The European Union has enacted a new General Data Protection Regulation (GDPR) that will take effect on May 25, 2018 regarding how businesses, wherever they are located around the world, must manage the personal data of European "data subjects."
What is personal data? It is any information relating to an identified or identifiable natural person.
The GDPR applies to every situation in which any type of business (for example, online or brick-and-mortar retail stores, landlords, accountants, real estate and insurance brokers, publishers, consumer goods manufacturers, healthcare companies) collects personal data from a "data subject" - European citizens and residents as well as nationals of other countries who are within the borders of the EU when the personal data is processed. Personal data may be collected through a form in an app, via a corporate website, at the point of sale of a product, or at a conference. For instance, if a business has a contact form on its website or at the point of sale, and individuals located in the EU are not automatically excluded (i.e., if the contact form has a field for country, and persons selecting "EU" or an EU member nation are permitted to proceed to the next step and complete the form), then the business is subject to the GDPR.
If a business is in negotiations with EU data subjects, and the business is gathering personal data about individuals, then the GDPR applies. Basically, if there is any action that a business takes or may in the future take in connection with EU data subjects where personal data is gathered (such as a person's name, address or national identification number), the GDPR applies. The GDPR also applies if a business established outside the EU is processing personal data in the EU, collecting or processing personal data of EU data subjects, or has a temporary or permanent location in the EU.
Key Provisions

Upholding and enforcing the privacy rights of citizens of the European Union is the critical focus of the GDPR.
- Right to revoke prior consent: An EU data subject may revoke prior consent regarding your business's use of personal data
- Right to be forgotten: An EU data subject has the right to demand that your business delete all of the information you've collected about her
- Right to rectification: An EU data subject has the right to correct information that they previously provided
- Right to access personal data: An EU data subject may demand to know what data your business holds about him, how you use that data, and where it is stored
- Right to move personal data: An EU data subject has the right to demand that you move personal data to another provider
- Notification of data breach: The business must notify EU data subjects within 72 hours of a data breach that may affect their personal data
Key Actions

These are some of the actions that businesses are taking to comply with the GDPR:
- New GDPR Policy: businesses are posting new GDPR privacy policies on their websites and apps
- Opt-in: any form used to gain consent to collect personal data of EU data subjects must explicitly list each and every task that the person is permitting the business to do, such as emailing the EU data subject, sending marketing material, sharing personal data with others, using cookies, using personal data to retarget social media campaigns, and analytics and tracking
- Continued Consent: existing EU data subjects are being contacted and presented with the new opt-in forms and the option to entirely opt-out
- Separate Data Storage: given the rights to move personal data, revoke consent, and be forgotten, maintaining EU data subjects' personal data apart from that of citizens of other nations is a best practice. Businesses may also hold the personal data of UK citizens in another location since it's not clear whether the UK will adopt the GDPR, or a similar regulation, after Brexit. You may choose to have a sophisticated third-party vendor hold all of the personal data and be legally responsible for, and indemnify your business with respect to, GDPR compliance
- Responsible Persons: each business not located in the European Economic Area (EEA) is required to appoint (1) a representative within the EEA to be its primary point of contact with the European authorities and (2) a contact person at the business to serve as the data protection contact for EU data subjects
If your business collects personal data from European data subjects, then understanding the GDPR and implementing new protocols are critical to properly managing their personal data. Working with counsel who partners with European privacy experts is one way to navigate this new system.