On May 25, 2018, a new data protection regulation entitled General Data Protection Regulation (“GDPR”), Regulation (EU) 2016/689, will come into force in the European Union (“EU”) and its 28 Member States. The GDPR provides significant new data privacy protections for individuals (“data subjects”), with corresponding requirements that must be implemented by organizations, regardless of location, that control or process the personal data of individuals located in the EU.
What are the Requirements of the GDPR?
With the explosion of the Internet, social media, and online marketing, it was only a matter of time before the EU would revisit its data protection regulations. The GDPR applies to the collection and processing of personal data in connection with an automated process or as part of a manual filing system (both direct and indirect personal data, including name, location, and online identifiers). Under the regulation, an organization needs a lawful basis to process personal data and is required to satisfy additional requirements to process “special data” which, among other categories, includes: race; ethnic origin; religion; politics; and sexual orientation.
The GDPR imposes far-reaching requirements on “data controllers” (organizations that determine the purpose and means of processing personal data) and “data processors” (third parties who process data on behalf of controllers) within the EU, as well as organizations located outside the EU if the organizations: (1) offer goods and services to persons in the EU; or (2) monitor behavior of individuals in the EU. Bear in mind, however, that mere website accessibility by persons in the EU is likely insufficient to establish intent to offer goods and services to persons in the EU or its individual Member States.
Data controllers are required to have a written contract with data processors to ensure organizational and technical compliance with the GDPR (the GDPR sets forth what needs to be included in these contracts). The GDPR also provides detailed restrictions on the cross-border transfer of personal data, which will have significant implications insofar as United States civil litigation discovery requests are concerned.
The GDPR requires data controllers to self-report security breaches to regulators within 72 hours of the subject breach (unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects) and to data subjects where the breach is likely to result in an elevated risk to the rights and freedoms of data subjects “without undue delay.”
New Rights for Data Subjects
The GDPR will introduce new rights for data subjects, including the right to request and obtain a copy of their respective personal data that an organization controls, processes, and/or transfers. Data subjects are entitled to: (1) know how long their data will be stored; (2) know how they can have the organization delete it (“right to be forgotten”); (3) know the purpose of processing their data; and (4) lodge a complaint with a supervisory authority. Many expect that there will be a flood of data subject requests asking for the deletion of their personal information.
The New Standard for Consent
Consent under the GDPR must be express, not implied (i.e., no pre-checked consent boxes). For consent to be express, the consent must be:
- Unambiguous (i.e., the data subject actively checks an unchecked checkbox);
- Freely given (i.e., not conditioned on purchase, use of website, access, etc.);
- Specific (i.e., consent cannot be bundled, each purpose requires another consent checkbox);
- Informed (i.e., data controllers must provide their names, why they want your data, etc.); and
- Explicit (i.e., only for certain processing activities, such as sensitive data).
The consent obtained from data subjects must be documented (each data controller must be able to provide evidence of consent). In addition, data subjects must be advised as to how to withdraw consent, which should be as easily accomplished as the procedure by which consent was provided.
Non-Compliance with GDPR can Be Costly
If a company or organization violates or fails to comply with the GDPR, the financial consequences are severe and include administrative fines depending on the severity of the violation. Fines are subject to due process and judicial review, but EU Member States can impose additional penalties, including criminal sanctions. In addition to the foregoing, individuals have the right to obtain compensation from both controllers and processors for material and non-material damages that they suffer. Please note that controllers and processors can be held jointly and severally liable and can bring claims of contribution against one another.
How to Avoid GDPR Liability
To avoid GDPR liability, organizations should, among other things, establish and implement policies and procedures regarding their protection and handling of the data of individuals that they control or obtain, conduct staff training, hire data protection officers (DPOs), and establish breach response protocols. These measures can help identify, prevent, and reduce regulatory and/or legal liability. Companies should review all contracts with business partners to ensure compliance with the GDPR and review insurance policies to make sure that GDPR-related coverage is in place. In addition, organizations should keep records of the GDPR organizational and technical measures that have been implemented. This will be useful in the event of an audit by a supervisory authority.