The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and represents a significant new legal regime for protecting personal data that will impact organizations worldwide. GDPR sets out a regulatory framework governing the collection, use, storage and destruction of personal data of European Union (EU) residents and applies even to entities outside the EU that process the personal data of EU residents in connection with offering goods or services to such residents or monitoring their behavior within the EU.
In the EU, unlike in the United States, the protection of personal data is treated as a fundamental right. The existing EU data protection regime dates back to the Data Protection Directive of 1995 (the Directive), which each EU Member State implemented through its own national legislation. In light of significant advances in information technology over the intervening years, including the globalization of digital communications and information processing, and in the interest of harmonizing personal data protection legislation and enforcement across the Member States, the European Parliament and the Council adopted the GDPR in April 2016. Because it is a Regulation rather than a Directive, it applies directly in every Member State without the need for national implementing legislation.
Notably, penalties for violating GDPR may include administrative fines of up to 4 percent of total worldwide annual turnover for the preceding financial year or €20 million, whichever is greater.
Does GDPR Apply to Your Business?
Officers and directors of many U.S. businesses that have no subsidiaries or facilities in Europe may instinctively believe that GDPR will have no effect on them. However, the scope of GDPR is very broad and its terms should be interpreted carefully. A company or other organization may be subject to GDPR if it stores or processes personal data of EU residents, or engages another company or organization to do so on its behalf, in connection with offering goods or services to such residents or monitoring their behavior within the EU. Such an organization faces the risk of private actions by data subjects and of fines from supervisory authorities if it violates the Regulation.
To illustrate GDPR’s reach, commentators have suggested that simply setting cookies (the ubiquitous bits of text that a website stores in a user’s browser, for example to capture preferences) or logging the IP addresses of visitors from the EU may amount to monitoring activity governed by GDPR; the Regulation itself counts online identifiers such as cookie identifiers and IP addresses among the data that may identify a natural person. Enterprises that assume GDPR does not apply to them because they are “not in Europe” proceed at their own risk.
What Does GDPR Provide/Require?
GDPR confers various rights on data subjects (identified or identifiable natural persons) regarding the processing of their personal data (i.e., any information relating to them, including data by which they can be identified), including:
• Right of access (including as to purpose of processing, categories of data, parties to which data is disclosed, and/or being provided with a copy in a common format)
• Right to rectify inaccuracies or deficiencies
• “Right to be forgotten” (to demand erasure of personal data, for example where the data is no longer necessary in relation to the purpose for which it was collected, or where the data subject withdraws the consent on which the processing was based)
• Right to object to processing (including processing for direct marketing or profiling)
• Right to withdraw consent at any time where processing is based on consent, with withdrawal being as easy as giving consent
• Right to lodge a complaint with a supervisory authority and bring a private cause of action against a data controller or processor for infringement of rights under the Regulation
GDPR imposes corresponding obligations on data controllers (party determining purposes and means of processing personal data) and data processors (party processing data on behalf of controller), including:
• Implementing appropriate technical and organizational measures to adhere to Regulation ("data protection by design")
• Ensuring protection of data subjects’ rights
• Respecting the basic principles of personal data processing (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability)
• Securing consent to process personal data (when required) “in an intelligible and easily accessible form, using clear and plain language”
• Governing processing by a processor through a binding contract or other legal act, under which the processor acts only on the controller’s documented instructions and may not engage a sub-processor without the controller’s prior authorization
• Employing security measures appropriate to the risk (e.g., pseudonymization and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability after an incident; and regular testing of those measures)
• Deleting personal data, or returning it to the controller, at the controller’s choice, upon conclusion of processing services
• Maintaining records of processing activities
• Notifying the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and notifying affected data subjects without undue delay where the breach is likely to result in a high risk to them (a processor must notify its controller without undue delay)
• Appointing a data protection officer (for public authorities, and for controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data)
• Ensuring appropriate safeguards, and enforceable data subject rights, for transfers of personal data outside the EU
• Appointing a representative in the EU (for non-EU businesses subject to GDPR, subject to limited exceptions)
What Should Your Business Do?
Different organizations are responding in different ways to the changes that GDPR is bringing, and such responses should reflect the particular circumstances applicable to each. Nonetheless, there are some basic considerations that should inform the approach of most organizations to GDPR, including:
Assess your data/conduct
• Are you storing or processing personal data of any EU resident?
• Is your business marketing its goods or services in Europe or tracking European consumer behavior? Are any of your vendors doing so for you? (Do you know?)
Assess your data processing/storage practices
• What (if any) procedures do you have in place today for managing personal data, breach notification, etc.?
• Are they followed? (Do you know?)
For parties with potential obligations under GDPR:
Develop a Plan
• Assess and update data collection, retention, privacy and security policies
• Review relevant contracts with third parties
• Identify responsible individuals and outline tasks
• Appoint a data protection officer, if necessary
• Undertake appropriate communications and training within your organization
• Conduct regular data protection reviews/assessments
• Adopt “data protection by design” principles suitable to your business
With the GDPR effective date fast approaching, we recommend assessing immediately whether your business activities are subject to GDPR and, if so, taking proper steps to become compliant. As with any major new legal regime, much is unknown about how GDPR will impact businesses in the near term and how its provisions will be enforced. What does seem clear at this point, however, is that regulations governing European data privacy are becoming more exacting and complex. (See, e.g., the European Commission’s proposed Regulation on Privacy and Electronic Communications.) Forward-looking U.S. businesses are taking proactive steps to ensure they are not made an “example” by an aggressive European supervisory authority.
If you would like to discuss whether your business may be subject to GDPR and, if so, how to get ready for GDPR, please contact us.
Susan M. Kurz
Chief Marketing & Client Development Officer