The General Data Protection Regulation (GDPR) (EU) 2016/679 took effect on May 25, 2018. Going forward, businesses[i] that collect or process personal data of individuals in the European Union must be able to demonstrate GDPR compliance. In theory, those who are not compliant could face potential administrative fines of up to €20 million or 4 percent of the organization’s global annual revenue, whichever is greater.
All is not lost, however, for U.S. businesses that did not achieve full compliance prior to the effective date. Like any other regulatory requirement, the motivation for, and degree of, a U.S. business’s GDPR compliance is a business decision based on an assessment of the business’s activities, goals and tolerance for risk. U.S. businesses with a significant presence in the EU, or that regularly handle the personal information of EU residents, will need to become GDPR compliant to avoid potentially steep penalties. In contrast, U.S. businesses with little to no EU contact might opt to take smaller steps toward compliance, either to mitigate risk or to distinguish themselves from competitors by demonstrating to customers their commitment to broader privacy principles. The majority of U.S. businesses fall somewhere in the middle of this spectrum and will want to mitigate their risk of regulation by incorporating a tailored approach to GDPR compliance into their overall business plans.
This article outlines the GDPR’s core provisions and best practices for U.S. businesses to achieve compliance at a level and pace that responds to their business activities and risk of regulation.
What is the GDPR?
The GDPR is the much-anticipated European Union regulation that provides data protection and privacy for individuals within, and imposes requirements for the export of personal data outside of, the European Union (EU) and the European Economic Area. The GDPR applies not only to EU residents, but also to any person physically located within the EU at the time the data is collected or processed. The GDPR applies to U.S. businesses, nonprofit organizations, charities and educational institutions that collect or process EU personal data to any degree, whether or not the entity has a physical presence in the EU.
Their Data, Their Rights:
The GDPR grants individuals located in the EU certain fundamental privacy rights over their personal data,[ii] including the right to:
- Transparency, meaning, the right to be informed about the collection and use of the individual’s personal data;
- Access their personal data;
- Object to the processing of their personal data;
- Restrict the processing of their personal data;
- A means for requesting correction of their personal data, to the extent it is inaccurate;
- Erasure, also referred to as “the right to be forgotten;” and
- Data portability.
Implementing Best Practices:
The GDPR requires businesses to institute privacy by design, or incorporate robust data protection mechanisms into the framework of business activities and provide individuals with the means to exercise what the EU has outlined as fundamental privacy rights.[iii] Businesses can reduce the risk of violations and hefty fines by taking measured, proactive steps toward compliance.
Map Your Data
The first step in privacy by design is assessing how your business collects and processes personal data. This involves creating a data map, or taking inventory of all personal data that your business collects and processes, and determining whether any of the personal data falls within a special category and is therefore subject to special protections. Unlike most U.S. definitions of protectable personal data, the GDPR defines “personal data” to include a broad array of information.[iv] General information such as IP addresses, names and birthdates, as well as highly specific information such as biometric data, medical or genetic information and political affiliation, are protected personal data under the GDPR. Once your business understands the types of data it collects, and whether the GDPR protects that data, the next step is to analyze how your business uses the personal information and identify any practices that may require additional efforts to comply with the GDPR. Consider your business’s current efforts to ensure the security of the personal information it collects and, if necessary, institute additional security measures to mitigate risk and provide GDPR compliant protections.
Your business will have different compliance requirements depending on whether it is a data controller or a data processor.[v] A data controller determines the purposes and means of the processing of personal data. For example, a business that collects data from its own customers to compile a list of direct marketing contacts is a data controller. In contrast, a data processor is a third-party vendor that processes personal data on behalf of the business that initially collected the data. Examples of data processors include payroll companies, accountants and market research companies. In some cases, a business may be a data controller when providing some services and a data processor when providing other services, and must then meet the requirements of both roles.
Appoint a DPO
A Data Protection Officer (DPO)[vi] is a person associated with your business who serves as the point of contact for regulators and takes responsibility for GDPR compliance efforts including employee training, compliance audits and serving as a point of contact for individuals contacting your business to exercise their fundamental privacy rights. Depending on the size of your business and the scope of your data processing activities, the DPO position can be a standalone position or a designation assigned to an existing employee who serves other functions as well.
State a Lawful Basis
The GDPR requires businesses to have a lawful basis to collect and process personal data.[vii] A lawful basis may exist if the processing is:
- Necessary for the performance of a contract entered into with the data subject;
- Necessary for compliance with legal requirements;
- Based on consent obtained from the individual; and/or
- Necessary to achieve your business’s legitimate interests.
The legitimate interest basis requires completion of a thorough legal analysis called a Legitimate Interest Assessment, careful record keeping practices, potential review and modification of existing contractual relationships, and updating the business’s corporate documents to reflect reliance on the lawful basis.[viii] To claim a legitimate interest, a data controller must (1) identify a legitimate business interest (e.g. direct marketing, fraud prevention, internal administrative purposes or reporting possible criminal acts), (2) prove that the processing of personal data is necessary to achieve that legitimate interest, and (3) complete a legitimate interest assessment to demonstrate that the individual’s interests or fundamental rights and freedoms do not override the data controller’s need to process the personal data.[ix]
Freshen Up Your Privacy Policies
Check Your Contracts
The GDPR requires certain minimum provisions in contracts with third-party vendors who collect or process personal data on your behalf.[xii] The best practice is to seek a legal analysis of all existing third-party contracts and, if necessary, execute an addendum to any contract that does not contain the required provisions or amend any contract containing conflicting provisions. Be wary of inadvertently agreeing to additional contractual requirements or waiving jurisdictional defenses that may be available to U.S. entities under U.S. federal or state laws.
Document, Document, Document
Ask the Experts
Even though the GDPR is a European law, the free-flowing nature of online data makes it essentially impossible for any business to be certain that its data collection and processing activities will not trigger regulation under the GDPR. For this reason, the GDPR is having a profound impact on how businesses around the world collect and process personal information. A business is best served by investing in preemptive measures to reduce risk exposure, updating notices and consent mechanisms, and completing a legitimate interest assessment to establish a defensible position that the business has a lawful basis for its data processing activities.