Commentary

Breaking Through The Shield: Why The GDPR May Not Be So Bad

Did you know that only 11 countries protect personal data in line with European Union requirements, and that this “does not include the United States?”

That’s the word from Bryan Thompson and Sean Hoar, attorneys with the law firm Lewis Brisbois Bisgaard & Smith LLP. It’s worth pondering as we near the drop-dead date of the EU’s General Data Protection Regulation.

If our counting is correct, we’re now 149 days away from GDPR implementation. As alarmists have reminded us, you could end up paying ruinous fines of up to 20 million or 4% of your global gross for violations.

Maybe it isn’t as bad as it sounds. For now, U.S. companies can hide behind the EU-U.S. Privacy Shield, “a voluntary mechanism administered by the U.S. Department of Commerce for firms to self-certify compliance,” Thompson and Hoar write.


Granted, this was negotiated during a previous U.S. administration and under an earlier EU rule: the Data Protection Directive. For our part, it tasks several departments, including Commerce, State, Transportation, Justice, the FTC and the director of National Intelligence, with enforcing compliance, the authors continue.

In theory, the FTC could fine you for unfair and deceptive trade practices if you fail to document your obedience.

But that’s unlikely if you’re not an out-and-out phishing artist. A review by the EU and U.S. last October found that the Shield is working just fine for now, although that could change.

Given that it was negotiated under the Data Protection Directive, “it is likely that European regulators will carefully examine the role of U.S. regulators in the context of GDPR’s requirement once it formally replaces the Data Protection Directive on May 25, 2018,” Thompson and Hoar write.

But what’s the worry? Let’s say you make an inadvertent error in your cyber-security protections or in your due diligence of vendors. It looks as if the EU will be generous in handling such mistakes.

For example, it will take into account the depth, scope, harm to individuals and degree of negligence, according to an analysis by John Whelan, Claire Morrissey, Davinia Brennan, John Cahr and Mark Rasdale of the law firm A&L Goodbody.

This team took a deep dive into the newly issued Guidelines on Administrative Fines from the EU’s Article 29 Working Party, and they conclude that fines will be “effective, proportionate and dissuasive.”

For example, penalties must be based on “an assessment of whether ‘this is an isolated event or symptomatic of a more systematic breach or lack of adequate routines in place,’” the authors report.

In addition, regulators will consider whether the “duration of the infringement may be illustrative of: (a) willful conduct on the controller's part; (b) failure to take appropriate preventive measures, or (c) inability to put in place the required technical and organizational measures,” the authors continue.

Meanwhile, there has been a steady stream of new GDPR product announcements. Just today, D2 Legal Technology debuted a “new solution and remediation service” to help UK businesses comply and observe best practices.

Cheer up. It may cost you a million or two to get in shape, but you can build that into your branding. You’re GDPR compliant!