On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?
Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.
If you collect personal data or behavioral information from someone in the EU (also referred to as a “data subject” in the GDPR), your company will be subject to the requirements of GDPR. The extended scope of GDPR will apply to your company even if:
- the processing of personal data takes place outside of the EU;
- no financial transaction takes place; or
- your company has no physical operations or employees in the EU.
The definition of “personal data” is broader than the definition of “personally identifiable information”, commonly used in U.S. information security and privacy laws.
Why should you care?
Failing to comply with GDPR may result in a maximum fine of €20,000,000 or 4% of global turnover, whichever is higher.
There are questions over how EU regulators will enforce these fines on companies outside of the EU. However, it would be ill-advised to underestimate the EU’s desire to create uniform data privacy laws for its market and the lengths to which regulators may go to accomplish this goal. Extraterritorial enforcement of GDPR through cooperation with authorities in non-EU countries is very possible.
The potential reputational damage that may result from noncompliance is also something organizations should consider. Non-EU companies, especially those with a strong online presence, should consider whether action is required now to avoid the possibility of unfavorable headlines down the line.
How to mitigate risk?
- Conduct a Data Privacy Audit (DPA). A DPA should show you where data is located in your company and map the flows of this data. A DPA should also map your current data processing activities against the rights of data subjects mandated by GDPR, for example the right of data subjects to access their personal data and the right to be forgotten. The UK Information Commissioner’s Office has published helpful guidance on DPAs.
- Put in place processes for deleting data. One of the 7 principles of GDPR is data minimization. Organizations must not keep data for longer than necessary and data subjects have the right to request the deletion of the personal data that you hold about them (known as the “right to be forgotten”). If not already in place, you should establish processes for deleting personal data: (i) on request; and (ii) if its retention is no longer necessary.
- Re-examine consent mechanisms. Consent of the relevant data subject is the basis upon which many organizations comply with the requirements of existing EU data protection laws relating to the processing and storing of that data subject’s personal data. If this is true of your organization, you should note that the requirements under GDPR for obtaining consent are more stringent. For example, if you use pre-checked opt-in boxes to gain consent, GDPR clarifies that this is not an indication of valid consent. If your current mechanisms for obtaining consent, or the consents that you already hold, do not meet the standards set by GDPR, you should consider updating those mechanisms and seeking new consents that satisfy the requirements of GDPR.
- Appoint a data processing officer (DPO). If your core activities call for either: (i) regular and systematic monitoring of data subjects on a large scale, or (ii) processing on a large scale of certain categories of data, you may be required to appoint a DPO.