General Data Protection Regulation (“GDPR”)
In less than three weeks, the new General Data Protection Regulation (“GDPR”) will go into effect. Are you ready? More importantly, do you understand what the GDPR means and whether (or how) it might affect your company?
Starting on May 25, the GDPR will apply in each of the European Union’s 28 member states. Its aim is to protect the privacy and personal data of individuals in the EU in a world that has changed significantly since 1995, when the original Data Protection Directive was adopted. But while the GDPR is designed to improve and harmonize data protection law across Europe, its obligations also reach any U.S. company that handles the personal data of people who are in the EU, whether or not those people are EU citizens.
With new requirements on everything from data subject consent and breach notification to appointment of data protection officers, the GDPR isn’t a regulation to be taken lightly. Its major changes are as follows:
- Increased Territorial Scope – Arguably the biggest change from the 1995 Directive is the extended jurisdiction of the GDPR, which now applies to all companies that process the personal data of data subjects who are in the EU, regardless of the company’s location. Previously, the territorial scope was ambiguous. Now, not only does the GDPR apply to processing by controllers and processors established in the EU, but it also applies to the processing of personal data by controllers or processors located anywhere, provided that the processing relates to either (1) offering goods or services to data subjects in the EU (regardless of whether payment is required), or (2) the monitoring of their behavior that takes place in the EU. Either prong alone is enough.
- Appointment of a “Data Protection Officer” – Going along with the increased territorial scope, a non-EU business processing the data of people in the EU may also have to designate a Data Protection Officer (DPO). But which companies actually need to do this? The GDPR requires any controller or processor to appoint a DPO if its “core activities” require “regular and systematic monitoring of data subjects on a large scale,” or consist of large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions. All public authorities and bodies are subject to the DPO requirement regardless of what they process. Note that the test is based on what a company does, not on its size or ownership: a small or privately-held company whose core activities meet the criteria must appoint a DPO, and one whose activities do not should still assess its level of risk and document the decision. Companies of any size may use an external DPO under a service contract rather than appointing an employee, and one DPO can serve several companies (or a group of companies), provided he or she is easily accessible from each of them.
- Consent – The conditions for consent to collect personal data have been strengthened as well. Any request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, and must be clearly distinguishable from other matters (it cannot be buried in a longer terms-and-conditions document). Consent must be a clear affirmative act, so pre-ticked boxes, silence or inactivity do not count. It also must be as easy to withdraw consent as it is to give it, and once consent is withdrawn the data subject can require that the personal data be erased and no longer processed, unless the company has another lawful basis for keeping it (for example, a legal obligation to retain certain records).
- Penalties – The maximum fines for the most serious infringements are steep. Companies in breach of the GDPR can now be fined either (1) up to 4% of their total worldwide annual turnover for the preceding financial year, or (2) up to €20 million (approximately $24 million USD), whichever is greater. Second-tier fines for lesser offenses are up to 2% of worldwide annual turnover, or up to €10 million (approximately $12 million USD), whichever is greater.
- Rights of Data Subjects – Data subjects will have expanded rights under the GDPR, including the right to obtain confirmation that their personal data is being processed, and where and for what purpose it is being processed. Further, a data controller must provide a copy of the personal data to the data subject, free of charge, in a commonly used electronic format. The GDPR also writes “data protection by design and by default” (often called “privacy by design”) into the regulation itself, meaning that controllers must build data protection into their systems from the outset, hold and process only the personal data that is necessary for each specific purpose, and limit access to personal data to those who need it for the processing. And last but not least, notification of a personal data breach to the supervisory authority becomes mandatory unless the breach is unlikely to “result in a risk to the rights and freedoms of natural persons.” That notification must be made without undue delay and, where feasible, within 72 hours after the company becomes aware of the breach; if the breach is likely to result in a high risk to individuals, the affected data subjects must be told as well, without undue delay.
TERMS TO KNOW
Although the GDPR’s terminology is not new, its increased scope means that many more companies must understand what everything means. Here are some of the key phrases explained:
- Personal data – Any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (a social security number, for example), location data, an online identifier, or one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. The GDPR’s definition is thus broad enough to cover IP addresses, cookie identifiers and mobile device IDs, which are expressly treated as online identifiers that may make a person identifiable.
- Data subject – The natural person (not a company) whose personal data is collected.
- Data controller – A natural or legal person, public authority, agency or other body which, alone or in combination with others, determines the purposes and means of the processing of personal data.
- Data processor – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Data processing – Essentially, anything that is done to the personal data collected, whether it is by collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction, among other things.
WHAT SHOULD YOUR COMPANY DO?
Any U.S. based company with a large global presence – the type of business that handles a large amount of personal data of people in the EU and could face the stiffest fines for non-compliance – has been working for months to get its policies and procedures updated to comply with the GDPR. But the GDPR isn’t only for multi-national corporations. What if you have a small company that sells into Europe from time to time, or a business that markets goods or services to people in the EU?
1. Determine Your Role
First and foremost, determine what type of data your company might be collecting, and from where it is gathering the data. For a company with no establishment in the EU, the GDPR applies when it processes the personal data of data subjects who are in the EU at the time the data is collected, regardless of the company’s location and regardless of the data subject’s citizenship. Conversely, for EU citizens who are outside the EU when their data is collected by a non-EU company, the GDPR would not apply on this basis.
What does this actually mean? Not only does the GDPR pertain to any U.S. company that regularly does business in Europe and stores or processes data of people in the EU, it also applies to any U.S. company that has an Internet presence and markets its products or services to the EU over the web, regardless of whether a financial transaction or sale takes place. So if a company collects “personal data” of a person in the EU as part of a marketing survey, for example, then the data would have to be protected pursuant to the GDPR. The one caveat is that a company would actually have to target data subjects in an EU country. Passive marketing – where someone might just come across the company’s website by chance and fill out a form – does not by itself count; the mere accessibility of a website, or of an e-mail address, from the EU is not enough. But “targeting” can take a number of forms, including: offering the site in a language, or pricing in a currency, generally used in an EU member state (beyond the language and currency of the company’s own country); offering to deliver goods to the EU; mentioning customers or users in the EU; or using a URL that incorporates an EU member state’s domain. Separately, the monitoring prong is triggered by tracking the online behavior of people in the EU, for example through cookies or analytics used to profile visitors, even where no sale ever takes place. In other words, it might be better to assume that your company could be subject to the GDPR and put a compliance plan in place.
2. Determine What Your Obligations May Be
If the GDPR applies to your company, the next step is to determine whether you would be considered a “data controller” or a “data processor.” Generally speaking, a party that handles personal data on behalf of the data controller is known as a “data processor.” This could include anything as seemingly insignificant as, for example, storage of personal data on a third party’s servers. Control, not possession, of personal data is the factor that determines whether a party is a “data controller.” The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. It is possible, in certain instances, for a company to be both.
Under the GDPR, “data controllers” are required to do the following:
- Maintain a written record of its processing activities (the GDPR replaces the old requirement to notify the national authority before processing with this record-keeping duty) and, for processing that is likely to result in a high risk to individuals, carry out a data protection impact assessment and consult the supervisory authority beforehand if that risk cannot be reduced;
- Comply with European data protection principles, i.e., processing data fairly and lawfully, and using data for specific, legitimate purposes.
- Provide certain information to individuals about whom you hold personal data, i.e., your identity, details of the data you hold and what you plan to do with it.
- Implement technical and organizational measures to protect personal data against accidental loss/destruction, unauthorized access or other unlawful processing; and
- Enter into written agreements with data processors that require them to: (a) act only on your documented instructions; and (b) comply with the same security obligations as are imposed on you under the GDPR.
“Data processors” used to have far fewer regulations placed on them. The GDPR is changing that. Starting on May 25, a data processor will have to do the following:
- Maintain a record of all processing operations under their responsibility.
- Be treated as a controller (with a controller’s liability) in respect of any processing it carries out beyond the scope of the data controller’s documented instructions.
- Be directly responsible for implementing appropriate security measures.
- Inform the data controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own 72-hour notification deadline.
- Appoint a Data Protection Officer if certain criteria are met.
3. Prepare Accordingly – But Err on the Side of Caution
While some U.S. companies will want, or need, to appoint a Data Protection Officer (DPO), for others, GDPR compliance may not be as involved. The key point here, though, is “plan.” Much of a company’s compliance with the GDPR can take the form of an appropriate compliance plan for the personal data it is collecting. Human Resources, IT and either in-house or outside legal counsel should work together to create or update policies. Make sure data collection, retention and security policies address the key points of the GDPR – including how to update website content to clearly obtain consent – and that an incident response plan is in place to respond to a breach within the 72-hour window. Furthermore, follow up with any employees who may be involved in any of these activities and ensure they are appropriately trained to follow whatever plans are implemented. All of these actions can help mitigate the amount of a fine if a company is found to be in violation of the GDPR.
As an example, let’s say a small U.S. manufacturer did some business in the UK* but was hoping to increase its customer base there. So, it created content on its webpage that specifically marketed its products to UK residents, and set up a way to collect e-mail addresses of prospective UK customers who were interested in more information. At a minimum, the company would have to make sure that its webpage had an obvious, unticked “check the box” feature for consent, with a separate box for each distinct purpose (for example, one for the product information requested and another for ongoing marketing e-mails). The company also would have to include clear language on the website about what it would be doing with the e-mail addresses, and it could not rely on consent buried in a long, complicated “terms and conditions” document reached through a separate link. Then, the company would also want to take a look at its internal policies, to ensure that collected personal data was handled properly and kept secure – and that the appropriate employees knew what to do if a data breach was discovered.
(*Note: While the status of the United Kingdom as a member of the EU is up in the air, even if “Brexit” goes through, the UK has indicated it will still comply with the GDPR).
4. Prepare for “Data Subjects” to Make Requests Concerning Their Data
As discussed above, a data subject has the right to obtain confirmation from a company as to whether personal data concerning him or her is being processed and, if so, what data is held, why it is being processed, how long it will be kept and with whom it is shared. In other words, at any time, a customer can request a copy of this information, and a company must provide the first copy free of charge, normally within one month of the request, in a commonly used electronic format that is easy to read (the company may ask the requester to verify his or her identity first, and may charge a reasonable fee for further copies). The data subject also has the right to withdraw consent to having his or her information processed at any time, and a company must make the procedure for withdrawal as easy and obvious as it is to give consent. It also must make sure a data subject knows how to withdraw consent before he or she ever gives consent in the first place. And once a data subject withdraws consent, the data subject has the right to have his or her personal data erased, unless the company has another lawful basis for retaining it. Companies need to ensure that they can respond to any such request within the deadline, whether it is to provide information to a data subject or to erase that person’s data completely, which in practice means knowing where every copy of the data lives, including backups and copies held by processors.
WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?
Under the GDPR, as mentioned, the stiffest fine possible for a company in breach of the regulation is up to 4% of its total worldwide annual turnover or €20 million (approximately $24 million USD), whichever is greater. This tier applies to the most serious infringements, such as processing data without a valid legal basis (for example, without sufficient consent), violating the basic principles of processing, violating the rights of a data subject (such as not erasing information once consent is withdrawn), or transferring personal data outside the EU unlawfully. There is also a lower tier of fines for violations deemed less severe: a company could be fined up to 2% of its worldwide annual turnover or €10 million (approximately $12 million USD), whichever is greater, for failures such as not keeping its records of processing in order, not implementing appropriate security measures, or failing to notify the supervisory authority or data subjects about a breach. It is important to note that these rules apply to both controllers and processors, which also means that personal data stored in the “cloud” – for example, in services like Salesforce or Dropbox – remains subject to GDPR enforcement, against the provider acting as processor as well as against the company that put the data there.
But calculating a penalty is not necessarily cut and dried. Rather, a number of criteria will be considered when determining the amount of the fine on a company found to be in violation of the GDPR. They include the following:
- Nature of violation – the number of people affected, the damage they suffered, the duration of the violation, and the purpose for which the information was collected
- Intention – whether the violation of the GDPR is intentional or negligent;
- Mitigation – what, if any, actions were taken to mitigate the damage to data subjects;
- Preventative measures – how much technical and organizational preparation the company had previously implemented to prevent non-compliance;
- History – has the company had past violations, even under the previous data protection directive;
- Cooperation – how cooperative the company has been with the supervisory authority to remedy the violation;
- Data type – what types of personal data does the infringement impact;
- Notification – whether the infringement was proactively reported to the supervisory authority by the company itself, or whether it was reported by a third party;
- Other – whether there are any other aggravating or mitigating factors applicable to the case, such as financial benefits the company gained, or losses it avoided, directly or indirectly, as a result of the infringement.
All of the factors listed above should help alleviate a company’s concern – particularly smaller companies that are still trying to figure out how the GDPR may apply to them – that it will automatically be paying millions of dollars in fines for an unintentional violation. But while it remains to be seen exactly how the GDPR will be enforced, the new regulation makes it very possible that a company could find itself paying a hefty fee if it doesn’t take compliance seriously.