Many local companies need to be prepared for upcoming changes to privacy laws in the EU due to the adoption of the General Data Protection Regulation (“GDPR”). Companies that access the European markets by offering goods and services will need to be prepared to follow the GDPR on May 25, 2018. The GDPR will replace the previous 1995 data protection directive and will govern how EU citizens’ personal data must be handled. This will not only affect companies that deal directly with EU citizens; it will also impact companies that deal with companies that handle EU citizens’ personal data. This is set to be one of the biggest changes in the field of privacy regulation to date, and US companies should be prepared to implement the necessary changes.
Many experts think that this new legislation could bring on a wave of more (and stricter) privacy laws throughout the world. As such, even small local companies that process customer data of local customers may want to pay some attention to this change happening halfway around the globe.
The definition of Personal Data according to the GDPR is “any information relating to an identified or identifiable natural person.” The regulation of the collection and maintenance of Personal Data is currently covered by each EU State’s own laws. The GDPR is intended to harmonize Personal Data protection laws throughout the EU.
Lawful Basis for Processing.
According to the GDPR, Personal Data can only be processed if there is a lawful basis to do so. There are a number of lawful bases for processing data. The lawful bases include: consent from the data subject; processing that is necessary for the performance of a contract to which the data subject is a party; processing that is necessary in order to comply with a legal obligation; processing that is necessary to protect the vital interests of the data subject or another person; and others.
Controllers and Processors.
Under the GDPR, companies that deal with personal data will either be controllers or processors of personal data of individuals. A controller is an entity that collects data from EU residents. A processor is an entity that processes the data on behalf of the controller. Processing is obtaining, recording, adapting, or holding personal data.
For companies gathering data about European citizens, the days of a failure to opt out serving as consent are over. According to the GDPR, doing nothing, pre-ticked boxes, or inactivity will not serve as consent. Instead, the GDPR will require an express, informed, unambiguous statement, or a clear affirmative action, to indicate consent to allow companies to collect data. Companies will be required to have an easy way to withdraw consent.
If a company’s consent mechanism already complies with the GDPR, the company does not have to request consent again. However, if a company’s consent mechanism does not comply with the GDPR, it should promptly seek GDPR-compliant consent.
Special rules apply for obtaining consent from children.
Data Protection Officer.
Due to the foreseen complexity of complying with the GDPR, the GDPR requires companies that conduct large-scale systematic monitoring of EU residents’ data or that handle especially sensitive types of data (e.g. race, political opinions, and criminal convictions) to appoint a Data Protection Officer. This person should have expert knowledge of data protection law and practices. Surprisingly, this requirement does not provide any exemption for small companies, but it does allow outside counsel to be hired to act as the Data Protection Officer.
The responsibilities of the Data Protection Officer include informing and advising the company and its employees about the company’s obligations under the GDPR (and other applicable data protection laws); monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities; and serving as the point of contact for supervisory authorities (of EU states) and for individuals (such as employees and customers) whose data is processed.
Notification of Breach.
One of the more demanding portions of the GDPR is the notification requirement in the event of a breach. Pursuant to the GDPR, a company that discovers a breach of security that leads to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data…” must notify the supervisory authority of the EU member state in which EU citizens are affected within 72 hours of becoming aware of the breach. There are limited exceptions to this rule when the data breach is unlikely to result in a risk to people’s rights and freedoms. In some cases, notification of the breach must also be provided directly to the individuals concerned.
It will be important for each company to have a response procedure in place should a breach occur. Advance planning and employee training can help a company comply with this 72-hour rule. Failure to report a breach when notification is required could result in a fine in addition to the fine for the breach itself.
Access and Right to Erasure.
The GDPR allows individuals to request to know what information is being held about them. Except in limited circumstances, the company will be required to provide the information free of charge to the individual.
The GDPR also gives individuals the right to request (and often to have the request granted) that their information be deleted from the company’s files.
Enforcement – Fines!
Perhaps the most nerve-racking part of the GDPR is the hefty fines that may be charged against a company for non-compliance. As drafted, a violation of the GDPR can result in fines of up to four percent of global annual revenue or 20 million euros, whichever is greater, for large offenses, and ten million euros or two percent of global annual revenue for smaller offenses. Needless to say, this could be disastrous for many companies.
Companies that deal with personal data of EU residents should work to come into compliance with the GDPR prior to the enactment of the Regulation this spring.