Even if your company is not located in the European Union and is not in the business of collecting or selling sensitive information, the EU General Data Protection Regulation (GDPR) may still apply to you. The new sweeping legislation became effective May 25, 2018 and is the most significant data protection law since the dawn of the tech boom in the 1990’s. With heavy penalties for non-compliance (up to €20 million; about $23.3 M USD), it is already significantly impacting how companies collect and protect information pertaining to individuals.
The GDPR applies to companies that have no physical presence in the EU but have contact with EU residents, such as through a website that is available for use in the EU or engaging with EU applicants for employment or educational opportunities. The information does not have to be sensitive or confidential and there is no minimum amount of data for GDPR to apply. Accordingly, even if your business is not the size of Equifax or Chili’s – two companies that were recently involved in major data breaches – you are still required to comply with the new law.
Recognizing the broad reach of the GDPR, Frantz Ward attorneys have created a list of initial steps that companies should consider to comply. It is not too late to implement policies designed to minimize your exposure to liability.
1. Determine whether your company processes or controls personal data
The threshold question is whether your company obtains, records, or holds personal data of the data subjects covered by the GDPR, regardless of the use or purpose of collecting such data. Even if only passively collected, such as automatic logging of information on visitors to your website, that collection will trigger the obligation to comply with the GDPR. Personal data is identifying information that arguably includes IP addresses, which are often automatically collected by the use of “Cookies” on websites. Data subjects are living people, not companies. Moreover, GDPR’s application depends on the location of the data subject, not the location of your company or its servers.
3. Audit and inventory current data and create a records management plan
Assessing and creating an inventory of data collected can help the company timely identify, alter, and delete data upon request and manage exposure and response to data breaches. The initial assessment process may include reviewing current contracts that deal with the collection of personal data (such as third-party vendor agreements, applications for employment, and sales agreements), coordinating with key personnel in your information technology department, identifying gaps in GDPR preparedness, estimating costs to address gaps, and approving a budget. Companies should also document all data processing and collection activities to ensure compliance. Companies must create a records management plan that involves regular review and methodical purging of personal data that is no longer needed or used. Once you determine that you no longer need personal data for the purpose for which it was originally collected, you should delete it from your servers unless you have other lawful grounds for retaining it. A records management plan should be implemented by a designated individual within the company known as a data protection officer (“DPO”). Though appointing a DPO is only required of public authorities and organizations whose core activities require systematic monitoring of individuals on a large scale, a voluntary DPO could oversee the audit and inventory process and perform other data management functions.
4. Analyze your risk of a data breach and prepare a response plan
As the role of technology and personal data in our everyday lives increases, the number of data breach incidents in the United States has sky rocketed. According to a 2017 Ponemon Cost of Data Breach Study, the average cost of a data breach is $3.62 million. Depending on a company’s activities, a threat assessment of its servers and data storage facilities may prove critical. The GDPR requires a company to notify a supervisory or public authority within 72 hours of learning of a data breach. Further, if the breach is likely to result in risk to individuals, the company must notify the data subjects as well. Companies should have procedures in place to detect breaches and a well-crafted response plan to minimize the impact of the breach.
5. Consider cybersecurity insurance
While some courts have analyzed the extent to which coverage for a data breach may exist under traditional Commercial General Liability (“CGL”) and other insurance policies, by and large, coverage under these policies remains unsettled among courts of various U.S. jurisdictions. Accordingly, from a planning perspective, you should assume that your CGL policy will not provide coverage for a data breach unless you have specific confirmation otherwise. Fortunately, there are a number of insurance providers that offer specialized “cyber liability” coverage that may minimize the risk of hefty GDPR penalties in the event of a data breach. If your company does not currently have a cyber liability insurance policy, it may be the time to consider purchasing one. If your company does have a cyber liability policy, be sure to review and update it.
The above list is not exhaustive. The actions that need to be taken will depend on individual circumstances. It is critical to develop a compliance plan specific to your company’s needs, audit and revise your Privacy and internal data management policies, conduct awareness training for your employees, have a plan to respond to breaches when they occur, and take preventative measures, such as the procurement of insurance, to minimize potential exposure.