“GDPR – please not again …” In recent times there is hardly any other legal topic more often written and talked about than the new EU General Data Protection Regulation (“GDPR”).
In light of the severe penalties and with less than 100 days until the GDPR goes into full effect (on May 25th, 2018), it is time for U.S. companies to take steps to prepare. Below are some key points to consider and pragmatic to-dos to assist in assessing whether your organization is ready for GDPR compliance.
- GDPR may apply to U.S.-based companies with zero employees and no offices within the boundaries of the EU territory
While the EU Data Protection Directive of 1995 did not apply to businesses outside the EU territory, this is no longer the case under GDPR.
Now any business may be subject to the new law if it processes personal data of an individual residing in the EU; not even a single transaction needs to occur. As long as your data processing relates to offering services or monitoring behavior on the EU market of EU data subjects – the GDPR may apply to your U.S.-based business. The location of a consumer is the key term to identify whether an individual is deemed a “data subject in the Unio.” While”location” does not necessarily relate to the consumer’s legal “citizenship” or “residenc,” lawyers often use the term “residency” as a short hand way of referring to those people to whom the direction of services might trigger the application of the GDPR. If you have an establishment in the EU, GDPR applies in any case to your data processing.
- “Personal Data” under GDPR goes far beyond any similar terms under U.S. definitions
Personal Data under GDPR covers a broad spectrum from – for example – HR data, medical records, directly identifiable study data, key-coded data to health and race related data. The GDPR regulates how data is collected, stored, processed and deleted. Personal data covers any information relating to an identified or identifiable person including name, ID number and social identity, whether it is on social media posts, online contacts or mobile devices. Please note that even data which “on its face” does not contain personal data may be deemed personal data within the meaning of the GDPR provided such data can be linked to other databases available to your business which may identify an individual.
If you have not started yet, promptly audit your data and assess the risk of its processing by following these ten to-dos:
– 1 – identify all personal data you have collected;
– 2 – identify the source of the personal data;
– 3 – categorize whether the data is sensitive under GDPR;
– 4 – check the purpose of the collection of the data;
– 5 – determine whether a privacy notice was provided or consent was obtained;
– 6 – understand where the data will be stored;
– 7 – verify who has access to the data;
– 8 – identify whether security measures are in place and if so what they are;
– 9 – determine whether you need to appoint an EU representative and/or a Data Protection Officer and
– 10 – evaluate your IT systems to deal with data requests from your employees or other “data subjects.”
- Do you have an integrated team and a joint plan in place to ensure GDPR compliance?
Decision makers, C- level executives and board members should be aware of the changing law and its immediate impact on their organizations. Know and start updating your existing privacy policies and security procedures, know your data, set up an integrated team consisting of IT, HR and Legal to prepare a compliance plan across the business and think about communication with and training of your staff.
If you have not started yet, go carefully through the following ten to-dos:
– 1 – assess the risk of existing IT processes and security measures within your organization;
– 2 – take into account the new GDPR concepts “privacy by design” or “privacy by default” and the principle of data minimization;
– 3 – document your data protection concept and draw up a record of data processing activities;
– 4 – review and change existing declarations of consent and implement “opt-in” procedures;
– 5 – review and complement your privacy policies;
– 6 – conduct data protection impact assessments (DPIAs) prior to “high risk” data processing activities and when using new technologies;
– 7 – set up an action plan for data breaches which allows for due and timely notification of the respective data protection authorities and be aware of the 72-hour deadline;
– 8 – implement procedures for access and erasure requests by data subjects;
– 9 – review and adjust employee consents, respective collective shop agreements and
– 10 – be aware of mandatory consultation rights of employee representatives.
- Employers be aware of more administrative red tape and time-consuming alignment of DPOs and works councils
Far reaching consequences for employers around the globe cannot be ignored; new and substantial administrative red tape needs to be observed. Employees will have more and broader rights and easier data access whereas employers will likely face more frequent and extensive information requests. Also be aware, whenever GDPR related changes will affect data privacy at the work place, such changes need to be discussed and consulted with German works councils – always a time-consuming and often a highly political process.
Employers subject to the GDPR should immediately take steps to ensure that existing policies cover the following individual rights under the GDPR:
– 1 – right to be informed;
– 2 – right to access;
– 3 – right to rectification;
– 4 – right to erasure (“right to be forgotten”);
– 5 – right to restrict processing;
– 6 – right to data portability and
– 7 – right to object.
Be aware that in Germany even stricter rules regarding mandatory data protection officers (DPOs) exist and require compliance. This will result in communicating and dealing upfront with DPOs. Do not expect to obtain mandatory approval from the German works’ councils prior to any clearance by the DPO. They will – as a matter of practice – always seek DPO approval of any GDPR-related changes as far as they affect data privacy at the operational level.
- There will be significant fines should you fail to comply!
Fines for non-compliance with GDPR are calculated on a company’s global annual turnover of the preceding financial year up to 4% or € 20 million whichever is greater. Less important breaches such as failing to report a breach to the data protection authorities (DPAs) within 72 hours may result in a fine of the greater of 2% of the company’s global revenue of the prior year or € 10 million. Rest assured that DPAs will not spare extra-territorial businesses.