This is a five-week series discussing the General Data Protection Regulation (GDPR) and its implications for US businesses and organizations.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is Regulation (EU) 2016/679, which has far-reaching authority applicable to entities in the U.S. and worldwide. It governs data protection for individuals in the EU regardless of where that data is processed or stored. It was adopted in April 2016 and will be enforced starting May 25, 2018.
Does GDPR apply to my organization?
In addition to EU organizations, GDPR covers organizations outside the EU that process data of an individual located in the EU in connection with goods and services offered to that individual, or those that “monitor” behavior of an individual in the EU. It also applies to organizations with EU “establishments,” which will likely be broadly interpreted to include almost any ongoing contact with the EU—whether it be employees or local agents. In short, if your organization does any business with the EU or with EU individuals, GDPR most likely applies to your organization.
Why does it matter if it applies to my organization?
For U.S. companies in particular, the GDPR represents a drastically more protective privacy regime than our own regulations. As detailed below, there are a number of specific requirements of the GDPR that will be challenging to implement.
If GDPR applies to my U.S. organization, what are some of its requirements?
The GDPR is based on a European view of privacy as a fundamental right. Some of the concepts reflected in the GDPR are:
Consent: Affirmative consent is required before processing an EU individual’s data. It has to be “freely given, specific, informed and [an] unambiguous indication of the data subject's wishes.” Further, data subjects must be able to withdraw consent at any time.
Lawful Processing and Storage Limitations: The collection and use of personal data is narrowly limited to what is necessary for the purpose for which it was collected. Further, the data should only be stored for as long as is needed to carry out that purpose.
Access to Data: Data controllers, upon request, must confirm if they are processing an individual’s data and provide a copy in a readily useable electronic format.
Right to be Forgotten: Also referred to as erasure, data subjects have the right to have their data erased. If the data subject’s data has been shared with others, the controller has to notify those parties of the request as well.
Breach Notification: Data controllers have just 72 hours after discovery to report a breach.
The above is a small selection of the provisions of GDPR, with a focus on those that could prove very challenging for companies that are under the purview of the GDPR. Many observers are predicting a widespread lack of compliance with GDPR at its outset. Nevertheless, GDPR authorities wield a big stick, with the ability to fine up to 20 million euros or 4% of a company’s global revenue, whichever is larger. Needless to say, the risk of non-compliance is daunting. If your organization has not considered GDPR’s applicability, the time to do so is now.