Articles

By:  Ed Patton

With President Donald Trump’s additional $200 billion dollars in trade tariffs on China now in effect, the focus turns to their impact. The tariffs, which began on Monday, encompass a wide variety of goods, ranging from seafood and vegetables to auto parts and construction material. And while they began at 10 percent, tariffs will increase to 25 percent on January 1, 2019. Effects of the tariffs will vary depending on what is purchased, with consumers seeing greater price increases on more expensive items such as televisions, cars, or homes and home renovations, due to increased costs on construction materials.

And businesses, some of which have been dealing with increased taxes on imports like steel and aluminum for months, will see costs increase further. The intent of tariffs is to help domestic companies by making their domestic product more affordable than the foreign alternative, but they don’t always have the desired effect. Manufacturers can end up being forced to lay off workers or increase prices for customers to offset their own price increases.

Whether President Trump’s latest tariffs on China will do anything to address the trade imbalance between the two nations remains to be seen; China responded by imposing penalties on $60 billion of U.S. products.

By:  Jen Horn

Companies that take reasonable cybersecurity precautions against data breaches will have a distinct advantage starting in November. That’s because Ohio’s Data Protection Act, which Governor John Kasich signed in August, formally takes effect November 2nd.

The Act, the first legislation of its kind in the country, creates a legal incentive for businesses that maintain a recognized cybersecurity program. (Other states, such as New York, require a certain level of compliance with cybersecurity standards, but don’t offer any incentive to do so). Provided that its cybersecurity plan conforms to a certain framework, a company may invoke a “safe harbor defense” in Ohio to a cause of action that alleges a failure to implement reasonable IT security controls that resulted in a data breach.

In order to qualify for this legal defense, the business must implement a written cybersecurity plan that clearly does the following:

• Protects the security and confidentiality of personal information;
• Protects against anticipated threats or hazards to the security or integrity of personal information; and
• Protects against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud.

This is not a one-size-fits-all type of plan. It may be based on a company’s size, the nature and scope of its activities, the sensitivity of any personal information protected under the cybersecurity program, and the cost and availability of tools to improve IS and reduce vulnerabilities.

The one thing that any cybersecurity program must do, however, is “substantially comply” with one of eight industry-recognized frameworks, which include:

• Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
• Federal Information Security Modernization Act;
• Federal Risk and Authorization Management Program’s Security Assessment Framework;
• Gramm-Leach-Bliley Act’s Safeguards Rule;
• Health Information Technology for Economic and Clinical Health Act;
• International Organization for Standardization (ISO)/International Electrochemical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards; and
• National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

The Act does not provide companies with blanket immunity to a data breach lawsuit, and businesses do still have the burden of proving that their cybersecurity program complies with the law’s requirements. But as long as a business can establish compliance, the Act gives it an affirmative defense to tort actions (including invasion of privacy and negligence) that it might be facing following a data breach that involves personal or restricted information.

As we advise clients time and again, no-one is immune from the threat of a data breach, and companies should approach data security as a question of when a breach will happen, not if. The new Act will give Ohio businesses an advantage if they take the time to evaluate things like what data they create, maintain, or share, and create a cybersecurity program that is appropriate for their company.

By:  Jen Horn

Q:       I keep hearing about various data privacy regulations being passed, but my company does not do business overseas. Should I still be thinking about doing anything, and if so, why?

 A:      Yes, absolutely! The General Data Protection Regulation (GDPR) that took effect in May arguably has gotten the most press because of its global reach and implications. But just because your business doesn’t operate on a global scale doesn’t mean that you shouldn’t be proactive in addressing data privacy and/or cybersecurity issues.

First and foremost, as discussed in the article above, Ohio recently approved legislation that will provide a legal incentive for businesses with a cybersecurity program meeting certain criteria. Because data breaches and cybersecurity issues have unfortunately become a matter of when, rather than if, the smartest thing you can do is make sure your company has a plan in place. And if you already have a plan in place, make sure you set aside time annually, at a minimum, to review and update it in order to ensure compliance.

Ohio isn’t the only state taking measures to address data privacy and cybersecurity issues, however. California also passed legislation, the California Consumer Privacy Act of 2018 (CCPA), at the end of June. This new regulation, which is the first major data privacy law passed in the United States, will formally take effect on January 1, 2020. The CCPA gives “consumers” – defined as natural persons who are California residents for tax purposes – several key rights with respect to their personal information:

• The right to know what personal information a business has collected on them, how it was collected, what it is being used for, and whether it is being disclosed or sold, and to whom;
• The right to “opt out” of having a business sell their personal information to a third party; and
• The right to have a business delete their personal information entirely, subject to some exceptions.

So why is the CCPA worth paying attention to? First, because it will affect an estimated 500,000 small to medium U.S. businesses – many of whom may not fall under the GDPR’s reach. But second, because California historically has been the first state to address privacy issues. In 2002, it became the first state to require notifications of data security breaches, and in 2004, it passed the first law requiring websites to have privacy policies. In other words, the CCPA could well be the first of many other state data privacy laws, or potentially even start the conversation on establishing national privacy legislation; it is a strong indicator of things to come.

Though the CCPA has been compared to the GDPR, don’t assume that being in compliance with GDPR means your company automatically complies with the CCPA – the two laws are not all that similar. For example, the CCPA defines “personal data” much more broadly, gives California consumers greater rights to access their personal data, and is stricter on data sharing for commercial purposes.

As things currently stand, the CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and (1) earn $25 million or more in annual revenue; or (2) hold the personal data of 50,000 or more California residents, households or devices on an annual basis; or (3) obtain at least half its revenue selling personal data of California residents.

Penalties for noncompliance with the CCPA are divided into two categories: Intentional and unintentional. Intentional violations are $7,500 per violation; unintentional violations are subject to a $2,500 fine per violation. Additionally, companies could be ordered in civil lawsuits to pay statutory damages between $100 and $750 per California consumer and incident, or actual damages – whichever is greater – on top of any other court-ordered relief.

For now, it would be wise for any business to start paying attention to how Ohio’s law is implemented in November, and to watch for changes to the CCPA prior to its 2020 execution. Furthermore, if you haven’t already, start tracking all personal information you might collect, use, and store, and what your corporate privacy policy says about personal information. Being proactive and assuming that the CCPA could become law across the country could save you significant time in the long run

By:  Jeff Embleton

WHITE PAPER

Continuing an effort to reverse or modify many of the employee and union-friendly policies promulgated by his predecessor, the NLRB’s General Counsel, Peter Robb, announced new guidance on handbook rules and policies following the NLRB’s decision in the Boeing Company (2017).

Many employers may recall that the former General Counsel of the NLRB, Richard Griffin, issued GC Memorandum 15-04 in March 2015 which resulted in most employers having to carefully review and revise handbook rules and policies in response to the Memorandum.  Griffin’s Memorandum also resulted in increased investigation enforcement activities by the various Regional Offices of the NLRB involving handbook rules and policies.  Specifically, in the GC Memorandum 15-04, the former General Counsel, following the Board’s decision in Lutheran Heritage Village – Livonia (2004) decided to emphasis the first prong of the three prong test announced in Lutheran Heritage:

Even if a rule does not explicitly prohibit Section 7 activity, however, it will still be unlawful if (1) employees would reasonably construe the Rule’s language to prohibit Section 7 activities; (2) the Rule was promulgated in response to union or other Section 7 activity; or (3) the Rule was actually applied to restrict the exercise of Section 7 rights.

Indeed, the new emphasis on the first part of the Lutheran Heritage standard resulted in number of enforcement charges against even facially neutral rules if the rule “could” be interpreted to have a chilling effect on employees and Section 7 rights.

However, under the Robb Memorandum, the new General Counsel said two very important things: (1) since the repudiation of the first prong of Lutheran Heritage in the Boeing Company case, the focus will now be on balancing the Rule’s impact on the employee’s ability to exercise their Section 7 rights and the Rule’s connection to the employer’s right to maintain discipline and productivity in the workplace; and (2) the Regions have been directed that ambiguities in Rules are no longer interpreted against the employer. In essence, the new guidance moves away from prohibiting rules that could be interpreted to impact Section 7 rights to reviewing the rules that would impact Section 7 rights. The Memorandum further described the three categories of Rules and how they will be reviewed:

Category 1. Rules that are Generally Lawful to Maintain.

 The Memorandum directs that these Rules are generally going to be considered lawful either because the Rule does not prohibit or interfere with the exercise of Section 7 rights or because the potential impact on Section 7 rights is outweighed by the business justification associated with the Rule. Interestingly, the Memorandum spends most of its focus on providing guidance on rules that will be considered lawful, even if they could cover Section 7 activity. Those Rules include:

1. Civility rules. Rules that regulate conduct in the workplace that has been a focus of attention by the former General Counsel and the Obama Board. For example, rules that regulate negative or disparaging remarks; rude behavior; offensive language and the like were fair game under the Obama Board. However, the new guidance makes clear that policies that are otherwise neutral will be considered lawful unless misapplied.
2. No-photography and no-recording rules. This was a very controversial area as the Obama Board took the position that any blanket rules prohibiting video or audio recording were, on their face, unlawful because they tended to chill employee’s rights to record protected activity. Under the new interpretation, “no-recording” rules will be considered lawful (unless used for unlawful reasons). In rationalizing the change in the interpretation, the General Counsel recognized the employer’s legitimate and substantial interest in limiting recording and photography on their property because of security concerns, protection of property, protection of proprietary, confidential and customer information, avoiding legal liability and maintaining the integrity of operations.
3. Rules against insubordination, non-cooperation or on-the-job conduct that adversely affects operations. After the issuance of GC15-03, rules that prohibited insubordination towards a manager or the company were universally held to be unlawful because they tended to chill employee’s Section 7 rights. However, under the new Memorandum, where the Rule prohibiting insubordination or lack of cooperation lacks any reference to Section 7 activity, the Rule will be considered lawful. The Memorandum was careful to note that there may be some activity that could warrant individual scrutiny, such as rules prohibiting disparagement or criticism of an employer. In other words, the rules may not be unlawful as written but may be unlawful as applied.
4. Disruptive behavior rules. Similar to the discussion above, rules that prevent “fighting, roughhousing, horseplay, tomfoolery, and other shenanigans” generally will be considered lawful as well as workplace rules that prohibit “yelling, profanity, hostile or angry tones, throwing things, slamming doors, waving arms or fists, verbal abuse, destruction of property, threats or outright violence.” However, rules that prohibit walk-outs may invite additional scrutiny.
5. Rules protecting confidential, proprietary, and customer information or documents. Rules that prohibit dissemination of the company’s or employee’s private information, trade secrets or other confidential information will generally be considered to be lawful under the new interpretation. Recognizing that “employers have an obvious need to protect confidential and proprietary information, as well as customer information,” the General Counsel concluded that on balance, the business justification outweighed any potential Section 7 concerns. However, rules that prohibit employees from discussing wages, benefits or working conditions will be considered on unlawful on their face.
6. Rules against defamation or misrepresentation. With the explosion of social media, many employers have been subject to damaging statements and criticism by some of their own employees. Under the new interpretation, blanket rules which prohibit defamatory, false or misleading statements about an employer will generally be considered to be lawful. The General Counsel felt that while blanket rules against defamation or misrepresentation may possible cover some Section 7 activity, it was concluded that a majority of the behavior is unrelated to the National Labor Relations Act and, on balance, the business need for such a rule outweighed any concern over the impact on Section 7 rights. Of course, even a facially neutral rule, if improperly or unfairly applied, can result in a violation of the National Labor Relations Act.
7. Rules against using employer’s logos or intellectual property. Rules that prohibit the use of the company logo or intellectual property without the company’s consent will not be considered to be lawful on their face.
8. Rules requiring authorization to speak for a Company. Recognizing employers have an interest in insuring that only authorized representatives speak for a company, rules that prevent employees from responding to media requests or prevent employees from commenting on behalf of an employer will generally be considered to be lawful on their face.
9. Rules banning disloyalty, nepotism or self-enrichment. Rules and policies that prohibit employees from engaging in conduct which is damaging to a company, disloyal to a company, competes with a company or interferes with the business of the company will be considered to be lawful.

Again, it is important to note that Category 1 Rules will be deemed to lawful on their face which is a change from the previous General Counsel’s interpretation. However, keep in mind that even facially neutral rules can result in violations of the NLRA if improperly applied.

Category 2. Rules Warranting Individualized Scrutiny.

 In describing this Category, the Memorandum gave several examples of rules that would require additional scrutiny to determine the legality of the rules. Examples include: rules regarding disparagement or criticism of an employer (as opposed to rules that prohibit disparagement of employees), rules generally restricting employee’s right to speak to media or third parties (as opposed to a rule that prohibits from speaking to a media on behalf of the employer), rules prohibiting making false or inaccurate statements (as opposed to rules prohibiting making defamatory statements).

These rules are more difficult to define, but also tend to be much broader in their context. These likely will be decided on a case-by-case basis.

Category 3. Rules that are Unlawful to Maintain.

This Category considers rules and policies unlawful that would prohibit or restrict protected activity under the National Labor Relations Act and where they impact on the Section 7 rights outweighs any business justification. Specifically, these rules include:

1. Confidentiality rules specifically regarding wages, benefits or working conditions. It has long be accepted that rules that prohibit employees from discussing salaries, wages, benefits or the terms and conditions of employment are unlawful. Likewise, rules that prohibit employees from disclosing to any “media source” information regarding an employer’s wages, benefits, or working conditions would be considered to be unlawful.
2. Rules against joining outside organizations or voting on matters concerning employer. This, of course, strikes to the heart of union organization and rules that prohibit such activity have universally been considered to be unlawful.

CONCLUSION

The General Counsel’s newly issued interpretation promises to offer clarification for employers and organizations and a clear road map for professionals who write and interpret these policies and rules. We think this also continues the trend under the Trump Board of pulling back and overturning many of the Obama Board decisions which favored employee and union rights over rights of employers.  However, we invite everyone to stay tuned as these cases unfold before the NLRB.

By:  Ken Smith

The Supreme Court of the United States recently issued a major decision in the case Epic Systems Corp. v. Lewis that upholds the rights of employers to require its employees to pursue individual arbitration for resolving employment disputes.

In Epic Systems, a company employee sought to file a lawsuit against his employer in federal court for failure to pay overtime wages under the Fair Labor Standards Act. The employee tried to file the case as a class action – in other words, on behalf of himself and similar employees who also were allegedly not paid overtime.  Traditionally, because individual claims generally don’t have high value, employees and their lawyers have filed class actions on behalf of a much larger group of employees to leverage settlements and increase legal fees. However, in this case,  the employee had signed an arbitration agreement that explicitly stated any claims relating to his employment would be subject to individual arbitration, and that any claims pertaining to different employees would be heard in separate arbitration proceedings. In other words, the agreements specifically prohibited class actions.

The employee challenged the arbitration agreement, in part, by alleging that the agreement violated the Fair Labor Standards Act. Specifically, the employee pointed to a part of the FLSA that allows for class action lawsuits and claimed that this conflicted with law authorizing the arbitration of employment disputes. The employee also alleged that forcing him to go to individual arbitration violated the National Labor Relations Act, which provides employees the right to engage in “concerted activities” for collective bargaining or other mutual aid or protection.

But the Supreme Court held that when Congress passed the Federal Arbitration Act in 1925, it evidenced a liberal federal policy favoring arbitration. In light of this policy favoring arbitration, the Supreme Court found that there was no conflict between the FLSA and the arbitration agreement. In order to escape from individual arbitration, the employee would have had to demonstrate that the arbitration agreement was entered into fraudulently, or that he was placed under duress when he signed the agreement, or that the agreement was so unfair that it should not be enforced. The employee did not claim any of those defenses.

Moreover, the Supreme Court found that the National Labor Relations Act focuses on the rights of employees to organize unions and bargain collectively. It does not say anything about class action lawsuits or that it overrules the Federal Arbitration Act.

Bottom line, the Epic Systems case is a strong endorsement from the Supreme Court that arbitration agreements are lawful and can be used for a wide variety of employment disputes. Even where employees seek to band together to bring a class action lawsuit in the court system, each employee who signed an arbitration agreement can instead be compelled to litigate his or her  claims in a separate arbitration proceeding. Epic Systems is a big win for employers who prefer the generally quicker, less costly arbitration process over being tied up in court. Employers are encouraged to consider arbitration clauses as part of their employment agreements and policies.

Mansour Gavin Shareholder John Monroe was recently quoted in a front-page article that appeared in the Cleveland Plain Dealer on August 12, 2018 regarding membership interest sales used to transfer title to real estate. When asked about recent legislative efforts to “close” the alleged legal loophole, Monroe opined that such efforts were “wrongheaded.” Monroe stated, “I’m not sure I see the need to close a loophole versus valuing property correctly.” He observed what many Northeast Ohio property owners have seen in their recent property revaluations, that “some properties in Northeast Ohio are dramatically undervalued while others are sharply overvalued, with little apparent logic.” Monroe suggested that “public officials should turn their focus away from entity sales and onto two things: better appraisals and broader tax reform.”

By:  Jim Budzik

Ohio’s public sector landscape will likely be changing dramatically, thanks to yesterday’s 5-4 U.S. Supreme Court vote in Janus v. American Federation of State, County, and Municipal Employees Council 31.  The Supreme Court overturned a 1977 decision that allowed “fair share,” or “agency,” fees to be collected from all public employees, regardless of whether they had joined a union. The rationale was that all employees benefitted from non-political activities, such as a union’s collective bargaining agreement or contract administration, even if certain employees were not members.

This ruling now means that non-union members in approximately two dozen states – Ohio being one of them – cannot be forced to pay fees to unions that represent public employees. Until yesterday, a public employer whose employees were represented by a union could require any employee to pay fees to the union where the collective bargaining agreement authorized such deductions.

The case was initially brought by Mark Janus, an Illinois public employee – and non-union member – who sued the American Federation of State, County and Municipal Employees Council 31 over the collection of fair share fees. Janus’s position was that the Illinois statute that allowed for the collection of such fees violated his right to free speech and free association under the U.S. Constitution’s First Amendment.

In siding with Janus, however, the Court stated that while the ruling “may cause unions to experience unpleasant transition costs in the short term,” that had to be weighed against all of the funds taken from non-union employees and transferred to public sector unions. This ruling now deprives unions of a key revenue stream, and could affect their ability both to attract new members and spend in political races.

Unions, which won both in district court and in the Seventh Circuit before the case was appealed to the Supreme Court, had argued in favor of keeping the fair share fees requirement for the following reasons:

• Illinois law regarding collective bargaining includes non-political issues, such as wages, hours, vacations, parking; therefore, political lobbying is not implicated.
• Agency fees are imperative, because ruling in favor of Janus would significantly increase the number of free riders and it would be impossible to adequately fund the activities needed to fully represent constituents and all bargaining unit employees. Inasmuch as unions have to represent all bargaining unit members, union dues paying members should not have to subsidize non-paying members.

Specifically in Ohio, the Court’s ruling means that Ohio House Bill 53, introduced in late 2017, now will change parts of Ohio’s collective bargaining law. The law currently allows a contract to contain a fair share fee provision. That provision is now invalid. House Bill 53 may also eliminate the “free rider” argument, because the bill would require employee organizations to only represent employees who are dues-paying members of the exclusive representative. Thus, only public employees in an appropriate bargaining unit who are members of the union would be eligible to collectively bargain with the Ohio public employer.

Finally, collective bargaining agreements would govern the wages and working conditions of only the employees who are members of the union. This could result in employees in the same job classification receiving different compensation and benefits, because union employees would be subject to the contract, while non-union employees would be subject to wages and working conditions set by the public employer.

The Janus ruling certainly stands to result in a measurable impact for a number of states, including the prohibition of fair share fees in public sector contracts across the United States.

In other words, stay tuned for further developments in the area.

By:  Jeff Embleton

The new General Counsel of the National Labor Relations Board, appointed by President Donald J. Trump, rolled back controversial handbook rules promulgated under the Obama Board. General Counsel Peter Robb has announced new guidelines on interpretation of handbook policies and rules. These new guidelines overturn a number of controversial decisions under the Obama Board that found facially neutral policies unlawful because of a “possible” chilling effect those rules might have on employees’ rights under Section 7 of the National Labor Relations Act. The new guidelines give greater clarity to businesses, HR professionals, and legal advisors who are responsible for writing, maintaining and interpreting handbook policies and rules. The Memorandum issued by Robb specifically repudiates the former General Counsel’s attack on employer handbooks which resulted in increased enforcement efforts against businesses for handbook violations. A white paper describing the Memorandum is available here for further review.

For months, you likely have been seeing articles or receiving e-mails on the topic of the European Union’s (EU) new privacy regulations, termed the General Data Protection Regulation (GDPR), which go into effect on May 25^th. You may have skimmed them, or you may have hit “delete,” thinking they don’t apply to your small business. But are you sure?

The GDPR is designed to improve and harmonize data privacy laws across Europe, and will apply in each of the EU’s 28 member states. Unlike its predecessor law, however, the GDPR’s obligations extend to any U.S. company that handles the personal data of EU citizens. This would include, for example, any U.S. company that has an Internet presence and markets its products or services over the web, regardless of whether a financial transaction or sale takes place. So if your company collects “personal data” of an EU citizen even as part of a marketing survey, for example, then the data would have to be protected pursuant to the GDPR. And personal data can be something as simple as someone’s name, e-mail address or mobile device ID.

Along with the GDPR’s increased territorial scope, there are also other key changes that U.S. companies should be aware of:

Consent – The requirements for consent to collect personal data have been strengthened. Any request for consent now must be given in an intelligible and easily accessible form, and must be clear and distinguishable from other matters. It also must be as easy to withdraw consent as it is to give it, and once consent is withdrawn, any “data subject” (the person whose data is being collected) also has the right to have his or personal data completely erased.

Rights of data subjects – A data subject now has the right to ask for confirmation that their personal data is being processed, where, and for what purpose. Further, any data subject can request, and a company must provide, a copy of the personal data to him or her, free of charge, in an electronic format. Additionally, notification of a data breach will become mandatory if the breach is likely to “result in a risk for the rights and freedoms of individuals.” Under that scenario, notification must occur within 72 hours after a company becomes aware of the breach.

Penalties – Last but not least, the maximum fines for the most serious infringements are steep. Companies in breach of the GDPR can now be fined either (1) up to 4% of their annual global revenue or (2) up to €20 Million (approximately $24 million USD), whichever is greater. Second tier fines for lesser offenses could be either (1) up to 2% of a company’s annual global revenue, or (2) up to €10 Million (approximately $12 million USD).

While all of this may seem imposing, the reality is that many small companies can comply with the GDPR’s regulations simply by having a good plan in place. What are three basic steps to take?

• First, evaluate what personal information your company might be collecting, via its website or otherwise, and err on the side of caution that it could include data of EU citizens.
• Second, ensure any website content clearly asks for consent, and provides information on how consent may be withdrawn.
• Third, review, update, and/or create a comprehensive internal policy that covers privacy, data protection, and a process to follow in the event of a data breach. A comprehensive policy should be reviewed by members of your HR, IT, and marketing teams, as well as your legal counsel. It also would be a good idea to schedule an annual review of your policy, because certain aspects of the GDPR will become more clear as the regulation is implemented and interpreted.

For a more in-depth look at the GDPR, please click here to access a more comprehensive publication on the topic. If you have any questions, or would like to discuss the applicability of the GDPR to you or your company, please do not hesitate to contact Jennifer Horn, Brendon Friesen or Ed Patton in our Corporate Law and Business Services Group at (216) 523-1500.

In less than three weeks, the new General Data Protection Regulation (“GDPR”) will go into effect. Are you ready? More importantly, do you understand what the GDPR means and whether (or how) it might affect your company?

Starting on May 25, the GDPR will apply in each of the European Union’s 28 member states. The GDPR’s aim is to protect all EU citizens from privacy and data breaches in a world that has changed significantly from 1995, when the original Data Protection Directive was implemented. But while the new GDPR is designed to improve and harmonize data privacy laws across Europe, its obligations now extend to any U.S. company that handles the personal data of EU citizens.

KEY CHANGES

With new requirements on everything from data subject consent and breach notification to appointment of data protection officers, the GDPR isn’t a regulation to be taken lightly. Its major changes are as follows:

• Increased Territorial Scope – Arguably the biggest change from the 1995 Directive is the extended jurisdiction of the GDPR, as the GDPR now applies to all companies that process the personal data of data subjects who reside in the EU, regardless of the company’s location. Previously, the territorial scope was ambiguous. Now, not only will the GDPR apply to any data collected in the EU, but it will also apply to the processing of personal data by controllers or processors located anywhere, provided that the data collection relates to: (1) offering goods or services to EU citizens (regardless of whether payment is required), and (2) the monitoring of behavior that takes place in the EU.
• Appointment of a “Data Protection Officer” – Going along with the increased territorial scope, any non-EU business processing the data of an EU citizen could also have to designate a specific Data Protection officer (DPO). But which companies actually need to do this? The GDPR states that any controller or processor of data must appoint a DPO if their “core activities” require “regular and systematic monitoring of data subjects on a large scale. All public companies are subject to the DPO requirement. However, privately-held and/or small companies have some flexibility; they need to evaluate their level of risk and decide whether a DPO might be necessary. Privately-held and smaller companies would also have the option of using a DPO in the form of a purchased service over appointing a specific person for the role; one DPO can serve multiple companies.
• Consent – The conditions for consent to collect personal data have been strengthened as well. Any request for consent must be given in an intelligible and easily accessible form, and must be clear and distinguishable from other matters. It also must be as easy to withdraw consent as it is to give it, and once consent is withdrawn, data subjects also have the right to have their personal data completely erased and no longer used for processing.
• Penalties – The maximum fines for the most serious infringements are steep. Companies in breach of the GDPR can now be fined either (1) up to 4% of their annual global revenue, or (2) up to €20 Million (approximately $24 million USD), whichever is greater. Second tier fines for lesser offenses could be either (1) up to 2% of a company’s annual global revenue, or (2) up to €10 Million (approximately $12 million USD).
• Rights of Data Subjects – Data subjects will have expanded rights under the GDPR, including the right to ask for confirmation that their personal data is being processed, and where and for what purpose it is being processed. Further, a data controller must provide a copy of the personal data to the data subject, free of charge, in an electronic format. The GDPR also introduces the concept of “privacy by design” into the new regulation, meaning that controllers are to hold and process only the personal data that is absolutely necessary, and must limit access to personal data only to those involved in the processing. And last but not least, notification of a data breach will become mandatory if the breach is likely to “result in a risk for the rights and freedoms of individuals.” Under that scenario, notification must occur within 72 hours after a company becomes aware of the breach.

TERMS TO KNOW

Although the GDPR’s terminology is not new, its increased scope means that many more companies must understand what everything means. Here are some of the key phrases explained:

• Personal data – Any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as their name, social security number, address, e-mail address, or other factors specific to the person’s genetic, physical, cultural or social identity. The GDPR actually has expanded the definition of personal data to include IP addresses and mobile device IDs.
• Data subject – The natural person (not a company) whose personal data is collected.
• Data controller – A natural or legal person, public authority, agency or other body which, alone or in combination with others, determines the purposes and means of the processing of personal data.
• Data processor – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
• Data processing – Essentially, anything that is done to the personal data collected, whether it is by collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction, among other things.

WHAT SHOULD YOUR COMPANY DO?

             Any U.S. based company with a large global presence – the type of business that handles a large amount of personal data of EU citizens and could face the stiffest fines for non-compliance – has been working for months to get its policies and procedures updated to comply with the GDPR. But GDPR regulations aren’t only for multi-national corporations. What if you have a small company that might sell into Europe from time to time, or what if your business does market goods or services to EU citizens?

1.     Determine Your Role

First and foremost, determine what type of data your company might be collecting, and from where it is gathering the data. The GDPR applies to all companies that process the personal data of data subjects residing in the EU when the data is collected, regardless of the company’s location.  For EU citizens who are outside the EU when their data is collected, though, the GDPR would not apply.

What does this actually mean? Not only does the GDPR pertain to any U.S. company that regularly does business in Europe and stores or processes data of EU citizens, it also applies to any U.S. company that has an Internet presence and markets its products or services over the web, regardless of whether a financial transaction or sale takes place.  So if a company collects “personal data” of an EU citizen as part of a marketing survey, for example, then the data would have to be protected pursuant to the GDPR. The one caveat is that a company would actually have to target a data subject in an EU country. Passive marketing – where someone might just come across the company’s website by chance and fill out a form – does not count. But “targeting” can take a number of forms, including: using any language of an EU country on the website; offering to deliver goods to the EU; or using a URL that incorporates an EU member state’s domain.  In other words, it might be better to assume that your company could be subject to the GDPR and put a compliance plan in place.

2.     Determine What Your Obligations May Be

If the GDPR applies to your company, the next step is to determine whether you would be considered a “data controller” or a “data processor.” Generally speaking, a party that handles personal data on behalf of the data controller is known as a “data processor.” This could include anything as seemingly insignificant as, for example, storage of personal data on a third party’s servers. Control, not possession, of personal data is the factor that determines whether a party is a “data controller.”  The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. It is possible, in certain instances, for a company to be both.

Under the GDPR, “data controllers” are required to do the following:

• Notify the relevant national authority before carrying out any data processing
• Comply with European data protection principles, i.e., processing data fairly and lawfully, and using data for specific, legitimate purposes.
• Provide certain information to individuals about whom you hold personal data, i.e., your identity, details of the data you hold and what you plan to do with it.
• Implement technical and organizational measures to protect personal data against accidental loss/destruction, unauthorized access or other unlawful processing; and
• Enter into written agreements with data processors that require them to: (a) act only on your instructions; and (b) comply with the same security obligations as are imposed on you under the applicable national legislation.“Data processors” used to have far fewer regulations placed on them. The GDPR is changing that. Starting on May 25, a data processor will have to do the following:
• Maintain a record of all processing operations under their responsibility.
• Be deemed to be a joint controller in respect of any data processing that it carries out beyond the scope of the data controller’s instructions.
• Be directly responsible for implementing appropriate security measures.
• Inform a data controller immediately of any data breach.
• Appoint a Data Protection Officer if certain criteria are met.

3.     Prepare Accordingly – But Err on the Side of Caution

While some U.S. companies will want, or need, to appoint a Data Protection Officer (DPO), for others, GDPR compliance may not be as involved. The key point here, though, is “plan.” Much of a company’s compliance with the GDPR can take the form of an appropriate compliance plan for the personal data it is collecting. Human Resources, IT and either in-house or outside legal counsel should work together to create or update policies. Make sure data collection, retention and security policies address the key points of the GDPR – including how to update website content to clearly obtain consent – and that an incident response plan is in place to respond to a breach. Furthermore, follow up with any employees who may be involved in any of these activities and ensure they are appropriately trained to follow whatever plans are implemented. All of these actions can help mitigate the amount of a fine if a company is found to be in violation of the GDPR.As an example, let’s say a small U.S. manufacturer did some business in the UK* but was hoping to increase its customer base there. So, it created content on its webpage that specifically marketed its products to UK citizens, and set up a way to collect e-mail addresses of prospective UK customers who were interested in more information. At a minimum, the company would have to make sure that its webpage had an obvious “check the box” feature for consent. The company also would have to include clear language on the website about what it would be doing with the e-mail addresses, and it could not ask anyone to click on a separate link containing a long, complicated “terms and conditions” document. Then, the company would also want to take a look at its internal policies, to ensure that collected personal data was handled properly and kept secure – and, that the appropriate employees knew what to do if a data breach was discovered. (*Note: While the status of the United Kingdom as a member of the EU is up in the air, even if “Brexit” goes through, the UK has indicated it will still comply with the GDPR).

4.     Prepare for “Data Subjects” to Make Requests Concerning Their Data

As discussed above, a data subject has the right to obtain information from a company as to whether personal data concerning him or her is being collected, why it is being collected, and how it is being stored. In other words, at any time, a customer can request a copy of this information, and a company must provide it free of charge in an electronic format that is easy to read. The data subject also has the right to withdraw consent to having his or her information collected at any time, and a company must make the procedure for withdrawal as easy and obvious as it is to give consent. It also must make sure a data subject knows how to withdraw consent before he or she ever gives consent in the first place. And once a data subject withdraws consent, the data subject has the right to have his or her personal data erased completely. Companies need to ensure that they can be responsive to any request, whether it is to provide information to a data subject, or to erase any information on a data subject completely.

• But calculating a penalty is not necessarily cut and dry. Rather, a number of criteria will be considered when determining the amount of the fine on a company found to be in violation of the GDPR. They include the following:
• Under the GDPR, as mentioned, the stiffest fine possible for a company in breach of the regulation is up to 4% of its annual global revenue or €20 Million (approximately $24,294,980.00), whichever is greater. This amount would be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating any of the rights of a data subject, such as not erasing information once consent is withdrawn. However, there is also a lower tier of fines that could be assessed for a violation deemed less severe. Alternatively, a company could be fined up to 2% of its annual global revenue or €10 Million (approximately $11,975,400.00) for not having its personal data records in order, or failing to notify a data subject about a breach. It is important to note that these rules apply to both controllers and processors, which also means that any personal data stored in the “cloud” – for example, programs like Salesforce and Dropbox – will also be subject to GDPR enforcement.

WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?

• Nature of violation – the number of people affected, the damage they suffered, the duration of the violation, and the purpose for which the information was collected
• Intention – whether the violation of the GDPR is intentional or negligent;
• Mitigation – what, if any, actions were taken to mitigate the damage to data subjects;
• Preventative measures – how much technical and organizational preparation the company had previously implemented to prevent non-compliance;
• History – has the company had past violations, even under the previous data protection directive;
• Cooperation – how cooperative the company has been with the supervisory authority to remedy the violation;
• Data type – what types of personal data does the infringement impact;
• Notification – whether the infringement was proactively reported to the supervisory authority by the company itself, or whether it was reported by a third party;
• Other – whether there are any other aggravating or mitigating factors; this could include the financial impact on the company as a result of a fine imposed.

All of the factors listed above should help alleviate a company’s concern – particularly smaller companies that are still trying to figure out how the GDPR may apply to them – that it will automatically be paying millions of dollars in fines for an unintentional violation. But while it remains to be seen exactly how the GDPR will be enforced, the new regulation makes it very possible that a company could find itself paying a hefty fee if it doesn’t take compliance seriously.