What’s the News?
The EU Commission, Parliament, and Council of Ministers recently reached an agreement on the General Data Protection Regulation (GDPR). The GDPR, many years in the making, will greatly impact multinational companies doing business in the EU as it sets forth numerous requirements for entities that process personal data for EU residents. To be clear, “personal data” covers a broad range of data, including any data that may reasonably be used to identify a living individual. This broad definition covers numerous identifiers, including cookies, IP addresses, and other data that may be reasonably linked to a living EU resident. Further, the processing of “sensitive data,” defined to include both genetic and biometric data, will be subject to additional requirements. Given the GDPR’s likely approval in early 2016, multinational companies should begin to prepare as the new law may take effect in late 2017. It will replace the current EU Data Directive, and the various country-by-country laws implementing the Directive will likely continue in force until the GDPR takes effect.
What Should Businesses Know?
Businesses should be aware of the GDPR requirements and prepare to implement data processing safeguards in compliance. Some notable things that businesses should consider include the following:
- Privacy by Design: Privacy should be incorporated into all aspects of data processing. Appropriate policies must be adopted to demonstrate compliance with data protection principles. For example, under the GDPR, businesses are encouraged to develop pseudonyms to enhance privacy. While pseudonyms will still be viewed as a form of personal data, they are encouraged as a means of incorporating privacy into business practices. In certain industries, such as those using information for historical, scientific research or statistical purposes, pseudonyms will be deemed mandatory. Businesses must also design methods to permit consumers to obtain information regarding the processing of their data in a concise, transparent, intelligible, and easily accessible way. Further, certain categories of businesses will be required to appoint a data protection officer. That said, a data protection officer (akin to a US Chief Privacy Officer) should be considered given the additional mandates in place.
- Consent: Businesses should include methods of obtaining unambiguous consent for data processing and, for sensitive data, it must be explicit. As a reminder, the GDPR will maintain the requirement that all consent be specific, informed, and active. Further, opt-in consent is required and inaction (opt-out) is not an acceptable form of consent under the EU regulations.
- Vendors: Under the current law, data controllers carry the heaviest burden with respect to responsibility for data processing—even where a data controller hires a vendor to handle the processing of information. For example, under current law, a company that outsources their servers will remain responsible for anything that happens to EU resident data while the data is on the servers. However, under the GDPR, data processors will assume additional responsibility in some areas, such as data transfers. Further, the appointment of a data processor becomes more difficult as approval must be sought to appoint sub-processors and to transfer data out of the European Economic Area. It is likely that standardized contracts will be released.
- Right to be Forgotten: There is an explicit right to be forgotten. Therefore, under certain circumstances, including once data is no longer needed or consent is withdrawn, personal data must be erased “without undue delay.”
- Data Breach Notification: Under the GDPR, companies must notify their supervisory data authority within 72 hours of becoming aware of a data breach. Further, consumers must be notified if it is determined that the breach is likely to result in a “high risk to the rights and freedoms of individuals” and such notice must be provided without undue delay (similar to the law in many US states).
- Consolidated System: One benefit of the GDPR is that it will allow companies to report to a single, lead supervisory authority in the country of their primary EU office. Having this primary supervisory point-of-contact will be helpful given that many companies now often have to report to various DPAs when doing business in the EU. Under the GDPR, there will be one primary authority.
As the official enactment of the GDPR nears, businesses should begin preparing early. It may be wise to appoint a Chief Privacy Officer to manage the various requirements imposed by various US and international data regulations. This lead officer, in conjunction with any data protection officer appointed in the EU, will be responsible for training within a business, managing compliance, as well as reporting to an EU supervisory authority. Further, where there is no EU office, but a company targets EU residents, a representative will need to be appointed in the EU. If reorganization is necessary to ensure that the proper individuals are in place, it may be wise to consider these structural shifts now.
The EU Commission will likely release additional information in early 2016. In addition to guidance, it is also likely that we will soon see the release of icons, standard contracts, and other information to help guide companies as they work to comply with the GDPR.