As the rock band “Europe” might say: it’s the final countdown to EU’s General Data Protection Regulation (GDPR). At least that’s how I’ve been singing their song.
The GDPR is the biggest change in data privacy law in more than 20 years, and businesses around the world have been gearing up for it since it was published in May 2016, because it will have a tremendous impact on the way businesses collect, use, and share the personal data of EU residents. We’re now only about 200 days away from the GDPR being enforced on May 25, 2018, and many businesses in the US that will need to comply with it still have their work cut out for them (the GDPR is over 200 pages long!).
What is the GDPR, and why should US businesses care about it?
The GDPR is intended to provide greater protection of EU residents’ data privacy rights, and places significant restrictions (see below) on what businesses can do with EU residents’ personal data.
The GDPR applies to businesses that are processing personal data in the EU. Importantly for US businesses, it also applies to businesses that are outside the EU that are processing personal data in relation to offering goods or services to, or monitoring the behavior of, EU residents.
The terms “processing” and “personal data” are defined very broadly. “Processing” includes data collection, use, storage, sharing, deletion, etc. (basically, just about anything a business can do with data). And, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An “identifiable person” is one who can be identified, directly or indirectly, including by reference to a name, an ID number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. So, for example, an advertising business’s use of “cookies” would be considered processing personal data.
Privacy is seen as a fundamental right in the EU, and the penalties for violating the GDPR are tremendous: up to the greater of 20 million Euros or 4% of annual global revenue. Hence, the GDPR has the business world’s attention.
Key points of the GDPR
Consent: Under the GDPR, businesses will often need affirmative consent before processing an EU resident’s data. This consent must be “freely given, specific, informed and [an] unambiguous indication of the data subject’s wishes.” For example, a website check-box requesting consent must not be pre-checked; the data subject must actively tick it. For the consent to be “informed,” businesses will need to specifically and clearly explain what will be done with the collected data. In addition, data subjects must be able to withdraw their consent at any time.
Children: Processing the data of children under 16 will require the consent of a parent or legal guardian.
Lawful processing and storage limits: The processing of personal data must be limited to the stated purpose of its collection, and the data may be stored only for as long as is needed to meet that purpose.
Privacy by design: Businesses will be required to adhere to the principle of “privacy by design.” This means promoting and incorporating data privacy into every part of a business, from the very design of a product or technology, and then minimizing the data collected and the duration it is kept, as well as keeping it secure.
Access: Businesses that are data controllers (i.e., those who determine the purposes and means of data processing) must, upon request of the data subject, confirm whether they are processing his/her personal data and provide a copy of it.
Right to be forgotten: Data subjects have the right to request that their data be erased, and if the business has previously shared the data with others, it must notify the others of the erasure request.
Data Protection Officer: Businesses that process sensitive personal data on a large scale, or regularly and systematically monitor data subjects on a large scale, must appoint a Data Protection Officer (DPO). When a DPO is required, he/she: (1) is responsible for ensuring that the business’s processing complies with the GDPR; (2) must report directly to the business’s highest level of management; and (3) must be in a position to perform tasks independently.
Breach notification: Businesses must notify regulators of data breaches as soon as possible, and always within 72 hours (in the world of data breaches, 72 hours is a very short time). While the GDPR states that breaches that are unlikely to result in risks to the data subject don’t require notification, I expect this exception will rarely be applicable.
What steps should US businesses take to prepare for the GDPR’s enforcement in May of 2018?
While this article discusses some key points of the GDPR, it only represents a very small portion of the GDPR’s 200+ pages. A few initial items every business should consider include:
- Inventory your data: What data does your business collect, store, and share, how is it done, and who has access to it?
- Risk assessment: The GDPR will impact several aspects of many businesses. Assess the risks posed by your business’s data practices. This should include not only IT, but all business functions. Third-party assessments are often very beneficial.
- Review policies and procedures: Review all of your business’s policies and procedures and update them as needed for GDPR compliance.
- Documentation: Businesses subject to the GDPR may be audited for compliance, and should therefore document the steps taken to comply (including requests by data subjects and the business’s response to such requests).
It’s the final countdown. Tick-tock, tick-tock…