In a little more than 100 days, a sweeping regulation known as the General Data Protection Regulation (GDPR) will go into effect across the European Union. The purpose of the GDPR is to update and modernize the scope of protections that are placed on “personal information” stored about individuals by certain entities. The regulations are broad and include significantly increased requirements and associated penalties for non-compliance. As but one piece of evidence regarding how seriously the EU is taking the GDPR, these new regulations are included within the broader “EU Charter of Fundamental Rights.”
A brief overview of the GDPR is provided below. Additionally, some explanation is also included as to why the GDPR is important even to U.S. only companies.
WHO IS AFFECTED BY THE GDPR?
The GDPR applies to “all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
In other words, if you store customer information, client information, sales-lead information, contact information, or other “personal data” about any person who resides in the European Union, you are responsible to abide by the GDPR with respect to any business operations that occur within the EU.
WHAT CONSTITUTES PERSONAL DATA?
In the United States, a more common term for sensitive data is “personally identifiable information” (PII). In the U.S., PII has historically been limited to data that is clearly linked to a particular person. For example, names, addresses, social security numbers, etc., have been treated as PII. Other information about individuals such as birthdates, telephone numbers, email addresses, etc., have traditionally been treated as non-sensitive information and has, subsequently, rarely been subject to regulation. Under the GDPR, personal data includes “any information related to a natural person that can be used to directly or indirectly identify the person.”
The inclusion of “indirect” data likely broadens the reach of protections dramatically. As data analytics technology improves, the ability to derive identifying information from sets of previously “non-sensitive” data has become easier and easier. For example, knowing only a birthdate, gender, and zip code can allow direct identification, by name, of large portions of a population. Likely because of this, the applicability of the GDPR is not based on any distinction between “sensitive” personal data and any other personal data.
WHAT IF I DON’T COMPLY?
The GDPR states that a company can be fined up to 4% of their total annual revenue (likely revenue derived within the EU for international companies) up to 20 million euros for failing to comply with the GDPR. While non-compliance is likely to only be discovered in conjunction with a breach or data incident, penalties under the GDPR are not limited to circumstances where data is exposed. Additionally, although the 20-million-euro maximum penalty is likely to be reserved for egregious and willful violations where actual data is exposed, penalties may also be levied simply for discovered non-compliance even without a known data exposure. As such, the penalties imposed by the GDPR represent a level not really seen before in any previous data privacy regulation regimes.
WHAT DOES THE GDPR REQUIRE ME TO DO?
The GDPR is broad and complicated. Some requirements vary depending on the degree to which you control, process, or store personal data. However, some general principles apply to all entities covered by the GDPR.
First, consent requirements have been strengthened – particularly, if you are collecting personal information (again, remember that the definition of this term has been broadened over historical meanings.) While the GDPR applies to all entities that collect any personal data, consent requirements do differ according to the type of personal data being collected. Generally, more sensitive data requires “explicit” consent to collect (e.g., specific consent for the particular data item to be collected). As such, a collection of more sensitive data must inherently be “opt-in.” Less sensitive data, however, requires only “unambiguous” consent. Regardless of the type of data being collected, the GDPR also requires that “opt-out” procedures be as clear and easy for a person to choose (even at a later date) as “opt-in” options are.
In practice, this means that covered entities likely need to revisit privacy policies, shrink-wrap/clickwrap provisions, contracts, and other disclosures to ensure both that the specific types of data that are collected are identified and, perhaps more importantly, that such documents are clear and easy for a person to understand. Additionally, entities should even be concerned about where those clauses are found within agreements, including potentially considering whether data collection provisions should be excised from larger agreements and separately presented to users to ensure that the “explicit” consent requirement is met.
Good practice also likely dictates that consent is periodically verified and updated to lessen the likelihood of assertions of non-consent if/when a data incident occurs.
Second, data breach reporting requirements have also been strengthened. Generally, the standard within the U.S. (mostly dictated by state law), is that breaches must be reported: “within a reasonable timeframe.” The GDPR introduces a role known as a “Data Protection Authority” (DPA). Any entity that experiences a loss of data (e.g., a breach, malfunction, inadvertent disclosure, etc.) is required to report the incident to their DPA within 72 hours of learning of the incident.
DPAs have been established in various EU member states to receive such reports. Typically, a French company reports the breach to the French DPA, and a German company to the German DPA. For entities covered by the GDPR but that are not organized with the EU (e.g., U.S. based corporations collecting personal data for EU residents), the reporting requirements are more complicated. The company may be required to report to the DPAs corresponding to the residencies of the people affected by the data incident. As such, incidents must be recognized and quickly analyzed to identify the proper DPAs to contact within the 72-hour reporting window.
Third, depending on the degree to which your company is involved in personal data collection and/or processing, you may be required to establish/assign a Data Protection Officer. In many cases, a DPO may serve multiple roles within an organization, but as the quantity and sensitivity of collected data increases, the more beneficial it may be to have a dedicated DPO assigned to track and manage data activities within your company.
Finally, while the GDPR is mostly a European Union concern, there are strong indications that similar shifts in data privacy regulations are likely to make their way into U.S. law either on a state-by-state manner (as has historically been the trend) or as some eventual Federal data privacy regulation. So, while the GDPR may not apply to your organization yet, it is likely that similar types of rules may eventually be required even for you. To that end, understanding the GDPR and proactively preparing your organization for eventual changes is likely good business strategy moving forward.