On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect, and its reach is global. Regardless of where your business is located, if it holds or processes the personal data of individuals in the EU and is not compliant with the GDPR by that date, you could face fines ranging from the greater of 10 million Euros or 2% of worldwide annual turnover1 per infringement up to the greater of 20 million Euros or 4% of worldwide annual turnover per infringement. As such, it is important to understand whether the GDPR applies to your business, and if it does, what you must do to comply.
What is the GDPR?
The GDPR is a comprehensive regulation meant to protect the personal data of individuals in the EU, wherever that data might be processed. It replaces the 1995 Data Protection Directive (the "Directive").
In the twenty-two years since the Directive was passed by the EU Parliament, the technology landscape has changed dramatically. With the growth of e-commerce, social media and mobile technology, the cross-border transmission of personal data has exploded. To keep up with such changes, the EU Parliament felt the Directive needed an overhaul and that overhaul is the GDPR.
Additionally, the Directive was just that, a directive (i.e., instruction) to the EU members with regard to the minimum standards that they were to include in their individual states' data protection laws. This has resulted in a patchwork of laws across the EU member states that has made compliance difficult for companies wanting to do business throughout the EU. In order to correct this problem and to make it easier for businesses to operate throughout the EU, the EU Parliament passed the GDPR, a regulation (rather than a mere directive) that imposes an overarching, EU-wide data protection regime.
The GDPR was also intended to ensure the protection of personal data of individuals in the EU, wherever that data might be processed. As such, the GDPR greatly expands the geographical scope of EU data protection law. The GDPR applies not only to organizations established within the EU, but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU. Consequently, US-based companies will need to comply with the GDPR if they are doing business (or attempting to do business) in the EU and are handling or storing any personal data of individuals residing in the EU. For example, if your business's marketing efforts into the EU include gathering EU residents' names and/or email addresses, you could be subject to the GDPR.
So, what is personal data?
"Personal data" under the GDPR means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."2 The test is objective: if anyone, using "all means reasonably likely to be used," could use the information to single out a particular natural person, the information is "personal data" under the GDPR. Thus, data may be "personal data" even if the organization holding it cannot itself identify a natural person.3 Furthermore, a name is not necessary for information to be "identifiable"; an identification number, location data, an online identifier or other factors may suffice. Online identifiers are expressly called out in Recital 30 of the GDPR, with IP addresses, cookie identifiers and RFID tags all listed as examples. Hence, "personal data" is broadly defined and covers far more information than one may initially believe. However, although these definitions are broader than the wording used in the Directive, they largely codify the existing guidance and case law on the meaning of "personal data" under the Directive.
How does a business comply with the GDPR?
The first step in compliance with the GDPR is to analyze and understand your current state of affairs: review what kinds of data you handle, from where and how you gather that data, how it is processed, with whom it is shared, and what security mechanisms, policies, and procedures you already have in place. Then, if you believe you are subject to the GDPR, review the regulation to see what you may need to add or modify in order to comply. As you begin this analysis, keep in mind the following key components of the regulation:
- Strengthened Individual Rights: Under the GDPR, individuals have stronger rights, including the right to be informed, the right of access, the right of rectification, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision-making and profiling, and the right to erasure ("right to be forgotten"). It is also easier for individuals to claim compensation for violations of these rights, and consumer groups are permitted to enforce these rights on behalf of individuals. Your business needs to have the policies and procedures in place to accommodate such rights, including a way to locate, export and delete a given individual's data across your systems within the regulation's time limits.
- Consent is More Difficult to Obtain: Consent must be a clear and affirmative action. Companies will no longer be able to use terms and conditions “full of legalese” to gain consent. The request for consent must be given in an easily accessible form, clearly indicating the purpose for data processing, and such consent must be clear and distinguishable from all other matters. The GDPR also makes it more difficult to reuse existing data for new or different purposes. Your consent documentation might need to be revamped to provide such clear and distinguishable consent.
- Privacy by Design and Privacy by Default: The concepts "privacy by design" and "privacy by default" were not spelled out in the Directive or in other data protection laws. "Privacy by design" means that privacy must now be built into new products, systems, and processes that use personal data at the time they are developed, not bolted on afterwards. "Privacy by default" requires that, out of the box, a product, system, or service process only the personal data necessary for each specific purpose, with the most privacy-protective settings applied automatically (no manual configuration by the user should be required). There is also a time element to privacy by default: personal data may be retained only for the period necessary to provide the given product or service. As such, your business will now have to consider data privacy at the initial design stages of any new project and throughout the lifecycle of the applicable data processing, with the protections and processes built into each project from the time of initiation.
- Accountability and Governance: Provisions within the GDPR promote accountability and governance. The principle of accountability is really the backbone of the GDPR and requires that businesses demonstrate their compliance with the GDPR. The governance principle requires that companies put governance measures in place so as to minimize the risk of breaches and to protect personal data.
- Data Protection Officers (DPOs): Data controllers and processors are required to appoint a DPO where they are public authorities, where their core activities involve regular and systematic monitoring of data subjects on a large scale, or where their core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. DPOs must have expert knowledge of data protection law and practice, must be allowed to act independently, and must report directly to the highest level of management within the organization.
- Impact Assessments: The GDPR requires data controllers to perform a data protection impact assessment before carrying out any processing that is likely to result in a high risk to the rights and freedoms of individuals. If the assessment indicates that the processing would present a high risk that the controller cannot adequately mitigate, the controller must consult the relevant supervisory authority before beginning the processing.
- Personal Data of Children: Businesses will have to obtain parental consent to process personal data of children under 16 years old. Member states will have the ability to lower this age requirement down to as low as 13 years old (which is similar to COPPA in the US).
- Reporting of Data Breaches: In the case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. Processors must notify the controller without undue delay after becoming aware of a breach. Meeting the 72-hour window in practice requires an incident response plan, logging sufficient to determine what data was affected, and a documented decision process in place before any incident occurs.
- Transfer of Data: The GDPR imposes additional restrictions (over those already in the Directive) on the transfer of personal data outside the EU.
The author thanks J. Cole Newkirk for his contributions to this article.