The European Parliament, the Council of the European Union, and the European Commission have enacted new rules, called the General Data Protection Regulation (“GDPR” or “Regulation”), to strengthen the protection of data pertaining to residents of the European Union (“EU”). GDPR also addresses the use and export of such data outside the EU. The requirements are not limited to EU-based organizations; rather, they will apply to organizations outside the EU if they offer goods or services to, or handle the data of, EU residents. The rules apply a very broad definition of the term “data,” which includes not only an individual’s name, address and/or social security number, but also email addresses, photos, IP addresses, social media posts and political orientation. The requirements are intended to be an extension of the principles underlying the UK Data Protection Act of 1998, and are primarily privacy rules, intended to provide EU residents greater control over the use and dissemination of their personal data. The new rules identify practices and procedures to be followed when handling EU residents’ data and contain a significant penalty provision for violations. While the GDPR’s breadth and scope are unprecedented, there is still time for affected companies and entities to develop an effective compliance plan to meet the GDPR implementation deadline of May 25, 2018.
Does the GDPR apply to my company/organization?
The GDPR applies to any company or organization that (1) either has a presence in the EU or, having no EU presence, processes the personal data of EU residents, and (2) either has more than 250 employees or, having fewer than 250 employees, carries out data processing that impacts EU residents’ personal data. The GDPR may apply to any organization – health care organizations, utility companies, online retailers, colleges, etc. – that handles the personal data of an EU resident, whether that data is collected on websites, through sales or in marketing efforts.
What are the GDPR’s requirements?
The GDPR outlines steps (“data protection by design and by default”) that are considered reasonable measures to be taken when handling the subject data. Among other things, it requires an organization to provide a “right of access” to the protected data. The organization must identify the data that is being collected and explain how it will be used. The organization is also required to provide EU residents a “right to erasure/right to be forgotten,” which means an individual can request that their personal data be erased without undue delay, under specific circumstances. Under the GDPR, the loss, destruction or unauthorized use of personal data constitutes a breach, which the organization must report to the supervisory authority no later than 72 hours after becoming aware of it.
What are the penalties for violations of the GDPR?
The potential penalties for violations of the GDPR are significant and will be based upon the severity of the violation – up to $20 million, or up to four percent of the total worldwide annual turnover (sales volume net of all discounts and sales taxes) of the preceding financial year, whichever is greater. Based on recent legal precedent, violators could also face class action lawsuits arising from violations and noncompliance.
What should an organization do to comply with the GDPR?
There are a number of steps an organization should take now in order to comply with the GDPR requirements and May 2018 implementation deadline.
- Inventory data and determine whether any of the data stored is covered by the GDPR, even if it is the personal data of a single EU resident.
- Designate a Data Protection Officer. This person will serve as the point of contact regarding all GDPR matters.
- Make a plan for how the organization will handle the data to comply with the GDPR. Perform a standards-based cybersecurity risk assessment (e.g., gap analysis) and implement data security and privacy protection measures that conform with industry standards. Develop a corrective action plan based on the results of the risk assessment.
- Develop a process for responding to data erasure requests from EU residents, and know the circumstances under which they will be granted.
- Document the actions taken and progress made toward compliance.
- Review existing and form contracts that deal with the control and/or processing of EU resident data.