The EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018, replacing the current applicable Data Protection Directive.
The GDPR is complex and comprehensive and aims to harmonize data privacy laws across Europe, protect the privacy of EU citizens' personal information, and regulate the manner in which organizations in Europe or with European operations handle data privacy. Below we outline some key provisions of the GDPR that will impact American companies and the potential challenges they present.
Wider Scope & Enforcement
The GDPR applies not only to companies located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of EU data subjects. For example, an online retail company that is solely located in the US, but allows purchases and deliveries to EU citizens, would be subject to the GDPR.
The GDPR applies both to data controllers (companies that determine the purpose and means of processing personal data) and data processors (companies that process personal data on behalf of data controllers). While a controller must comply with all obligations set out in the GDPR, the regulation also introduces direct obligations on processors. Both controllers and processors are subject to enforcement action for non-compliance by supervisory authorities.
A controller located outside the EU must appoint a representative in one of the member states in which the controller offers goods or services or monitors EU residents, unless the processing is occasional, small scale, and does not involve sensitive personal data.
The GDPR defines personal data broader than the US privacy laws, and includes any information that can identify a data subject, directly or indirectly, by reference to an identifier (including publicly available information) such as a name, an identification number, location data, an online identifier, or information pertaining to the physical, physiological, health, genetic, mental, economic, cultural, ethnic, religious, or social identity of a data subject.
Like US privacy laws, the regulation covers unauthorized access to or acquisition of personal information; however the GDPR also considers an accidental or unlawful destruction, loss or alteration of personal data to constitute a breach.
Fines imposed for violations of the GDPR are to be “effective, proportionate and dissuasive.” Supervisory authorities have the powers of conducting audits, issuing orders to cease operations for non-compliance, and to impose substantial fines. For minor non-compliance, fines can be up to EUR 10,000 or up to 2% of worldwide annual turnover of the preceding financial year, whichever is greater. More serious breaches can result in fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover in the preceding financial year, whichever is greater. The availability of such substantial fines is a great concern for US companies and an incentive to understand and comply with the regulation.
Action Point: To achieve compliance and avoid potential enforcement action, US companies who offer goods or services to EU citizens or monitor their behavior have to be aware that they are subject to the GDPR, learn their obligations under the regulation and familiarize themselves with the regulation's definition of personal data and its key provisions (discussed below), appoint a representative in the EU if their operations are not occasional or small scale, implement required data handling practices and procedures and devise compliance plans (discussed below), and train their work force.
Key Provisions Impacting US Companies
Data Subject Rights
A fundamental objective of the GDPR is to protect and enhance the rights of data subjects. The key rights of data subjects include:
- Right of access and rectification. Data subjects have a right to request their personal data and receive it in an intelligible format within one month of such request, as well to request rectification of their personal data if it is inaccurate. The controller must give effect to data subjects’ rights of access, rectification, erasure, and the right to object to profiling or direct marketing, free of charge.
- Right of data portability. Under the right of data portability, a data controller must provide the data subject with a copy of the data subject’s personal data in a structured, commonly used and machine readable format and not hinder the data subject’s transmission of personal data to a new data controller.
- Right to transparency. Controllers must provide certain minimum information to data subjects regarding the collection and processing of their personal data. Controllers must provide subjects with concise, transparent, intelligible, and easily accessible information about the processing of their personal data.
- Right of erasure. Data subjects have the right to erasure of personal data (the "right to be forgotten") if the personal data is no longer necessary for the purpose for which it was originally collected, or when the individual withdraws consent and there is no overriding legitimate interest for continuing the processing. But, a controller may keep personal data to comply with a legal obligation, for public health purposes in the public interest, archiving purposes in the public interest, scientific research, historical research or statistical purposes, or for the defense of legal claims.
- Right to object to profiling and direct marketing. The GDPR defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate personal aspects relating to a natural person; in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.” Under GDPR, data subjects have a right to not be subject to a decision based solely on profiling which produces a legal or other similarly significant effect.
Action Point: US companies should establish policies and procedures to promptly address personal data requests from data subjects, to provide access to and correct any inaccurate data, provide the data in specified format as requested, transfer data to another data controller, inform data subjects about how their data is collected and processed, and handle erasure requests where appropriate. An organization should also update its data retention policy to ensure it retains data within the legal and regulatory parameters, and only for the specific periods of time for which the personal data was collected in the first place. US companies should evaluate their profiling activities and whether such activities require data subjects’ consent.
Fair Processing Notices
Under the GDPR, a controller must provide detailed information to data subjects regarding any intended processing of personal data. The required privacy notice must be concise, and provide in clean and plain language the following information: identity of controller; purpose of the processing; the controller's contact details; the legal basis of the processing; the data retention period; a reference to the data subject's rights under the GDPR; and information on international transfers and safeguards applied to such transfers. Where the personal data is not obtained directly from the data subject, the notice should also identify the source of the personal data.
Action Point: US companies should review their privacy notices and update them to include the specific information required by the GDPR.
Under GDPR, organizations must have a lawful basis for all of their data processing activities. If an organization relies on consent as the lawful basis for its data processing activities, it must ensure that data subjects are provided with a clear explanation of the processing to which they are consenting. This includes the consent mechanism is genuinely voluntary and "opt-in" and that data subjects can easily withdraw their consent. Additionally, consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.
Action Point: US companies should review their privacy policies and consent provisions because, under the GDPR, consent must be provided in the form of a clear, affirmative action by the data subject.
The GDPR requires controllers to demonstrate they comply with the GDPR through policies and procedures. Further, both controllers and processors must maintain records of processing activities that include details such as retention periods, transfers of personal data, and recipients of the data. The required policies, procedures, and processing records must be produced to the supervisory authorities upon request.
The GDPR also introduces the concepts of data protection by design and by default. Data protection by design requires controllers to implement appropriate technical and organizational measures to protect the rights of data subjects and ensure compliance with the regulation. Data protection by default means that controllers have to implement appropriate technical and organizational measures to ensure that only personal data that is necessary for processing for a specific purpose is processed.
Lastly, the GDPR requires that companies perform privacy impact assessments ("PIAs") where processing activities present a high risk to the rights and freedoms of data subjects (e.g., large scale processing of special categories of data). The PIA should contain a description of the processing, including the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing; an assessment of the risks to the rights and freedoms of data subjects; and the safeguards and measures to protect against these risks.
Action Point: Data privacy professionals at US companies work closely with management, product teams, and engineering teams to ensure that proper records are maintained demonstrating compliant data processing activities, and that appropriate technical and organizational measures ensuring compliance with the regulation are implemented with respect to existing products and services and built into newly developed products and services. In addition, US companies that handle personal data on large scale have to perform PIAs.
The GDPR requires both controllers and processors to handle personal data in a way that ensures appropriate security and protects against unauthorized and unlawful processing, and implement a level of security that is appropriate to the risk, including pseudonymisation and encryption of personal data, ensuring ongoing confidentiality and integrity of processing systems and services, ability to quickly restore availability of personal data in the event of a security incident, and regular evaluation and testing of security measures.
Action Point: US companies should perform thorough evaluation of their data processing practices and procedures, implement a level of security that is appropriate to the data handling risk, and review and update these practices and procedures frequently for GDPR compliance.
The GDPR introduces mandatory personal data breach reporting requirements to all companies subject to the regulation. Controllers will be obligated to report breaches to the relevant supervisory authority without undue delay, and where feasible, not later than 72 hours after they first become aware of the breach. It is not necessary to notify a personal data breach where it is unlikely to result in a risk to the rights and freedoms of data subjects.
Personal data breaches must also be notified to data subjects where the breach is likely to result in a high risk to the rights and freedoms of the data subjects. Notification to data subjects is not required if the controller has implemented appropriate security measures that render the personal data unintelligible to any unauthorized person (e.g., through encryption), the controller has taken subsequent measures to ensure the high risk to data subjects does not materialize, or it would involve disproportionate effort, in which case a public communication will suffice.
A processor responsible for the breach is required to notify the controller that owns the affected personal information, without undue delay.
Action Point: Given the very short deadline for notification, US companies should develop detailed notification action plans and identify in advance the appropriate authorities that need to be notified. Companies should also familiarize themselves with the thresholds that trigger the notification requirement under GDPR, as these thresholds differ in many aspects from the US breach notification laws.
Data Protection Officers
The GDPR requires controllers and processors to appoint a data protection officer (DPO) if they are a public entity, if the organization’s activities involve regular and systematic monitoring of personal data on a large scale, or if the organization processes data relating to criminal convictions and offenses or other sensitive personal data, on a large scale.
Action Point: US companies should evaluate whether they are required to appoint a DPO. For larger organizations, the DPO may require a support team in order to carry out the DPO role effectively.