Starting May 25, 2018, U.S. companies who sell products or services in the European Union must ensure compliance with another data privacy law—this time from across the Atlantic. If your business touches Europe, you have likely heard of the EU’s General Data Protection Regulation (“GDPR”). The GDPR seeks to harmonize EU Member States’ patchwork of regulations protecting personal data, and account for technology changes that impact data collection, storage, and use. The GDPR broadly defines “personal data” as information, in any form, that can directly or indirectly identify a natural person. This expansive definition of personal data coupled with other requirements that exceed the scope of existing U.S. privacy laws means U.S. companies are going to need to examine and modify their data protection policies—or face significant penalties for non-compliance.
The GDPR, passed in 2016 and effective on May 25, 2018, supersedes the 1995 Data Protection Directive, an EU regulation which regulates the processing of personal data. Some of the major changes include:
- Extra-territorial Scope. The GDPR applies to all companies that process personal data of individuals who reside in the European Union. Does your business rely on the internet to sell goods or services? If so, you probably have EU residents using your website, and if you are collecting or storing their information the GDPR pertains to you.
- Increased Penalties. Failure to comply with the GDPR may be expensive. Some of the lesser penalties include warnings and reprimands, or temporary or permanent bans on data processing. Higher penalties include fines of €10million or 2% of the total worldwide annual turnover (whichever is higher), for neglecting the organization’s obligations, including actions taken after a data security breaches. A direct infringement of an individual’s privacy rights can result in larger penalty of €20million or 4% of the total worldwide annual turnover (whichever is higher).
- Requirements for Gaining Consent. Companies collecting personal data must first obtain the data subject’s consent. A request for consent must be freely given, specific, informed and unambiguous. The days of pre-ticked boxes, “silence as consent,” or consent by inactivity are over. These new rules also allow a person to withdraw their consent at any time and in an easy and user-friendly way. This change is significant, and will be covered in detail in a subsequent blog post.
- Mandatory Data Breach Notifications. Companies will have 72 hours to notify the Member State’s Supervisory Authority if a data breach is likely to risk the rights and freedoms of individuals.
- The Individual’s Right to Access Collected Personal Data. The GDPR allows individuals the right to request, and receive, information about whether, where, and why a company is processing their personal data. This rule also requires companies to provide an electronic copy of the data processed to individuals free of charge.
- Privacy By Design. Privacy by design essentially requires that systems that collect personal information be designed with privacy requirements in mind. This concept, which focuses on preventative rather than remedial protection of data, is not new or unique to the GDPR. Compliance issues may lurk, however, because the phrase is undefined in the GDPR and exact requirements are not enumerated.
- Data Protection Officer (“DPO”). The GDPO requires that public authorities and companies that systematically process and monitor data subjects on a large scale, or who process certain classes of data subjects appoint a DPO. The DPO will be responsible for helping companies ensure appropriate policies and procedures exist to deal with transparency, accountability, and provisions protecting individuals’ rights. Obvious examples types of companies that would be required to appoint a DPO include Google and Facebook, but whether a company processes or monitors data on a sufficiently large scale to trigger the DPO requirement remains ambiguous under the regulation.
Compliance with the GDPR is daunting task for many companies because it imposes new requirements on organizations to minimize the risk of a data breach and maximize the security of personal information. But there is some good news. A careful examination of the GDPR reveals simpler ways to ensure compliance. Please review Ward & Berry’s future postings about how companies can comply with GDPR with minimal changes to their existing policies.