A colleague of mine asked me, “Who in the auto dealer industry really cares about the General Data Protection Regulation?” I thought about titling this article “GDPR: Who Cares?” But upon further reflection, I thought that the GDPR might bring focus to data management and data protection and give a sneak peek toward future trends.
Let’s start with some background. The Equifax data breach of 2017 affected almost half of all Americans, approximately 142 million people. Nonpublic personal information (NPI) such as names, Social Security numbers, birth dates, driver’s license numbers, and other information was disclosed. In 2018, approximately 50 million Facebook users’ profiles, including personal information, was obtained by Cambridge Analytica in one of the largest known social media network breaches.
GDPR is a European Union data protection and privacy regulation which went into effect on May 25, 2018. GDPR establishes strict standards for consent and data breach notification (among other standards) and provides for penalties of up to 4% of global revenue.
In terms of data breach notification-based facts reported in the media, Equifax took 143 days to discover the data breach and 40 days after the discovery to notify affected individuals. Facebook is said to have discovered that users’ personal information was harvested some time in late 2015, but an announcement was not made until March 2018. (Note that Facebook claims that the harvesting of millions of user profiles by Cambridge Analytica was not a data breach.)
“The GDPR ‘sets the bar’ for data compliance. That bar is currently higher than contemplated U.S. standards.”
In the U.S., several bills on data breach have been introduced, most notably the Consumer Privacy Protection Act of 2017 and the Data Security and Breach Notification Act. The Consumer Privacy Protection Act of 2017 would establish a national standard for “comprehensive consumer privacy and data security programs” for larger companies.
While the FTC, the U.S. attorney general and state attorneys general would have enforcement authority, there is no private right of action. (A private right of action is a case brought by the individual consumer rather than a regulatory entity such as the FTC.) The legislation only provides for notification of a data breach “as expediently as possible” and “without unreasonable delay” rather than a specific time period.
The Data Security and Breach Notification Act also seeks to create a single standard rather than the current varying state requirements of data breach notification. The Data Security and Breach Notification Act includes a 30-day data breach reporting rule for larger companies (regarding non-healthcare data).
As opposed to the two proposed U.S. Acts above, the GDPR requires a 72-hour data breach notification. When this short timeline is combined with immense penalties, data security and management becomes much more important.
So, the answer to my friend asking who cares about GDPR is as follows: While most U.S. dealers will have few customers who are residents of the European Union or other factors subjecting them directly to the GDPR, the GDPR “sets the bar” for data compliance. That bar is currently higher than contemplated U.S. standards, but gives us all a look into the future.
The GDPR represents a change, on a global scale, in the acceptable methods for handling data across the world. The GDPR elevates compliance to center stage and has quantifiable standards and enormous penalties to ensure it will be taken seriously.
We in America have been, perhaps, too lax with our data standards — think unsecured credit applications, unaccounted-for deal jackets, or DMS and other vendor systems with unfettered NPI access — and, to paraphrase the immortal Sam Cooke, “A change is going to come.” The only question is whether your shop is prepared for it.
DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without you retaining counsel to provide specific legal advise based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney- client relationship is being created by your review or use of this material.
© 2018 Robert J. Wilson, All Rights Reserved
Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space and he regularly consults with Lenders and contributes articles on various compliance related issues.