GDPR 2018 – Will You be Ready?

By Steve Cosentino and Donna Gonzales

Companies that routinely collect or process data of European Union residents have likely spent the past couple of years preparing for May 25, 2018. On that date, enforcement of the EU’s new General Data Protection Regulation, or GDPR, takes effect. However, many companies with limited or incidental activities in the EU are scrambling to put at least some level of compliance in place. There is no explicit exception in the GDPR for processing limited amounts of data. Companies that only have a handful of EU customers, or that incidentally collect data from individuals involved in business-to-business transactions, still need to comply.

This comprehensive privacy regulation contains numerous requirements that go above and beyond typical privacy practices in the United States. Non-compliance can result in civil actions and administrative fines of up to 20 million Euro or 4% of your total worldwide annual turnover of the preceding financial year, whichever is higher.

The GDPR applies to processing of personal data of individuals residing in the European Union. Both “processing” and “personal data” are very broadly defined. “Processing” means any operation performed on personal data “whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” More significantly, “personal data” not only covers what is traditionally viewed in the U.S. as personally identifiable information or PII, but covers “any information relating to an identified or identifiable natural person.” Personal information includes location data and online identifiers, such as IP address or cookies.

GDPR’s broad scope can potentially entangle US companies operating a website that is accessible to EU residents. That could include almost any website. Article 3 of the GDPR states that the GDPR applies to a controller or processor outside of the EU where the processing activities relate to “offering of goods or services, irrespective of whether a payment of the data subject is required” and “monitoring of their behavior as far as their behavior takes place within the Union.” Fortunately, GDPR Recital 23 provides some potential relief by stating that “mere accessibility” of a website in the EU does not alone constitute intent to offer goods or services. A US-focused website, however, should be careful to avoid other indicia of intent, such as use of a language generally used in one or more Member States or mentioning customers in the EU. Stating that the website is intended for US residents only could be helpful. Use of cookies and other tracking devices, however, might subject a website to the GDPR through the behavior-monitoring prong of Article 3.

If the GDPR applies to your company, then you likely need to designate an EU representative unless the collection is incidental and doesn't include certain special categories of information. A GDPR compliance program must address a number of issues including the following:

  • In most cases, prior to processing any personal data, the individual must provide affirmative consent. If the company opts to obtain such consent through an “I accept” button, then it must have the ability to track such acceptance and document the same in the event of a civil or administrative action. Consent provides a lawful basis for processing, except in the case of special categories of personal information (e.g. race, politics, religion, sexual orientation) in which case a separate condition must be established. Lawful basis can also be established in the case of contractual necessity, compliance with legal obligations, vital interests of the data subject (such as life-or-death scenarios), the public interest, and other legitimate interests.
  • The data subject has the right to be forgotten. In this regard, the individual may request that the company delete all personal data it has in its control. Third parties to whom the company transmitted personal data must also delete such data. Companies will need to engage in data mapping and understand where personal data is collected, stored and transmitted. Vendor contracts need to address personal data deletion.
  • The data subject also has the right to receive the personal data concerning her or him from the company “in a structured, commonly used and machine-readable format.”
  • The data subject has the right to object at any time to the processing of his or her personal data in the context of direct marketing, processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority and processing for research or statistical purposes. Once the company receives such objection, the company shall no longer process that data unless it can demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject…” or the processing is for the establishment, exercise or defense of legal claims. These exceptions do not apply to direct marketing.
  • The company, at the time when personal data is collected, needs to set forth the rights above and provide other information related to the processing of such data. Such notification may take the form of a revised website privacy policy.

The GDPR also contains some overarching principles that run counter to the typical development process in the US. Those include Privacy by Design and Privacy by Default. Under the Privacy by Design principle, companies must consider privacy in the initial design phase of a development process and continue to address privacy throughout that process. Privacy by Default requires that companies apply the strictest privacy settings by default, without any manual input from the end user. Personal data must only be kept for the minimum amount of time necessary to provide the product or service. These two principles can be particularly problematic for emerging companies that realize there is immense value in the data they collect but have not yet decided how to commercialize it.

If your company does have employees in the EU, keep in mind that the GDPR imposes significant obligations on your human resources department as it relates not just to securing data, but also to developing policies for responding to requests related to personal data, preparing privacy notices, and developing a data breach notification plan for employees. Employee consent for data processing may be required in some situations, and whether an employee can freely consent is a gray area given the typical imbalance of power between an employee and employer. More importantly, if employers do not rely upon consent, they must identify accepted exceptions under the GDPR for processing data and sufficiently notify their employees of the applicable exceptions. As such, internal audits of international HR activities are critical at this time, along with updates of HR policies and notices.

For more information about the GDPR requirements for US companies, please contact David Axtell, Steve Cosentino, Donna Gonzales, Johnny Wang or the Stinson Leonard Street contact with whom you regularly work.

