GDPR 2018 – Will You be Ready?
Companies that routinely collect or process data of European Union residents have likely spent the past couple of years preparing for May 25, 2018. On that date, enforcement of the EU’s new General Data Protection Regulation or GDPR takes effect. However, many companies with limited or incidental activities in the EU are scrambling to put at least some level of compliance in place. There is no explicit exception in the GDPR for processing limited amounts of data. Companies that only have a handful of EU customers or incidentally collect data from individuals involved in business to business transactions still need to comply.
This comprehensive privacy regulation contains numerous requirements that go above and beyond typical privacy practices in the United States. Non-compliance can result in civil actions and administrative fines of up to 20 million Euro or 4% of your total worldwide annual turnover of the preceding financial year, whichever is higher.
The GDPR applies to processing of personal data of individuals residing in the European Union. Both “processing” and “personal data” are very broadly defined. “Processing” means any operation performed on personal data “whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” More significantly, “personal data” not only covers what is traditionally viewed in the U.S. as personally identifiable information or PII, but covers “any information relating to an identified or identifiable natural person.” Personal information includes location data and online identifiers, such as IP address or cookies.
If the GDPR applies to your company, then you likely need to designate an EU representative unless the collection is incidental and doesn't include certain special categories of information. A GDPR compliance program must address a number of issues including the following:
- In most cases, prior to processing any personal data, the individual must provide affirmative consent. If the company opts to obtain such consent through an “I accept” button, then it must have the ability to track such acceptance and document the same in the event of a civil or administrative action. Consent provides a lawful basis for processing, except in the case of special categories of personal information (e.g. race, politics, religion, sexual orientation) in which case a separate condition must be established. Lawful basis can also be established in the case of contractual necessity, compliance with legal obligations, vital interests of the data subject (such as life-or-death scenarios), the public interest, and other legitimate interests.
- The data subject has the right to be forgotten. In this regard, the individual may request that the company delete all personal data it has in its control. Third parties to whom the company transmitted personal data must also delete such data. Companies will need to engage in data mapping and understand where personal data is collected, stored and transmitted. Vendor contracts need to address personal data deletion.
- The data subject also has the right to receive the personal data concerning her or him from the company “in a structured, commonly used and machine-readable format.”
- The data subject has the right to object at any time to the processing of his or her personal data in the context of direct marketing, processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority and processing for research or statistical purposes. Once the company receives such objection, the company shall no longer process that data unless it can demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject…” or the processing is for the establishment, exercise or defense of legal claims. These exceptions do not apply to direct marketing.
The GDPR also contains some overarching principles that run counter to the typical development process in the US. Those include Privacy by Design and Privacy by Default. Under the Privacy by Design principle, companies must consider privacy in the initial design phase of a development process and continue to address privacy throughout that process. Privacy by Default requires that companies apply the strictest privacy settings by default without any manual input from the end user. Personal data must only be kept for the minimum amount of time necessary to provide the product or service. These two principles can be particularly problematic for emerging companies that realize there is immense value in the data they collect but have not yet decided how to commercialize it.
If your company does have employees in the EU, keep in mind that the GDPR imposes significant obligations on your human resources department as it relates not just to securing data, but also to developing policies for responding to requests related to personal data, privacy notices, and developing a data breach notification plan for employees. Employee consent for data processing may be required in some situations, and whether an employee can freely consent is a gray area given the typical imbalance of power between an employee and employer. More importantly, if employers do not rely upon consent, they must identify accepted exceptions under the GDPR for processing data and sufficiently notify their employees of the applicable exceptions. As such, internal audits of international HR activities are critical at this time, along with updates of HR policies and notices.
For more information about the GDPR requirements for US companies, please contact David Axtell, Steve Cosentino, Donna Gonzales, Johnny Wang or the Stinson Leonard Street contact with whom you regularly work.