As the New Year approaches, it is a good time for companies of all sizes to review their data privacy and cybersecurity strategies. Are you meeting your requirements? Do you have the right partners? Are you preparing for the future?
That last question is especially important this year for companies that interact with European Union citizens. As of May 25, 2018, organizations that collect, process, or transfer EU personal data will have to be in compliance with the new General Data Protection Regulation (GDPR), which will replace the EU’s current comprehensive data regulation, Directive 95/46/EC (Directive). Although the GDPR is similar in many respects to the Directive, there are several key differences that companies should understand.
The text of the GDPR makes it clear that the EU intends it to have greater extraterritorial effect than the Directive, which, if enforceable, could alter data privacy practices around the globe. It also could subject many more U.S.-based companies to EU privacy law.
Under the Directive, the vast majority of privacy regulations applied directly only to entities established in the EU or that used equipment in the EU. Under the GDPR, key regulations would apply to any business, regardless of which region of the world it calls home, that offers goods or services (even for free) to individuals in the EU or that monitors individuals located in the EU.
In real-world terms, this means a company with a U.S.-hosted website that offers free services worldwide and collects personal information will potentially be subject to the GDPR. Companies in the IT, marketing, and SaaS spaces especially should evaluate in advance whether they might be subject to the new law.
Another key difference between the Directive and the GDPR is the substantial penalties expected to be imposed for non-compliance with the GDPR. Most notably, the GDPR authorizes supervisory authorities to levy fines of up to 4 percent of an organization’s annual worldwide turnover or 20 million Euros, whichever is higher. The possibility of such a massive financial penalty makes it clear that, as of 2018, a company will only be able to ignore EU privacy law at great risk.
There are several other important, but less dramatic, differences in the regulations. The GDPR:
- Establishes a new right of data portability, which allows data subjects to receive personal data they provided to a data controller;
- Codifies a 2014 European Court of Justice ruling recognizing the right to be forgotten, which allows individuals to request the erasure of personal data;
- Requires organizations that process large quantities of EU sensitive information to employ a data protection officer;
- Requires notice of data breaches to regulators within 72 hours of the breach, where feasible, and to consumers “without undue delay;” and
- Establishes 16 as the default age of consent for child data processing.
Organizations should immediately take inventory of their data practices to determine whether they might be subject to the GDPR. This even applies to businesses that are not currently subject to the Directive.
Although May 2018 seems far away, the comprehensive nature of the GDPR may require significant changes to an organization’s collection, use, and processing of data, and such changes may require a great deal of time to finalize and implement. Any company that discovers it collects or transfers EU residents’ personal data in the course of its business should immediately consult with legal counsel to evaluate the steps necessary to ensure compliance with the GDPR.