Earlier this year, we provided an update regarding the European Commission's plans to unify, streamline and strengthen data protection law in the European Union (EU) with a single General Data Protection Regulation (GDPR). You can read our earlier post here. The GDPR is now in force. Because of the magnitude of the changes it imposes on data protection law in the region, there is a two year implementation period, and the GDPR will apply from May 25, 2018. You can view the official text of the GDPR here.
Why does it matter outside the EU?
A key component of the GDPR is its expanded territorial reach. An organization based outside of the EU is required to comply with the GDPR if it processes personal information of individuals who are in the EU and that processing relates to: (a) offering goods or services to those individuals (whether or not payment is required); or (b) monitoring their behaviour within the EU. As such, all organizations, wherever they are based, are encouraged to consider whether they are required to comply with the GDPR.
What if an organization is required to, but does not, comply with the GDPR?
The GDPR contains significant fines for non-compliance – up to €20 million or 4% of annual worldwide turnover, whichever is higher. In addition, the GDPR gives individuals who have suffered damage a statutory right to seek compensation from organizations, and allows certain not-for-profit bodies to bring representative actions on behalf of such individuals. As such, organizations are encouraged to carefully review their privacy and data protection programs for compliance with the GDPR and to consider whether they have adequate insurance in place.
What can organizations do in preparation?
Although the GDPR will not apply until May 25, 2018, organizations are encouraged to use the transition period to determine how the GDPR will impact them and to update their privacy and data protection programs to satisfy its requirements. Organizations are also encouraged to obtain executive buy-in so that appropriate resources are available to do so.
The following are some key changes and steps that organizations can take to address them:
- Uniform Rules. The GDPR creates an extensive set of uniform rules for all 28 EU Member States. However, Member States may also implement additional rules in certain areas. To prepare, organizations are encouraged to get a clear understanding of the requirements of the GDPR and of any additional rules adopted by the Member States in which the organization operates.
- Mandatory Breach Reporting. The GDPR requires organizations to report personal data breaches to the regulator within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the GDPR also requires organizations to inform the affected individuals. To prepare, organizations are encouraged to have appropriate breach detection, escalation and notification procedures in place, and contractual obligations on service providers that require prompt notification to the organization so that it can meet these deadlines.
- Consent. The GDPR outlines more rigorous requirements for consent. Some key changes are that consent must be given through a "clear affirmative action" (pre-ticked boxes, silence or other opt-out mechanisms are not accepted) and that explicit consent is required for sensitive data such as health data. To prepare, organizations are encouraged to determine when and how they will need to obtain consent, and to implement appropriate practices to obtain, record and evidence such consent.
- Rights for Individuals. The GDPR introduces new rights and expands on other rights for individuals. These rights include: (a) a right to be forgotten (a requirement for organizations to erase an individual's information in certain circumstances); (b) a right of portability (a requirement for organizations to provide an individual's information in a commonly used, machine-readable format and, where feasible, to transfer it to another organization); (c) rights relating to profiling (a right to object to profiling, including for direct marketing purposes, and restrictions on decisions based solely on automated processing); and (d) a subject access right (a requirement for organizations to provide individuals with the information held about them, generally at no charge and within one month). To prepare, organizations are encouraged to have in place policies and procedures which address such rights.
- Privacy by Design. The GDPR requires organizations to embed privacy considerations in the design phase of processing activities (known as "privacy by design" and "privacy by default"), and to carry out data protection impact assessments where new or changed programs or projects are likely to result in a high risk to individuals. To prepare, organizations are encouraged to have in place policies and procedures that incorporate these requirements into existing project and change-management practices.
- Accountability. The GDPR enhances accountability principles for organizations. Some of the key requirements for organizations are:
  - Increased Obligations. To have policies and procedures which ensure that the requirements of the GDPR are met, to keep more detailed records of processing activities, to implement security measures appropriate to the risk, and to be able to demonstrate compliance with the GDPR.
  - Data Protection Officers and Representatives in the EU. To appoint data protection officers who meet certain requirements and satisfy specific duties (where required), and, for organizations outside the EU that are subject to the GDPR, to designate a representative within the applicable Member State(s) in some cases.
  - Mandatory Audits. To submit to audits and investigations, including the right for regulators to access an organization's premises and data processing equipment and means.
  - One Stop Shop. To cooperate with regulators (a "lead" regulator will coordinate with other regulators for issues that affect several Member States, or a Member State's regulator will take the lead role in issues substantially affecting only that Member State).

  To prepare, organizations are encouraged to review the requirements, have in place policies and procedures to implement them, implement appropriate training, and appoint and/or designate data protection officers or representatives (where required).
The GDPR contains a number of new requirements for organizations, and the above outlines only some of the key changes. Organizations are encouraged to review their privacy and data protection programs with legal counsel in order to ensure compliance with the GDPR before May 25, 2018.