The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, replacing the 1995 Data Protection Directive, and will mark a fundamental change in the legislative framework for the use and protection of personal data in European Union (EU) countries.
Who is affected by GDPR?
The GDPR applies to every organization, regardless of size, that processes the personal data of individuals located in the EU. Importantly for U.S. businesses, even if your organization has no establishment in the EU, you likely will need to comply with the GDPR if you offer goods or services (whether or not payment is required) to individuals in the EU, or monitor their behavior there, for example by tracking visitors to a website. These individuals need not be customers or clients.
What is personal data?
Personal data comprises “any information relating to an identified or identifiable natural person.” Identification (or identifiability) can arise not only from names and state- or employer-issued identification numbers, but also from dynamic IP addresses, geo-location data, cookies and other online identifiers, among others. The GDPR also expands the scope of heavily regulated “special” categories of particularly sensitive data, such as racial or ethnic origin, religious beliefs, health, and genetic and biometric information.
What are the rights and obligations with regard to personal data?
The GDPR’s provisions are mandatory and grant individuals numerous rights, including those to transparent communication, erasure (the right to be forgotten), and data portability (i.e., transfer from one data controller to another). These rights may be exercised and enforced not only by individuals but by organizations acting on behalf of individuals.
Obligations under the GDPR fall principally upon data controllers and processors. A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of the controller. For example, an employer would typically act as data controller for employees’ personal data. The employer might engage a payroll-administration firm to act as processor. The roles depend on the processing in question rather than on the entity: the same organization can be a controller for some processing and a processor for other processing, and two or more organizations can act as joint controllers.
The controller, and by extension the processor, must process in accordance with principles of lawfulness, fairness and transparency; limited purposes; data minimization (collecting and using only that data necessary for the lawful and limited purpose); accuracy; storage limitation (i.e., timely erasure); and integrity and confidentiality. The GDPR further requires controllers to be able to demonstrate compliance. Controllers and processors must also implement appropriate technical and organizational security measures, which the GDPR says may include pseudonymization and encryption, and controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals. Certain organizations, including public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, must appoint an independent data protection officer.
How important is compliance?
Compliance with the GDPR must be a strategic priority for companies and businesses. Fines for the most serious infringements can amount to as much as the greater of 4% of total worldwide annual turnover for the preceding financial year or 20 million EUR; a lower tier of 2% or 10 million EUR applies to other violations.
The GDPR requires each EU member state to establish a data protection authority (DPA). Some data controlling/processing will occur in more than one EU member state. To prevent a regulatory free-for-all among DPAs, the GDPR establishes rules for designating the lead DPA with respect to a controller/processor, based on the location of its main establishment in the EU.
What does my company need to do?
The GDPR creates a vast and, in places, vague regulatory structure with massive penalties. This structure will push controllers and processors toward approved standard contractual clauses, codes of conduct and certification mechanisms, which, although voluntary, are the clearest way to demonstrate compliance. Non-EU controllers and processors therefore have three immediate tasks:
- Perform a complete data inventory to identify the information currently being collected and used. Architecture and processes must be brought into GDPR compliance to the best of the controllers’ and processors’ ability.
- Monitor and quickly adopt officially approved/sanctioned best practices to enjoy any safe harbors regulators afford.
- Consider, where applicable, creating a limited-liability establishment in the EU jurisdiction that offers the most efficient, honest, and business-friendly regulatory oversight. The GDPR leaves much in the hands of the lead DPA, so by creating an establishment in a particular EU jurisdiction, non-EU businesses can help select which national DPA regulates them. Two caveats apply: the lead DPA is determined by the main establishment, meaning the place where decisions about the purposes and means of processing are actually taken, so a nominal entity with no real decision-making role may not qualify; and a non-EU controller or processor that falls under the GDPR without any EU establishment must in most cases designate a representative in the EU regardless.