The EU’s General Data Protection Regulation (GDPR)
The clock is ticking down and the 25 May 2018 deadline to demonstrate compliance with the EU’s General Data Protection Regulation (“GDPR”) is quickly approaching. There are a number of issues that companies should be considering and discussing with their partners. The following summarizes some of the GDPR’s requirements. This is not intended to be a complete list of all of the requirements of the GDPR but addresses some of the high points.
- Who must comply with GDPR?
The GDPR applies to a broad range of businesses. Any entity that has a presence in the EU must comply with the GDPR, as must any entity that collects, processes or stores personal data of individuals in the EU in connection with offering goods or services within the EU. Given that many U.S. companies without a physical presence in the EU offer goods or services to EU residents, the GDPR is likely to affect many U.S. companies.
- Definition of Personal Data
The GDPR broadly defines “personal data” to include any information relating to a natural person that can be used to directly or indirectly identify that person. This includes many typical categories of personal data (e.g., name, address, photo, email address) but also includes location, IP address and cookie data that can be combined with other information to identify a person.
- Know Your Role and How You Use Data
It is important for companies to understand their role in the collection and processing of personal data of EU data subjects. The GDPR applies to both “data controllers” and “data processors.” A data controller is the entity that determines the purposes and means of the processing of personal data. A data processor is the entity that processes personal data on behalf of the controller. Although the GDPR creates potential liability for both data processors and data controllers, the obligations of each party are related but somewhat different. As the GDPR comes into effect, businesses will need to revisit their relationships with any third parties they work with to send, receive, process or store the data of EU data subjects, to ensure that the agreements in place with these parties comply with the requirements of the GDPR. As part of this process, companies should work to identify the different data flows into and out of the company and understand, at each step, who has access to the data, how it is stored, how long it is stored, what security measures are in place, why it was collected and what processes are performed on the data. This type of information will be essential for properly structuring agreements with third parties and for demonstrating compliance with the requirements of the GDPR.
- Consent or Other Basis
Companies can still utilize personal data collected or received from individuals in the EU on the basis of consent, but the GDPR has strengthened the requirements for securing the necessary consent. A request for consent must be given in a clearly understandable and easily accessible form which identifies what information is being collected and how it will be used. The user’s consent must be affirmatively and freely given. The consent to data collection must be distinguishable from other matters. For instance, consent to general terms of service may not be sufficient to qualify as consent to data collection. The GDPR also requires that individuals be able to easily withdraw their consent to the collection or use of their personal data.
If a company has not secured the consent of an individual to the collection of personal data, there may still be another lawful basis for collecting the data (e.g., performance of a contract or a legitimate interest). Companies need to carefully consider the basis on which they are relying to collect the data and ensure that the use of the data does not exceed the scope for which it was originally collected. The stated purpose of the GDPR is to increase transparency and to implement the concepts of data protection by design and data protection by default, so the collection of data about EU data subjects may be closely scrutinized to ensure it is consistent with an allowed basis.
- Data Access, Portability and Erasure
The GDPR requires data controllers to provide data subjects with information about, and access to, the data that has been collected from them. This includes confirming that data concerning the individual has been collected and is being processed, where the data is being stored and for what purpose the data is being used. The GDPR also requires that the individual be provided a copy of the personal data (generally free of charge) in an electronic format upon request. Further, the personal data is considered portable, and the data subject can transfer his or her data to another entity or organization.
The GDPR also provides data subjects with broad rights to require that their personal data be erased and that further use or dissemination of the data cease. Even absent such a request, the GDPR restricts the length of time that a data controller or data processor can retain personal data and requires that the data be deleted when it is no longer necessary for the purposes for which it was collected.
- Data Security and Breach Notification
The GDPR requires that companies implement appropriate technical and organizational measures to ensure a level of security appropriate to the types of data collected and the risk of exposure. The required level of security will depend on the sensitivity of the information being processed, the levels of data security provided by others in the same industry and the level of technology currently available.
In the event of a breach, the GDPR provides condensed timeframes (e.g., for controllers, 72 hours from first awareness) within which notice must be provided to the applicable regulatory authority. Complying with this timeline requires advance planning and the ability to quickly assess a potential breach and act to provide notice.
The GDPR includes the potential for significant fines for non-compliance. The fines may include up to 4% of annual global turnover or €20 Million, whichever is higher. Whether a fine will be imposed and the size of the potential fine depend on several factors, including the efforts a company makes to comply with the requirements of GDPR and the nature and scope of the use of personal data.
Although there is still some time before the 25 May 2018 deadline to demonstrate compliance with the requirements of the GDPR, companies need to address these issues with all of the appropriate stakeholders immediately to avoid any potential compliance issues.