On May 25, 2018, the General Data Protection Regulation (GDPR), the European Union’s new data privacy and protection law, goes into effect. The most striking aspect of GDPR is that it applies not only inside the European Union but anywhere personal data of individuals located in the EU is being used or accessed. If that does not catch your attention, the fines for non-compliance – up to 4% of global revenue – certainly should.
Even at this late date, many companies are not close to being in full compliance with GDPR. This Article addresses some of the most important questions and concerns about GDPR faced by U.S. companies.
DOES THE GDPR APPLY TO U.S. COMPANIES?
Yes. GDPR applies to any U.S. company that accesses, collects or stores personal data of persons located in the EU or that markets goods or services to such persons. Also, if a U.S. based company has employees in the EU, then the company likely will have personal data of its EU employees in its U.S. locations.
WHAT INFORMATION DOES THE GDPR COVER?
GDPR applies to the “personal data” of persons located in the EU. “Personal data” is data that relates to “identified” or “identifiable” living persons (or “data subjects”). Examples of personal data include:
- a name
- a residence address
- a Social Security number
- an Internet Protocol (IP) address
- a credit card number
- GPS location data
WHAT DO SOME OF THE OTHER KEY TERMS IN GDPR MEAN?
- Data Controller – a person or entity that determines how personal data will be processed
- Data Processing – collecting, using, sharing, retaining, deleting personal data
- Data Subject – a data subject is a living person who resides in the EU
- Data Processor – a person or entity that processes personal data solely on behalf of, and as directed by, a data controller
WHAT ARE THE MAIN PRINCIPLES OF DATA PROTECTION UNDER GDPR?
GDPR lists the seven principles that govern data protection:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. For example, it must be clear to any data subject whose data you process how you are going to use their data. Among other things, U.S. companies will need to revise their Privacy Policies and/or adopt GDPR Compliance Statements.
- Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. When it comes to using someone’s personal data, you must say what you do, and do what you say.
- Personal data must be adequate, relevant, and limited to what is necessary to achieve those purposes. This principle means, quite simply, that you may not collect more personal data from a data subject than you need.
- Personal data must be accurate and kept up to date. You should provide data subjects with an easy way to keep track of their data and you should take affirmative steps to ensure that their personal data is current and accurate.
- Personal data must be stored no longer than necessary to achieve the purposes for which it was collected. This means that as soon as you no longer need the personal data for the original purposes, you must get rid of it. Many companies are having difficulties with this principle because in their opinion this principle is incompatible with data backup procedures. It may be exceedingly difficult to remove all traces of personal data from a system or network.
- Personal data must be properly secured against accidental loss, destruction, or damage. GDPR does not specify what steps a company must take to protect and secure data, but this principle makes it clear that companies should take appropriate steps to protect any personal data in their possession or control.
- Data controllers are responsible for and must be able to demonstrate compliance with the above stated principles. This is known as the “accountability principle.” GDPR places more emphasis on accountability than the prior “EU Data Directive.”
WHAT ARE THE CORE RIGHTS OF DATA SUBJECTS UNDER GDPR?
As a corollary to the seven principles discussed above, GDPR lists the following seven data subject rights:
- Right of Access. Data subjects have the right to obtain from a data controller a copy of the personal data that the data controller is processing about them, together with the right to know how and why their data is being processed and with whom it has been shared.
- Right to Rectification. Data subjects have the right to require a data controller to rectify inaccurate or incomplete personal data.
- Right to Be Forgotten. Data subjects have the right to require data controllers to erase all of their personal data.
- Right to Restriction of Processing. Data subjects can require a data controller to restrict processing of their personal data.
- Right to Data Portability. This right requires data controllers to make it easy for data subjects to take their personal data with them to another organization.
- Right to Object. Data controllers whose lawful grounds for processing personal data are legitimate business purposes must allow data subjects the right to object to the processing of their personal data. The data subject’s request must be respected unless the data controller has a more compelling interest in processing the personal data.
- Right to Object to Automated Decision-making. The GDPR provides that data subjects have the right not to be subject to a decision based solely on an automated process, including profiling.
WHAT IS THE REQUIRED NOTICE PERIOD FOR DATA BREACHES UNDER GDPR?
GDPR requires that data controllers notify appropriate governmental data protection authorities within 72 hours of a data breach. If the data breach “is likely to result in high risk to the rights and freedoms [of data subjects],” the data controller must notify affected data subjects without “undue delay.”
MUST DATA SUBJECTS CONSENT TO THE PROCESSING OF THEIR PERSONAL DATA IN ADVANCE?
Yes. Under GDPR, a data subject’s consent must be specific, freely given, informed, and not ambiguous. Most importantly, a positive opt-in is required and consent cannot be implied by inactivity (e.g. pre-ticked boxes, silence). Requests for consent must be separate from other contract terms and must be in clear, plain language.
WHAT ARE THE CONSEQUENCES TO A U.S. COMPANY FOR NOT COMPLYING WITH GDPR?
GDPR enables the European Data Protection Authorities to impose fines of up to 4% of global sales per violation or 20 million euros, whichever is greater, for violation of GDPR. But can EU authorities directly impose a fine on a U.S. company for violating GDPR? The current answer is “maybe.”
For U.S. companies with a physical presence in the EU, the GDPR can be enforced directly. Things are a bit murkier for companies without a physical EU presence. There currently is no EU-US negotiated civil enforcement mechanism for the GDPR to be enforced by U.S. authorities, but the EU and U.S. agencies have been cooperating in related areas in recent years. One example is the EU-US Privacy Shield, which governs the transfer of personal data from the EU to the U.S.
WHAT ARE THE KEY STEPS FOR A U.S. COMPANY TO BECOME GDPR COMPLIANT?
While a detailed list of compliance steps is beyond the scope of this Article, we recommend the following:
- Make a careful assessment of what kinds of EU personal data come into your organization, how you use that data, with whom you share it and how long you retain it.
- Become familiar with the requirements of GDPR and train your staff.
- Engage qualified legal counsel to help guide you through the compliance process.
- Evaluate whether your company is required to appoint a Data Protection Officer.