
Here Come the New EU Rules on Data Privacy

Many U.S. companies may think they don’t have to worry about them. But, as Justin Antonipillai and Ajay Arora explain, they do.

JUSTIN ANTONIPILLAI | ‘There are thousands of companies that have no idea that you’re actually covered by this law.’ Photo: Andy Davis for The Wall Street Journal

About five months from now, sweeping new privacy regulations are taking effect in Europe, and they will reverberate far beyond the EU. What do U.S. companies need to do to prepare for General Data Protection Regulation?

The Wall Street Journal’s Jeff Stone spoke with two experts to get a handle on the issues: Justin Antonipillai, founder and chief executive of WireWheel and previously acting undersecretary at the Department of Commerce; and Ajay Arora, CEO and co-founder of data-security firm Vera.

Here are edited excerpts.

Background on GDPR

MR. STONE: One of the things I was hoping you could help us understand is how and why these rules came about.

MR. ANTONIPILLAI: I came into the Obama administration into the agency that was the lead for privacy rights after the Snowden disclosures. What we saw is that privacy isn’t one of these things that you’re going to see at the lower end of the priority chain.

It has become a trade issue. It has become an issue that comes up as a market issue. And for folks that are on the security side, it is going to be a critical part of your portfolio for the next couple of years.

MR. ARORA: This is an extension of what the EU already has had in place since about 1994. They’ve been talking about taking it to the next level and making it more modern for many years. Even the mind-set of U.S. corporations versus EU corporations is very different. In the EU, they have chief privacy officers. In the U.S., we have chief security officers.

The tendency to look at cybersecurity here is from a “How am I protecting my corporate data from the outside world?” approach. In the EU, it is more about privacy of the individual. They’re at conflict.

U.S. companies are going to have to understand that it isn’t just a change in technology or even process.

MR. STONE: Which industries in the U.S. are going to be hit the hardest when GDPR comes into place?

MR. ANTONIPILLAI: It is kind of everybody, but the ones that will be really a focus are financial services, health care, advertising analytics.

The reason this is going to hit so many isn’t just that the fines are so massive. It is that there are thousands of companies that have no idea that you’re actually covered by this law. Under old European law, if you kept the data in Europe it was covered under European law, and if you kept it in the U.S., you were under U.S. law.

Now, it is if you offer a service in Europe, which could be as little as offering your app in the EU app store. So there are going to be companies located in Silicon Valley, and they’re directly covered by this.

In addition, if you do certain kinds of things, you actually have to hire an independent auditor that works for your company whose entire job is to make sure you’re compliant with this law.

AJAY ARORA | ‘The regulators I’ve spoken to have stated very clearly they will make examples of companies.’ Photo: Andy Davis for The Wall Street Journal

MR. ARORA: The number one thing I hear is that the initial reaction is, “That is an EU thing. I don’t have to worry about it.” But it is a very low bar to be able to say that you’re subject to the GDPR as opposed to the previous safe-harbor acts, because you could just be a processor of data. You might have any kind of data that you contain, any kind of analytics information that you contain. There is a right to notify. There is a right for the individual to be able to withdraw from it.

The wake-up call is saying that, “You don’t have to be doing direct business with an organization in the EU. If any part of what you’re doing touches some individual data there, then you are subject to the governance of the GDPR.”

And the regulators I’ve spoken to have stated very clearly they will make examples of companies. Large, medium and small, within the EU and outside of it, because they want to make sure.

Ready or Not

[Chart: Where companies in the U.S., U.K. and Japan stood this summer in preparing for the European Union’s General Data Protection Regulation, and what it cost them. Two panels: “Stages of preparation” (categories: Finished operationalizing preparations; Started operationalizing preparations; Completed assessment; Started assessment; Not yet started preparing; values shown: 11%, 25%, 21%, 36%, 7%) and “Amount spent by those that finished preparations” (categories: Less than $1 million; $1 million to $5 million; $5 million to $10 million; More than $10 million; values shown: 13%, 40%, 29%, 19%).]

Source: PricewaterhouseCoopers survey of 300 CPOs, CIOs, general counsels, chief compliance officers, and VPs in related departments, completed in July 2017

Three days

MR. STONE: Can you walk us through some of the implications of the requirement to notify affected users within 72 hours of a breach?

MR. ARORA: The regulations vary a little bit. There are two broad categories of these regulations when you’re dealing with a breach.

One is, are you mishandling the data? Has it been mishandled? Or is there something that is more deliberate? Are you misusing the data? Whether it is mishandling or mismanagement versus misuse, there are two different kinds of bars for that.

So the first thing, when an organization realizes that there has been a breach, it isn’t just a knee-jerk, “you inform.”

You have to figure out what kind of breach it is, who’s affected, what kind of information’s affected before you’ll be able to do that.

Now, if you think about all the things that have to happen before that 72-hour window, you have to have the ability to be able to identify the breach happened, what was impacted, who was implicated, what articles were potentially breached and what to inform.

So there have to be a lot of things in place before you even think about sending out a notification broadly, or to the regulators or anything like that.

That set of capabilities has to be put in place a priori, and not post facto, on this thing, to be able to say, OK, something happened. Quickly classify. Quickly identify. And then decide whether or not to put it out there.

MR. ANTONIPILLAI: There are a bunch of qualifications to it that demonstrate why some engagement with the regulators is important.

It is 72 hours from when you know there is a breach, and that is pretty hard to tell. It has to relate to a data store that has personal information. This is why data-flow mapping is so critically important.

And it relates to when you are in fact the controller. Because if you’re the one who has the customer relationship fundamentally, you’re responsible for making sure that the entire chain that has access to that data actually can let you know in that 72-hour window.

That means you have to do due diligence to make sure that they understand when the breach has occurred. If you’re handing your data off to a company that is doing your customer-relationship management work or your human-resources work or any of that kind of stuff, that responsibility’s ultimately on you for the notification window.

Write to reports@wsj.com

Appeared in the December 19, 2017, print edition as 'Here Come the EU Rules.'
