You may recently have received a flood of emails from companies concerning their updated privacy policies and wondered why. These notifications are the result of the European Union’s General Data Protection Regulation (“GDPR”), which dramatically affects how companies may collect, process, maintain and distribute personal data. Below is a brief overview of the GDPR.
What is the GDPR?
The GDPR protects the privacy rights of individuals in the European Economic Area (EU member states plus Iceland, Liechtenstein and Norway) (“EEA”) by providing them with greater ability to control how companies may collect, process, maintain and distribute their personal data and by requiring that companies engage in the lawful, fair and transparent use of such data.
When did the GDPR become effective?
May 25, 2018.
Whom does the GDPR protect?
Individuals, not entities, in the EEA.
What data is subject to the GDPR?
Personal data, namely any information that can identify, authenticate or link to a specific person, including names, email addresses, physical addresses and IP addresses.
Personal data may comprise social, physical, financial, mental, cultural, health or even genetic information.
Who must comply with the GDPR?
Any natural or legal person or public authority, agency or other body (“Entity”) located in the EEA.
Any Entity outside the EEA that provides products or services to EEA individuals.
Any Entity outside the EEA that monitors the behavior of EEA individuals, where that behavior takes place in the EEA (e.g., cookies, profiling).
The GDPR applies to both data controllers (who control the purposes and means of processing personal data) and data processors (who process personal data on behalf of the controller).
What are some of the key provisions of the GDPR?
Entities must provide clear and conspicuous information to individuals concerning what personal data is collected and why and how it is used.
Entities generally must obtain explicit consent to the collection and use of an individual’s personal data or demonstrate other enumerated legitimate purposes for such collection and use (e.g., processing is necessary for the performance of a contract).
Subject to certain exceptions, individuals have rights to access, rectify, erase and transfer their personal data, to object to and restrict its use, and not to be subject to decision-making based on automatic processes (e.g., profiling). The right of erasure stems from the EU’s “right to be forgotten” and is novel to many US entities.
Entities must provide individuals with notice of the foregoing rights.
Entities must maintain the integrity of their systems and know how and where personal data is stored, transmitted and used, including through data processors.
Entities must be able to demonstrate that data is processed and stored in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Entities must ensure that personal data is processed lawfully, fairly and in a transparent manner and collected only for specified, explicit and legitimate purposes.
Entities must maintain personal data no longer than is necessary for the purposes for which the data is processed.
Entities generally may not transfer personal data outside of the EU except to a country deemed by the European Commission to have adequate privacy protections in place.
Entities must provide measures for detecting, evaluating and notifying individuals and regulatory authorities of data breaches and the harm resulting therefrom. Certain breaches must be reported to regulatory authorities within 72 hours.
Entities whose core business involves processing personal data generally must appoint a data protection officer (DPO) and test security for high-risk situations.
Entities must be able to demonstrate compliance with the GDPR immediately upon request.
What happens if an Entity does not comply with the GDPR?
The GDPR permits penalties up to the greater of €10 million or 2% of an Entity’s global revenue for negligent violations, increased to the greater of €20 million or 4% for willful violations.
What are some things I should be thinking about next?
Determining whether you are subject to the GDPR.
Educating yourself, relevant employees and vendors about the GDPR.
Gaining a full understanding of what data you collect and how it is stored and processed, including through any third party vendors.
Reviewing and revising, as necessary, privacy policies, consent vehicles, individual access and rights procedures, and data collection, management, security and breach notification protocols.