The General Data Protection Regulation (GDPR) (EU) 2016/679 took effect on May 25, 2018. Going forward, businesses[i] that collect or process personal data of individuals in the European Union must be able to demonstrate GDPR compliance. In theory, those who are not compliant could face potential administrative fines of up to €20 million or 4 percent of the organization’s global annual revenue, whichever is greater.

All is not lost, however, for U.S. businesses that did not achieve full compliance prior to the effective date. Like any other regulatory requirement, the motivation for and degree to which a U.S. business becomes GDPR compliant are business decisions made based on an assessment of the business’s activities, goals and tolerance for risk. U.S. businesses with a significant presence in the EU or that regularly handle EU resident personal information will need to become GDPR compliant to avoid potentially steep penalties. In contrast, U.S. businesses with little to no EU contact might opt to take smaller steps toward compliance, either to mitigate risk or to distinguish themselves from competitors by demonstrating to customers their commitment to broader privacy principles. The majority of U.S. businesses fall somewhere in the middle of this spectrum and will want to mitigate their risk of regulation by incorporating a tailored approach to GDPR compliance into their overall business plans.

This article outlines the GDPR’s core provisions and best practices for U.S. businesses to achieve compliance at a level and pace that responds to their business activities and risk of regulation.

What is the GDPR?

The GDPR is the much-anticipated European Union regulation that provides data protection and privacy for individuals within, and imposes requirements for the export of personal data outside of, the European Union (EU) and the European Economic Area. The GDPR applies not only to EU residents, but also to any person physically located within the EU at the time the data is collected or processed. The GDPR applies to U.S. businesses, nonprofit organizations, charities and educational institutions that collect or process EU personal data to any degree, whether or not the entity has a physical presence in the EU.

Their Data, Their Rights:

The GDPR entitles individuals located in the EU with certain fundamental privacy rights over their personal data,[ii] including the right to:

  • Transparency, meaning the right to be informed about the collection and use of the individual’s personal data;
  • Access their personal data;
  • Object to the processing of their personal data;
  • Restrict the processing of their personal data;
  • A means for requesting correction of their personal data, to the extent it is inaccurate;
  • Erasure, also referred to as “the right to be forgotten;” and
  • Data portability.

Implementing Best Practices:

The GDPR requires businesses to institute privacy by design, or incorporate robust data protection mechanisms into the framework of business activities and provide individuals with the means to exercise what the EU has outlined as fundamental privacy rights.[iii] Businesses can reduce the risk of violations and hefty fines by taking measured, proactive steps toward compliance.

Map Your Data

The first step in privacy by design is assessing how your business collects and processes personal data. This involves creating a data map, or taking inventory of all personal data that your business collects and processes, and determining whether any of the personal data falls within a special category and is therefore subject to special protections. Unlike most U.S. definitions of protectable personal data, the GDPR defines “personal data” to include a broad array of information.[iv] General information such as IP addresses, names and birthdates, as well as highly specific information such as biometric data, medical or genetic information, and political affiliation, are protected personal data under the GDPR. Once your business understands the types of data it collects, and whether the GDPR protects that data, the next step is to analyze how your business uses the personal information and identify any practices that may require additional efforts to comply with the GDPR. Consider your business’s current efforts to ensure the security of the personal information it collects and, if necessary, institute additional security measures to mitigate risk and provide GDPR-compliant protections.

Identify Yourself

Your business will have different compliance requirements depending on whether it is a data controller or a data processor.[v] A data controller determines the purposes and means of the processing of personal data. For example, a business that collects data from its own customers to compile a list of direct marketing contacts is a data controller. In contrast, a data processor is a third-party vendor that processes personal data on behalf of the business that initially collected the data. Examples of data processors include payroll companies, accountants and market research companies. In some cases, a business may be a data controller when providing some services and a data processor when providing other services, and then must meet the requirements of both roles.

Appoint a DPO

A Data Protection Officer (DPO)[vi] is a person associated with your business who serves as the point of contact for regulators and takes responsibility for GDPR compliance efforts including employee training, compliance audits and serving as a point of contact for individuals contacting your business to exercise their fundamental privacy rights. Depending on the size of your business and the scope of your data processing activities, the DPO position can be a standalone position or a designation assigned to an existing employee who serves other functions as well.

State a Lawful Basis

The GDPR requires businesses to have a lawful basis to collect and process personal data.[vii] A lawful basis may exist if the processing is:

  • Necessary for the performance of a contract entered into with the data subject;
  • Necessary for compliance with legal requirements;
  • Based on consent obtained from the individual; and/or
  • Necessary to achieve your business’s legitimate interests.

Consent is the most common lawful basis. To rely on consent, a data controller must (1) obtain explicit consent from the data subject, (2) maintain documentation of the consent and (3) ensure that consent is current and based on accurate disclosure. Explicit consent means the consent is informed, unambiguous, presented in clear and plain language that is intelligible and easily accessible, specific to the purpose of the data processing, freely given by a statement or clear act, and presented separately from other policies and disclosures. For example, consent is not explicit if it is buried in a privacy policy or presumed where the individual has not opted out.

The legitimate interest basis requires completion of a thorough legal analysis called a Legitimate Interest Assessment, thorough record-keeping practices, potential review and modification of existing contractual relationships, and updating the business’s corporate documents to reflect reliance on the lawful basis.[viii] To claim a legitimate interest, a data controller must (1) identify a legitimate business interest (e.g., direct marketing, fraud prevention, internal administrative purposes or reporting possible criminal acts), (2) prove that the processing of personal data is necessary to achieve that legitimate interest, and (3) complete a legitimate interest assessment to demonstrate that the individual’s interests or fundamental rights and freedoms do not override the data controller’s need to process the personal data.[ix]

Freshen Up Your Privacy Policies

The GDPR requires that privacy policies meet specific minimum requirements, not only in terms of the information the policy includes, but also in terms of how the policy presents the information. For example, your privacy policy must state what information your business collects, how the information is used, what security measures your business takes to keep the information safe, and what the individual can do to exercise their fundamental privacy rights.[x] Also, be sure to include in your privacy policy a statement of the lawful basis for the data collection and processing and provide the DPO’s contact information.[xi] Depending on the scope and activities of your business, similar treatment may be necessary to bring your business’s terms of use into compliance as well.

Check Your Contracts

The GDPR requires certain minimum provisions in contracts with third-party vendors who collect or process personal data on your behalf.[xii] The best practice is to seek a legal analysis of all existing third-party contracts and, if necessary, execute an addendum to any contract that does not contain the required provisions or amend any contract containing conflicting provisions. Be wary of inadvertently agreeing to additional contractual requirements or waiving jurisdictional defenses that may be available to U.S. entities under U.S. federal or state laws.

Document, Document, Document

Document your business’s data processing activities and the lawful basis for those activities. Develop and maintain a documented plan for GDPR compliance, which will allow you to respond quickly and thoroughly to inquiries from individuals and regulators. Keep records of all consents given to your business, especially consents obtained from individuals in the EU. Complete impact assessments of your business’s data processing activities at regular intervals and update all policies, terms of use and legitimate interest assessments to reflect any changes.

Ask the Experts

Even though the GDPR is a European law, the free-flowing nature of online data makes it essentially impossible for any business to be certain that its data collection and processing activities will not trigger regulation under the GDPR. For this reason, the GDPR is having a profound impact on how businesses around the world collect and process personal information. A business is best served by investing in preemptive measures to reduce risk exposure, updating notices and consent mechanisms, and completing a legitimate interest assessment to establish a defensible position that the business has a lawful basis for its data processing activities.