On May 25, 2018, Europe’s General Data Protection Regulation (GDPR) will go into effect, imposing new obligations on companies that market to, track, or handle the personal data of Europeans—whether or not those companies are in Europe.  For any company doing business in the EU (and any company that might have EU personal data in its databases), the GDPR is one of the most significant regulatory changes of the past several years.  Even companies that are not directly subject to the GDPR are likely to be asked to represent that they are GDPR compliant when acting as a vendor to organizations to which the regulations do apply.

A few of the GDPR’s general requirements include:

  • Data Protection by Design and by Default: Article 25 of the GDPR requires companies to take into account “the state of the art” and implement systems and technology to ensure that (i) data processing is limited to what is necessary for the purpose for which the data was collected; and (ii) only those within an organization who need to access personal data can do so.  Internal policies and possible measures suggested by the GDPR include:
    • Pseudonymising personal data as soon as possible.  Under Article 4(5), pseudonymisation means processing the data so that it can no longer be attributed to a specific individual without additional information (such as a key or lookup table) that is kept separately and protected by its own technical and organisational controls.
    • Data minimization: data processing should only use as much data as is required to successfully accomplish a given task. Data collected for one purpose cannot be repurposed for an incompatible purpose without a fresh lawful basis, such as further consent.
  • Designation of a Data Protection Officer (“DPO”): A DPO must be appointed, and his or her contact details communicated to the European supervisory authority, if the organization’s core activities involve regular and systematic monitoring of individuals on a large scale or the processing of sensitive (special category) personal data on a large scale.
  • “Right to be Forgotten”: Natural persons have a right to demand the erasure of personal data “without undue delay,” and where one of the grounds in Article 17 applies (for example, the data is no longer necessary for the purpose it was collected for, or the individual withdraws consent) the controller of the data has an obligation to comply.
  • Contractual Agreements / Consent: consent must be freely given, specific, informed and unambiguous if it is used as the lawful basis for data processing.
    • Businesses that record calls as a matter of practice will no longer be able to infer consent merely from a warning at the outset that the call is being recorded for training purposes.
  • Data Portability: Data that an individual has provided to a controller (including data that has been de-identified but can still be linked to that individual) must be made available to that individual in a structured, commonly used and machine-readable format so that it can be transferred from one electronic processing system to another.
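To make the pseudonymisation and data minimization measures above concrete, the following Python example (added here; it is not code from the original article or from any regulator) pseudonymises a customer identifier with a keyed HMAC and strips a record down to the fields an analytics job actually needs. The records, field names, the `analytics` domain tag and the key-handling functions are all assumptions for illustration. The example also shows why an unkeyed SHA-256 of an e-mail address is not pseudonymisation: anyone with a list of candidate addresses can rebuild the mapping, whereas the HMAC token cannot be reversed without the separately held key.

```python
"""Keyed pseudonymisation and field minimisation for customer records.

Added example, not code from the original article. The sample records,
field names, domain tags and key handling are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records (fictional people, not real data).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Smith", "postcode": "SW1A 1AA", "sku": "BOOK-1"},
    {"email": "bob@example.com", "name": "Bob Jones", "postcode": "EC1A 1BB", "sku": "PEN-7"},
    {"email": "alice@example.com", "name": "Alice Smith", "postcode": "SW1A 1AA", "sku": "PEN-7"},
]

# Fields the (assumed) analytics purpose genuinely needs; everything else is dropped.
ANALYTICS_FIELDS = ("sku", "postcode")


def generate_key() -> bytes:
    """Create a 256-bit pseudonymisation key.

    The key is the 'additional information' of Article 4(5): keep it in a
    secrets manager, separate from the pseudonymised dataset, and never ship
    it alongside the analytics output.
    """
    return secrets.token_bytes(32)


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier. This is NOT pseudonymisation:
    the mapping can be rebuilt from any candidate list of identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes, domain: str) -> str:
    """HMAC-SHA256 of a normalised identifier under a secret key.

    The domain tag is mixed into the input so that the same e-mail address
    yields different tokens in different datasets (e.g. 'analytics' versus
    'support'), which prevents joining those datasets without the key.
    """
    normalised = value.strip().lower()
    msg = f"{domain}\x00{normalised}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Optional[str]:
    """Simulate an attacker holding the tokens plus a list of likely
    identifiers, who re-tokenises each candidate and looks for a match."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), token):
            return cand
    return None


def minimise_for_analytics(record: Dict[str, str], key: bytes,
                           domain: str = "analytics") -> Dict[str, str]:
    """Keep only the permitted fields and replace the direct identifier
    with a keyed token, so repeat customers stay linkable without the
    dataset holding the e-mail address or name."""
    out = {field: record[field] for field in ANALYTICS_FIELDS if field in record}
    out["customer_token"] = pseudonymise(record["email"], key, domain)
    return out


def pseudonymise_records(records: Iterable[Dict[str, str]], key: bytes,
                         domain: str = "analytics") -> List[Dict[str, str]]:
    """Apply minimisation and pseudonymisation to a whole batch of records."""
    return [minimise_for_analytics(r, key, domain) for r in records]


if __name__ == "__main__":
    demo_key = generate_key()
    for row in pseudonymise_records(SAMPLE_RECORDS, demo_key):
        print(row)
```

Two design points are worth noting. First, the token is deterministic for a given key and domain, so the analytics job can still count repeat purchases by the same customer without ever seeing the e-mail address; changing the domain tag (or rotating the key) breaks linkage across datasets, which is what stops a leaked analytics extract from being joined to, say, a marketing list. Second, the candidate-list check demonstrates the failure mode of the unkeyed approach: a plain hash of an e-mail address is only as secret as the address itself.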

There is a wide range of best practices companies can implement to begin to comply with these requirements.  Most companies will want to begin by mapping information flows and identifying the processes and systems involved, in order to understand what personal data is collected, why it is collected, what it is used for, and who it is shared with.  Companies should then review their customer form agreements to ensure that customers affirmatively “opt in” and give their consent to the processing of their personal data.  They should also maintain a data incident response plan and a privacy policy, and review both periodically for GDPR compliance; in particular, the incident response plan should account for the Article 33 requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible.

Failure to comply with the GDPR comes with considerable risk: violations can result in fines of up to €20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover for the preceding financial year, whichever is greater.  The severity of these fines reflects an essential philosophical difference between the US and the EU in the area of data privacy and protection: the US seems more concerned with the integrity of data as a commercial asset, while the EU treats data privacy as a fundamental human right that takes priority over the interests of business.