GDPR, Something Stringent Building Sway, Part VII

The western front of the United States Capitol, Public Domain

Professional Services Firms And GDPR

Last time we considered the absence of federal legislation in the US that matches the General Data Protection Regulation (GDPR) and noted that, in its absence, several US states have enacted or proposed their own data privacy laws. Now we examine the responsibilities of professional services firms in light of the imminent and pervasive adoption of state data privacy laws: the risks of inadvertent breach of the GDPR, the penalties for breaching it, and the measures a professional services firm must take to conform with the GDPR or GDPR-like laws.

Advent of US Legislation Similar to The GDPR

To restate, organizations outside the EU, particularly in the US, would do well to discipline themselves according to a code of conduct of the kind provided for in Art. 40 of the GDPR. In doing so they anticipate the strictest and most comprehensive measures for data privacy and processing now being legislated, and they are prepared for the inadvertent handling of the personal data of EU data subjects. As earlier posts in this series showed, several US states, California, Colorado, and Virginia amongst others, have already legislated on data privacy and processing in ways that emulate the GDPR.

Risks of Inadvertent Breach of The GDPR

Non-European firms can find themselves entangled in the GDPR web through their relationships with third-party suppliers and subcontractors, and through accounting or legal matters, in several ways:

1.   Engaging in contracts with EU-based third-party suppliers or subcontractors without data processing agreements that meet the GDPR's requirements (Art. 28).

2.   Inadequate management of vendors who process, or have access to, the personal data of EU residents, so that there is no assurance these third parties adhere to GDPR standards.

3.   Failing to conduct due diligence on third-party suppliers and subcontractors to confirm that they have robust GDPR compliance measures in place.

4.   Failing to address GDPR compliance in contracts and legal operations.

5.   Failing to understand the GDPR at all, and therefore not recognizing when EU personal data has entered the firm's systems.

Penalties For Breaching The GDPR

Non-European firms that inadvertently violate the GDPR can face a range of penalties. Under Art. 83, the penalty is determined by the nature, gravity, and duration of the infringement, whether the violation was intentional or negligent, and whether any action was taken to mitigate the damage suffered by individuals. The potential penalties are:

1.   Warnings: Where intended processing operations are likely to infringe the GDPR, a supervisory authority may issue a warning without a monetary fine, especially if the non-compliance appears to be inadvertent.

2.   Reprimands: A reprimand may be issued for an infringement that has already occurred. It is a formal expression of disapproval and does not include a financial penalty.

3.   Fines: For the most serious violations (for example, breaches of the basic principles for processing, of data subjects' rights, or of the rules on international transfers), fines can reach up to €20 million or 4% of the firm's total worldwide annual turnover for the preceding financial year, whichever is higher. For less severe violations (for example, breaches of the controller and processor obligations on security and breach notification), fines can reach up to €10 million or 2% of that turnover, again whichever is higher.

4.   Temporary or Definitive Ban on Processing: Data Protection Authorities (DPAs), the supervisory authorities of the Member States, can impose a temporary or definitive ban on processing, which can severely disrupt a firm's operations.

5.   Civil Law Claims: Under Art. 82, individuals who have suffered material or non-material damage as a result of a GDPR violation have the right to receive compensation from the controller or processor responsible for the breach.

6.   Corrective Measures: Under Art. 58, DPAs have the authority to order corrective measures, such as the rectification or erasure of personal data, the restriction of processing activities, or the bringing of processing into compliance within a specified period.

Importantly, even inadvertent violations are taken seriously. The GDPR requires that penalties be "effective, proportionate, and dissuasive," and a firm's ignorance of the regulation is no defense.

Measures Required of Professional Services Firms

GDPR applies to any professional service firm that processes the personal data of individuals in the EU or EEA, regardless of where the firm is located or where the data are processed. Professional service firms may process personal data of their employees, clients, potential clients, contractors, or other third parties in various situations, such as providing legal, accounting, consulting, or auditing services, managing human resources, conducting marketing activities, or maintaining IT systems. Therefore, professional service firms must comply with the GDPR rules and obligations regarding the collection, processing, storage, and transfer of personal data, and respect the rights and requests of data subjects.

The measures required of professional service firms to comply with the GDPR may go beyond those expected of a website, depending on the type, purpose, and scope of the data processing activities. Some of the specific issues that professional service firms may need to address include:

Security and breach notifications: Professional service firms must implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data (Art. 32). A personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the firm becoming aware of it (Art. 33); where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Art. 34). Professional service firms may face higher risks of data breaches because of the nature and sensitivity of the data they handle, such as confidential, financial, or legal information. Therefore, they may need to adopt more robust and comprehensive security measures, such as encryption, network segmentation, access controls, logging, and tested backups, and have a documented and well-rehearsed breach response plan that can meet the 72-hour deadline.

Data Minimization: Collect only the personal data that are strictly necessary for the intended purpose, retain them no longer than that purpose requires, and limit access to personal data within the organization to those who need it.

Supplier arrangements: To repeat, professional service firms may engage various suppliers or subcontractors to provide or support their services, such as cloud providers, software vendors, and outsourced service providers. In such cases, the firm must ensure that its suppliers and subcontractors comply with the GDPR and must enter into written contracts (data processing agreements under Art. 28) that specify the roles, responsibilities, and obligations of each party concerning the data processing. The firm may also need to conduct due diligence and audits on its suppliers and subcontractors and monitor their performance and compliance on an ongoing basis.

Accountability and governance: Professional service firms must be able to demonstrate compliance with the GDPR by implementing appropriate policies and procedures, conducting data protection impact assessments where processing is likely to result in a high risk (Art. 35), maintaining records of processing activities (Art. 30), appointing a data protection officer (DPO) where the GDPR requires one (Art. 37), and cooperating with supervisory authorities. The firm may need to establish a clear and effective data protection governance structure and allocate sufficient resources (including audits) and training to ensure compliance across the organization. It may also need to review and update existing policies and procedures, such as those on data retention, data minimization, data quality, and data subject rights, to align them with the GDPR requirements.

International issues: Professional service firms may operate or provide services across different jurisdictions and may need to transfer personal data to third countries or international organizations outside the EU or EEA. In such cases, the firm must ensure either that the destination is covered by an adequacy decision of the European Commission (Art. 45) or that appropriate safeguards are in place (Art. 46), such as binding corporate rules, standard contractual clauses, or an approved certification mechanism. The firm may also need to comply with different or conflicting data protection laws in different jurisdictions and may face challenges or uncertainties in determining the applicable law or the lead supervisory authority.

Consent: Professional service firms may rely on consent as the legal basis for processing personal data in some situations, such as sending marketing communications, using cookies, or processing special categories of personal data. However, the GDPR sets a high standard for consent (Art. 7): it must be freely given, specific, informed, and unambiguous, and indicated by a clear affirmative action. Firms may need to review and revise their consent mechanisms and practices to ensure that they provide clear and transparent information, ask for an active opt-in, keep records of consent, and respect the right to withdraw consent as easily as it was given.


So, the GDPR is a complex and comprehensive law that may require more specific or additional actions depending on the context and circumstances of each professional service firm. The advent of US state privacy and data legislation means that professional services firms would do well to adopt a code of conduct of the kind provided for in Art. 40 of the GDPR. Non-European firms run the risk of becoming entangled in the GDPR web through their relationships with third-party suppliers and subcontractors and through accounting or legal matters, and they can face a range of penalties as a result. Professional service firms must comply with the GDPR rules and obligations regarding the collection, processing, storage, and transfer of personal data, and respect the rights and requests of data subjects. It is therefore advisable to consult a legal or data protection expert (a GDPR compliance consultant) for further guidance and assistance. Next time, we look at the requirements the GDPR places on websites.


–Richard Thomas

Previous, Part VI

Next, Part VIII
