You have probably heard something about the General Data Protection Regulation (“GDPR”), adopted last year by the European Union and effective May 25, 2018. It is the EU’s newest approach to protecting the privacy of personal data and to regulating the collection, use, sharing and storage of such data. What you may not have heard is that the GDPR will apply to your company even if it has no physical presence in the EU. The expanded territorial scope reaches any company, wherever it is established, that offers goods or services to individuals in the EU or that monitors the behavior of individuals in the EU (social media platforms being an obvious example), on the same terms as companies based in the EU. You also may not have heard what you need to do NOW to reduce your risk of legal challenges for non-compliance with the GDPR.
In view of the drastically expanded penalties for non-compliance, which can have a material financial impact (up to the greater of 20 million Euros or 4% of total worldwide annual turnover for the preceding financial year), this issue must be given a very high priority. Numerous arcane questions regarding interpretation of the rules will present themselves over the next several years. Nevertheless, good-faith, substantial compliance with the clear dictates of the regulation is possible and is likely to substantially reduce the likelihood of unwanted regulatory attention.
To this end, we suggest and are pleased to work with your team regarding:
- Address at Highest Level. Your Board of Directors (or LLC equivalent) and senior management need to formally work on (and document such work in formal corporate records) the development of a compliance strategy and direction/oversight of appropriate managers.
- Understand Expanded Coverage. One could plausibly argue that the EU Data Protection Directive, the predecessor of the GDPR, was EU-centric and had little impact on companies with only ‘incidental’ connections to the EU. That is no longer the case: even minimal dealings with individuals who are in the EU (whatever their citizenship or place of residence) may trigger claims that the rules apply. For example, even US website operators that target visitors in the EU or track their behavior need to be cognizant of and responsive to the potential implications.
- Designate Responsible Managers. Among other things, many organizations must (and others may want to) formally designate a qualified Data Protection Officer who is responsible for the organization’s data protection efforts. Designation is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data. The DPO must be vested with appropriate authority and resources, possess pertinent knowledge and training, report to the highest level of management, and have no other duties that would create a conflict of interest with his or her data protection duties for the company.
- Think Affirmatively … about Consent! Consent is only one of the lawful bases the GDPR recognizes for processing personal data (others include performance of a contract and the controller’s legitimate interests), but where you rely on it, the GDPR requires affirmative consent to the collection, use and storage of the personal data. As under the EU Directive, opt-outs will not work for personal data of individuals in the EU, and neither will a pre-checked box or mere silence. The request for consent must be presented in plain, clear language, separately from other matters, and must state the purposes for which the data will be collected and processed; the consent itself must be freely given, specific, informed and unambiguous. Consent must also be as easy to withdraw as it was to give, and you must be able to demonstrate that it was obtained.
- Better Due Diligence ... If you are contracting with a cloud, SaaS or similar provider to store or process personal data, you must expressly discuss the GDPR obligations with the provider, conduct a meaningful technical review of its security and data-handling practices (including where the data will be stored and who can access it), and confirm in writing its ability to take the steps the GDPR requires. The GDPR permits you to use only processors that provide sufficient guarantees of compliance, and a processor may not engage sub-processors without your authorization.
- … and Contracting Process. Your agreements with third parties need to contain robust warranties, covenants and indemnities pertaining to GDPR non-compliance and must expressly reference the GDPR. The GDPR itself prescribes minimum terms for any contract between a ‘data controller’ and a ‘data processor’, including processing only on the controller’s documented instructions, maintaining appropriate security, assisting with data subject requests and breach notification, and returning or deleting the data at the end of the engagement. Whether you are a ‘data controller’ or a ‘data processor’ within the meaning of the rules, you should expect your customers to demand such robust commitments from you, and you must demand them from your own vendors. Cyber-liability and errors and omissions insurance must be part of this discussion as well.
- M&A and Finance Protocol. The two preceding points must be taken into account if you are considering the purchase of or lending money to a business with any EU connections in the same manner as more traditional legal, accounting, contract and physical asset due diligence.
- Modify Web Policies. The new rules significantly expand the rights of individuals to know how their data is shared and used (including rights of access and data portability) and add a ‘right to be forgotten’ (the right to erasure), which in essence lets an individual require that links to his or her name be removed from web search results and that his or her records be deleted altogether, subject to limited exceptions. Public-facing privacy policies must be revised to reflect these rights and to state the lawful basis for processing, the retention period and the relevant contact details. Of course, there must be actual compliance with the revised policies, so systems and practices will have to be modified accordingly, including the ability to locate, export and delete an individual’s records on request within the one-month response period the rules allow.
- Consider Location/Relocation of Servers. Companies collecting large amounts of data pertaining to individuals in the EU may wish to consider where the relevant servers should be physically situated. Keeping the data within the EU may simplify compliance with the rules governing transfers of personal data to non-EU countries, by avoiding such transfers altogether. Bear in mind, however, that remote access to EU-hosted data by staff or systems outside the EU is itself generally treated as a transfer, and that hosting location alone does not satisfy the GDPR’s separate requirements for the security of processing.
While definitive governmental guidance in this area is presently sparse, and we will provide more specific guidance as authority emerges, the above are essential actions to be taken in the short run, and prior to May 25, 2018.