In a little more than six weeks, the most comprehensive revision of EU privacy rules in the past 20 years goes into effect, and the rules have broad implications for U.S.-based companies.
On May 25, 2018, the European Union General Data Protection Regulation, or GDPR, goes into effect. The following is an explanation of what businesses should be doing now to prepare.
Which American entities may be affected?
Although the GDPR’s purpose was to protect the personal data of EU residents, it is intended to have expansive application beyond the territorial limits of the EU. It will regulate entities outside the EU that have EU subsidiaries, provide goods and services to EU residents, or collect or process data concerning any EU resident.
It is difficult to know how robustly the GDPR will be enforced around the globe. Reasonably, we can predict that the Supervisory Authorities (SAs) will focus, at least initially, on larger entities with a substantial presence in the EU or that target EU citizens. Conversely, a US entity that possesses only limited personal data on one or two EU citizens as an artifact of its provision of services or goods in the US is less likely to be aggressively scrutinized by an SA in the absence of a damaging cyber event.
Between these two extremes are a range of variables that require US companies to candidly assess their business practices, including their online presence and the extent to which they are presently in possession of EU personal data. If the company’s connection to EU residents is more than just random or sporadic, we advise undertaking steps to comply with the GDPR or document the analysis that led the company to conclude that it was not required to do so.
GDPR’s privacy principles
The GDPR’s goal is to shift control over data collection practices from entities that collect or use personal data (Data Controller or Data Processor) to the individual whose personal data is being collected and used (Data Subject).
The principles to achieve this goal are set forth in GDPR Article 5(1)(a) – (f). First, personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” In other words, a legally permissible reason for the data’s collection and use must exist and, except where collection is legally required, the Data Subject’s express consent must be obtained on an opt-in basis, using clear language, explaining exactly what data is to be collected and its specific proposed use.
Once collected, the personal data may only be used for “specified, explicit and legitimate purposes” and may not be further “processed” in a manner that is incompatible with those purposes. Accordingly, a company may no longer routinely collect personal data in hopes that it may be helpful to its marketing practices in the future. Data collection is restricted to what is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The personal data must be accurate and up to date, and “reasonable steps” must be taken to erase or rectify inaccurate personal data “without delay.” Similarly, personal data must be handled in a manner intended to protect its “integrity and confidentiality,” including through “appropriate technical or organizational measures.” Finally, non-anonymized personal data may be kept only for so long as it is needed for the purposes to which the Data Subject consented.
The GDPR provides that the Data Controller “shall be responsible for and be able to demonstrate compliance with the GDPR collection principles.” The Data Controller needs to view GDPR’s specific requirements in light of the entity’s business practices and data needs. To do so, the Data Controller will need to document what personal data is held by the company, who has access to it and with whom it is shared. Data Controllers will need to update their privacy notices in order to provide full and clear disclosure to Data Subjects, and to provide clear opt-in provisions and mechanisms by which the Data Subject may change his/her consent or assess the accuracy of the data over time. Data Controllers are also required to assess the security of the personal data they hold, including how it is collected, stored and accessed, and make necessary adjustments to address existing and emerging cyber security threats.
Of course, part of the purpose of enacting the GDPR was to respond to the crisis of cyber breach events and provide a uniform approach if a data breach occurs. The GDPR requires that Data Controllers have adequate procedures in place to detect, report and investigate a data breach. Rapid-response plans, including notification of a data breach within 72 hours of the event, are needed. These pre-breach efforts must be memorialized and available for examination as part of GDPR compliance.
One aspect of the GDPR that has achieved notoriety is the role of a Data Protection Officer, or DPO. The GDPR mandates appointment of a DPO by Data Controllers or Processors when the entity is a public authority, or where the entity’s “core activities” consist of “large scale” processing of either “special categories of personal data” (as defined in the GDPR) or criminal convictions and offenses. Notably, employee, customer and third-party personal data are all considered when assessing whether large scale processing occurs. Should an entity determine that it need not appoint a DPO, that analytical process must be memorialized and be available to the regulators. Even where a DPO may not be required, appointment of a DPO may prove helpful.
The DPO may be an individual within the company or an outside employee who is retained to provide the service. Regardless, it is key that the DPO be free from interference and conflicts of interest, and cannot be subject to retaliation if the DPO concludes that the entity must act to comply with GDPR or respond to a breach.
Data Controllers and Processors bear the burden of establishing GDPR compliance. In many cases, they are required to maintain documentation to demonstrate their compliance such as in connection with their data protection impact assessments, implementation of “data protection by design and by default” plans and enactment of binding corporate rules that govern the intracompany transfer of data.
The SAs are endowed with a number of powers to enforce GDPR compliance, which include the right to demand the documentation be provided to them as part of an SA investigation or audit. SAs may also issue warnings, orders of remediation or direct erasure of data. They may also suspend transfer of data to non-EU countries.
The GDPR permits SAs to impose significant fines and penalties in the event of noncompliance with GDPR. The goal is that the fine be “effective, proportionate and dissuasive.” The SAs will consider the nature of the infringement, the number of subjects involved, whether the infringement resulted from deliberate or negligent conduct, the damage caused by the infringement, prior infringement incidences and other factors.
The GDPR defines the maximum fines for violation in two distinct tiers. The lower tier generally applies to failures by a Data Controller or Processor to comply with its obligations under GDPR. In such case, a fine of up to the greater of 2% of annual global turnover in the previous year or 10 million euros may be assessed. However, when the Data Subjects’ rights are violated, the maximum fine can be the greater of 4% of annual global turnover or 20 million euros.
What to do now?
With GDPR only six weeks away, compliance is daunting. Nevertheless, there are steps every company can and should take to reduce its risks after May 25, 2018. First, every company should undertake a frank and full assessment of its present data practices, including its policies for collection, storage, security and disposal, and whether the company is likely to come within the purview of GDPR. Next, the company should prioritize the steps that are most critically needed and feasibly achievable.
High on the list of short-term goals should be revision of a company’s externally facing privacy statements and practices, such as customer notices and the collection practices that a company engages in through its websites, apps and other digital media.
It is also important that a company address its privacy framework, including who is in charge of privacy for the company, identification of the practices of the companies and vendors that hold or process personal data, and data mapping. Work should be undertaken to create a proactive plan to improve those data practices on a going-forward basis to achieve GDPR compliance in the future. Finally, the company should promptly update (or create) a rapid-response plan that will comply with GDPR requirements as well as with any applicable federal or state regulations to which the company may be bound. In every case, documentation should be maintained regarding the company’s efforts.
The reality is that many, if not most, US companies will not be in full compliance with GDPR by the May 25 deadline. However, company efforts, if undertaken in good faith, may mitigate the risk of GDPR fines or suspension of data transfer.
Equally important, creation of a long-term, proactive data strategy makes good business sense to address the potentially catastrophic impact of a cyber security event regardless of what law is applied.