Have you thought about whether your business can, or must, comply with the GDPR? The European Union’s (EU) GDPR (General Data Protection Regulation) becomes enforceable on May 25, 2018. The GDPR covers any entity that collects or processes the personal data of individuals in EU countries (including the UK), no matter where the entity is located or where the processing takes place, in connection with offering goods or services to individuals in the EU or as a result of monitoring individuals in the EU. Only a short window remains to assess whether your business must comply and, if so, to put the requisite compliance programs in place.
Entities of all sizes that engage in such activities are covered. Ulmer has assisted not just multinational corporations, but even small local businesses that might have to comply with the new regulation. For instance, an Ohio home-based mail order company that collects customer names and credit card information of EU residents to take orders through its website, or a regional data processing company with only ten employees that analyzes European customer data for other manufacturing companies for marketing purposes, may be covered entities under the GDPR.
The GDPR is a regulation designed to allow covered Data Collectors and Data Processors to look to “standardized clear rules” throughout the EU, instead of having to comply with different sets of procedures in each EU member country. Failure to comply will result in significant fines, up to the greater of 4% of an enterprise’s worldwide income or 20 million euros per infringement. The GDPR requires enhanced cybersecurity measures and recordkeeping, and notification to the appropriate EU Data Privacy Agent (DPA) of a breach “without undue delay,” and where feasible within 72 hours. A covered entity may also need to modify existing privacy notices and third-party supply chain or vendor contracts to ensure that they are compliant.
Where the “core activities” of the entity involve regular and systematic monitoring of individuals (called “data subjects”) on a “large scale,” or such core activities involve processing sensitive personal data on a large scale, the entity will also need to appoint a Data Protection Officer (DPO) to monitor compliance.
The basic steps necessary to ensure GDPR compliance include:
- Audit and map the types of sensitive personal information the entity collects or processes, the uses made of that information, and the risks associated with such collection or processing, through a data protection impact assessment (DPIA)
- Determine whether it is necessary to appoint a DPO
- Determine whether changes need to be made in what data the entity collects, how long the entity maintains the data, and what uses the entity makes of the data or how it processes data
- Determine whether new or additional consents are required from data subjects to continue collecting and/or processing their data
- Review, and confirm that the entity has, processes that allow data subjects to exercise their rights under the GDPR, including the “right to be forgotten,” the “right to data portability,” and the right not to be subjected to automated data profiling
- Review record-keeping processes to be sure that, if an incident occurs, the entity can easily provide the necessary historical information to the appropriate European data protection agency (DPA)
- Update your security incident response plan and procedures
- Train employees on GDPR compliance
- Provide a mechanism to ensure “Privacy by Design” for any new entity products or systems
Delay is not an option! The GDPR can be enforced by the EU member states’ DPAs, but data subjects and third-party non-profit groups acting on behalf of groups of similarly situated data subjects are also empowered to file suit over a violation, even absent material financial damages. Although it is difficult to predict how and where the GDPR will initially be enforced, it is critical that every potentially covered entity assess whether it must comply and, if necessary, come into compliance, before the deadline.