The compliance world will change dramatically for a number of GCC organizations on 25 May 2018. In just over one year’s time GCC organizations that:
- have a branch, subsidiary or single representative in the European Union (“EU”);
- do not have a physical presence in the EU, but offer goods or services to data subjects in the EU; or
- neither have a physical presence in the EU nor offer goods or services to people in the EU, but monitor the online behavior of data subjects in the EU,
will have to ensure that they are complying with the European Union General Data Protection Regulation (“GDPR”). Failure to do so by 25 May 2018 will expose such entities to fines of up to 20 million euros or 4% of a corporate group’s total annual worldwide turnover, whichever is higher.
Who is likely to be affected?
Based on the territorial scope test set out in the GDPR, the Regulation will likely apply to a significant number of entities in this region. Obvious examples include major airlines that fly to and from the EU, hotel and tourism operators that promote travel to the region to EU data subjects, and regional banks and other financial services companies that have branches in EU financial centres or serve EU customers online. Less obvious examples include e-commerce companies that accept payments in euros and deliver to the EU, and mobile apps that can be downloaded by users in the EU and that access a user’s contacts, photos or location data. All of these entities need to consider whether they will have to comply with the GDPR and be cognizant of the cost of failing to do so.
What if an organization is affected?
If your organization is affected it has three main options:
- do nothing (not advisable);
- consider what it needs to do to make sure that it does not fall within the scope of the GDPR; or
- accept that it does need to comply with the GDPR and start taking steps to comply with the GDPR straight away.
With respect to the second option, if your organization does not have an establishment in the EU and does not need to target or monitor EU data subjects, then simple things it can do to mitigate the risk of falling within scope include making it very clear that its website or app is not intended for EU users (for example, by geo-blocking EU data subjects). Geo-blocking on its own is unlikely to be decisive if the organization otherwise shows an intention to serve EU customers, for instance by accepting payment in euros or delivering to EU addresses; those signals should be removed at the same time.
With respect to the third option, if you have not yet started the process of ensuring compliance, there is a lot to do, but you still have until 25 May 2018 to do it. Our detailed client alert [Europe counts down to the General Data Protection Regulation] provides useful guidance on the compliance process, but in summary an organization will need to:
- review business-to-consumer practices, including conducting a data protection audit, examining the legal basis on which it processes personal data and updating its privacy policies;
- review internal business practices, including reviewing and updating agreements with data processors, implementing processes for pseudonymisation and privacy by design, and considering the legal basis on which it transfers personal data between jurisdictions;
- establish compliant accountability processes, including record keeping, appointment of a data protection officer or an EU representative where required, and handling requests from data subjects; and
- invest in infrastructure, including establishing robust security processes and procedures for notifying supervisory authorities and affected data subjects of a personal data breach, depending on its severity and impact on data subjects. Under the GDPR, the supervisory authority must generally be notified within 72 hours of the organization becoming aware of a breach, and data subjects must be notified where the breach is likely to result in a high risk to them, so the incident response process must be able to assess and escalate a breach within that window.
What next for GCC organizations that wish to comply with the GDPR?
Please read our previous client alert (see above) and http://www.globalprivacyblog.com for an initial understanding of what organizations should be doing by way of compliance. If your organization requires further assistance, our Data Privacy and Information Law team can help you prepare for the heightened compliance burden by 25 May 2018. We have developed a standard set of tools, policies and checklists and can tailor support for organizations at all levels, from start-up companies to complex multinationals. We can very quickly provide clients with the tools they need to manage compliance internally, e.g.:
- GDPR checklists
- framework GDPR policies
- template intra-group data transfer agreements
- GDPR-compliant processing clauses/agreements for appointing service providers
- Excel templates to gather information on records of processing
- framework policies for implementing privacy by design
- framework privacy impact assessments
We can also project manage clients’ GDPR compliance programs, including carrying out due diligence on existing agreements with data processors, updating contract templates to ensure they meet GDPR requirements, and implementing compliance audits and remediation programs.