingly localized event has widespread ramifications. As it is usually characterized, a butterfly flaps its wings in one part of the world, eventually causing a thunderstorm thousands of miles away.
In the coming months, a very significant butterfly in the realm of data security – a European Union policy called the General Data Protection Regulation (GDPR) – will be flapping its wings in Europe. It’s unclear what storms may result in North America, but one thing is clear: Stakeholders here will need to be prepared.
This article describes the dramatic impact GDPR’s stringent approach to data security will have on service providers in the EU and U.K. as well as around the world, and why it’s a golden opportunity for reputable e-scrap and ITAD entities.
Not limited to any border
Though the GDPR is not effective until May 25, 2018, its impact is already being felt across Europe and around the world. It is fair to say that no electronics recycler will escape its influence and for two good reasons.
First of all, the GDPR itself is not limited to any border. Any organization touching information that pertains to an EU citizen is required to comply. Further to this point, it is illegal under the GDPR to send or share such information with any person or organization that is not compliant, no matter where that company is located. There are few, if any, multinational corporations, financial institutions, government offices, insurance companies, hotel chains, airlines, and other major businesses where such information is not recorded on their electronic media.
The second reason the GDPR is sending ripples around the world is less tangible but in some ways more powerful.
The EU is the perceived leader in the area of data protection as a human right, much of which stems from the continent’s development two decades ago of the initial Data Protection Directive. It’s hardly surprising then that other countries are already holding the GDPR as the example for their forthcoming policy amendments.
The list of countries currently involved in major revisions to their data protection regulatory frameworks that are vocally extolling the virtues of the GDPR include Australia, Canada and Japan, among others. And it makes sense. As written, the GDPR is the most serious revision of a data protection regulation ever, and if the rest of world is going to have to comply in order to do business in Europe or with European entities, then why would those countries not defer to it? The alternative is to pursue some treaty-like approach along the lines of the U.S.–EU framework mentioned above.
Clearly, the policy is an important one for any company that handles equipment that could hold personal information. The obvious question for North American recyclers is: What exactly does GDPR entail?
Tightening up a pioneering policy
The GDPR replaces the EU’s Data Protection Directive (DPD), which was enacted in 1995.
Though it was not the first data protection law, the DPD was the first to clearly define privacy and data protection in a manner that limited abuse, assured personal rights and included strong enforcement provisions. However, being a forerunner in this arena meant it also underestimated what it would take to truly address the protection of personal information.
It is understandable that an initial attempt to deal with protecting personal information rights would tread softly. Legislators chose to mandate the protection of personal information as a “directive” rather than as a “regulation,” meaning that each EU member country was instructed to create its own law that met certain loose parameters. As a result, the countries were afforded considerable latitude in what their final laws looked like. This approach, in turn, led to inconsistent cross-border implementation in almost every aspect of personal information protection, including enforcement and penalties.
The degree to which personal information would be put at risk today and the enormity of the harm done to constituents was unfathomable in 1995. Identity theft, hacking and data security breaches were more theoretical than real. In the decades that followed, other countries, including most notably the United States, learned the hard way that much clearer direction and considerably stronger enforcement were needed for organizations to take proper precautions.
Over the years, as the steps necessary to address data protection challenges became clearer, European heads watched and waited (and some clamored). And, though the region waned as a leader in the area of personal data protection, policymakers learned from the experience of others what did and did not work. Those lessons are reflected thoughtfully in the GDPR, and it is now the rest of the world taking cues.
Being an EU “regulation,” as opposed to a “directive,” the law is much more specific about its requirements: Countries have considerably less latitude in interpreting and implementing what is demanded of them, and the GDPR achieves standardization when it comes to enforcement (and the level of fines tied to enforcement).
Possibility of hefty fines for violators
The requirements of the GDPR fall into three categories:
- Enhancements to directives from the DPD.
- Elements introduced by other data protection regulations.
- New requirements unique to the GDPR.
Topping the list of enhancements to existing provisions are the sanctions, which in the past have been varied and often weak.
Under the GDPR, those penalties are set at a maximum of 4 percent of annual gross revenue. The maximum fines would likely only be applied in the most egregious violations, but the mere possibility of such punishments means even less egregious violations are likely to be met with significantly higher fines than they are presently.
Further, under the existing directive, service providers (such as computer recyclers) are responsible to safeguard data on behalf of their clients; however, there is often marked differences in the way country-specific laws are applied. Under the GDPR, data controllers (those primarily entrusted with the care of client data) and data processors (vendors hired by data controllers to protect the data) are subject to all requirements and penalties without discrimination. The focus of this article is too broad to fully explore the full impact of this regulatory perspective, but readers should keep in mind any requirement or fine mentioned here (or in the GDPR) applies to both customers and their service providers equally.
Other legacy requirements for which the rules and enforcement have become more robust include assignment of a data protection officer (DPO), maintenance of an employee training program and written procedures approved and enforced by the organization’s DPO (see sidebar above).
Among the upcoming requirements within the GDPR, there is really only one that has been developed in other parts of the world and is being borrowed for the EU policy. Under the GDPR, any organization in possession of the personal data of EU citizens must report any data security breaches to the affected individuals as well as to regulators. Breach notification has been around more than a decade in the U.S.; the need for it in the EU is the primary reason for the escalation of enforcement and penalties.
Let’s face it, it is difficult for policymakers to ignore headline after headline. Once a light is shed on such breaches, it is impossible for regulators to ignore their obligation to issue appropriate fines.
Two subtle areas of importance
In addition to upgrading existing provisions and borrowing effective strategies developed elsewhere, EU policymakers have broken new ground in the GDPR in two unique, subtle ways.
The first has to with new requirements in terms of demonstrating compliance.
When there is any report or complaint related to a potential data security breach, the first thing regulators do is of course look for evidence suggesting non-compliance. Sometimes finding evidence of compliance (or lack thereof) is difficult to establish. For instance, if a regulation requires due diligence in the selection of a service provider (which the GDPR does), it may not be obvious after the fact whether or not proper due diligence was used. So, under the GDPR, data controllers and data processors are required by the law to be able to demonstrate compliance. This may seem like a minor point, but it is the first time in any data protection law that the inability to clearly demonstrate compliance is in and of itself considered a violation of the law.
The second area in which GDPR enters relatively uncharted territory is its integration of certifications.
Data protection regulations around the world have many components in common, one being that they require clients to verify the capabilities and compliance of their data processing vendors (including recyclers). However, most clients don’t know they have this obligation, and even if they do know about this demand, they might not know what due diligence looks like.
The GDPR is the first data protection regulation with a built-in mechanism for approving industry certifications that will make it easier for covered entities to identify a qualified service provider. In order for a certification to earn this seal of approval, the certification has to apply and receive approval from the European Data Protection Authority.
Provided the certification qualifies, data controllers will be able to use the certification status as a means to vet prospective vendors.
A world of opportunity
To be sure, many electronics recovery stakeholders will see the GDPR as just one more challenge, one more governmental boondoggle, one more expense.
However, the rollout of the data-protection effort contains significant promise for electronics recyclers in Europe and around the world that embrace the full scope of GDPR.
Strong data protection laws are in fact the best thing that can happen to reputable electronics recyclers – not only because the emphasis on data protection brings the ability to offer value-added services, but because the marginal providers will never respond to the pressure. It’s not in their DNA. This should allow companies that focus on the privacy needs of society to flourish.
Bob Johnson is the founder and CEO of the National Association for Information Destruction (NAID). He can be reached at rjohnson@naidonline.org.