On May 25, 2018, the General Data Protection Regulation will go into effect, changing the data protection requirements for any company doing business in the EU, even if it is not based or physically located in the EU. The GDPR marks a significant update to the existing EU Data Directives. The GDPR enhances the protection of subject user information, and harmonizes data protection requirements across the 28 EU member states, thus avoiding the need for a patchwork of separate national regulation across the EU. Major changes in data protection regulations under the GDPR include:
- broadening of the definition of “personal data”;
- requiring explicit consent before processing subject data;
- providing subjects users with access to his or her personal data;
- new subject rights, “the right to be forgotten” and the right of “data portability”;
- mandatory breach notification within 72 hours of first becoming aware of the breach if the data breach is likely to “result in a risk for the rights and freedoms of individuals”;
- “Privacy by Design” requirements to design in data protection in the technical and organizational structure, and “data minimization” requirements to keep and use only the data absolutely necessary for the consented function, in addition to restrictions on disclosure and limitations on access; and
- reduced requirements for appointment of a Data Processing Officer (“DPO”), but new internal record keeping requirements.
Failure to comply with the GDPR can result in the levying of fines of up to 4% of the offender's annual global revenue or €20 Million, whichever is greater. How fines will be assessed against companies not present in the EU remains uncertain at this time.
As intensive as the data protection requirements may appear, GDPR impacts are not limited to IT and data management. Organizations should expect that GDPR requirements will also affect sales, marketing, and many operational processes for companies. But take heart -- while compliance with GDPR may be time-consuming and could be costly, the enhanced security processes and internal transparency of company data may, ultimately, prove beneficial to many operations, result in improved user relationships, reduce data and privacy breach risks, and increase overall company value.
Who is subject to the GDPR?
The GDPR is not limited to companies based or located in the EU, or to data processing or storage that occurs within the EU. The GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of location of the company or processing activities, if related to the offering of goods and services to EU citizens (irrespective of payment) or the monitoring of behavior that takes place in the EU.
Personal Data subject to the GDPR is extremely broad in scope, including “any information related to an identified or identifiable, natural person” – a much broader scope than Personally Identifiable Information (“PII”) under most U.S. laws. Personal Data can arrive from a variety of sources besides the typical client, customer, and other direct external sources, and may be received from employees, contractors, distributors, vendors, and other internal or indirect sources as well. Personal Data may also arrive through unanticipated channels, such as via responses to questionnaires, email, and marketing data.
What next steps should I take now?
As with most new laws or regulations, much remains to be clarified, and interpretation of the GDPR requirements will continue as implementation and application of the GDPR takes place. But don’t wait to prepare – the clock is ticking!
There are many resources available online to consult for information and advice on how to prepare for GDPR. Data management software designed for GDPR is available, and may be useful in some cases. Organizations operating in the EU or with extensive Personal Data exposure may wish to engage data specialists or consultants with GDPR expertise to assist with compliance.
The Office of the European Union Data Protection Commissioner (DPC) has compiled a step-by-step guide, “The GDPR and You”, to explain the requirements of the GDPR and to prepare for it to take effect on May 25, 2018.
The ICO (Information Commissioner’s Office) in the United Kingdom also has outlined a Checklist of 12 Steps to Take Now to prepare for the GDPR. These steps are summarized as follows:
ICO - 12 Steps to Take Now to Prepare for GDPR
|
1 |
Awareness |
Inform decision makers and key people in your organization about the changing law under the GDPR. They need to appreciate the impact this is likely to have. |
|
2 |
Information You Hold |
Document what personal data you hold, where it came from, and who you share it with. You may need to organize an information audit. |
|
3 |
Communicating Privacy Information |
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. |
|
4 |
Individuals’ Rights |
Check your procedures to ensure they cover all the rights individuals have under the GDPR, including how you would delete personal data or provide data electronically and in a commonly used format. |
|
5 |
Subject Access Requests (SAR) |
Update your procedures and plan how you will handle requests within the new timescales and provide any additional information. |
|
6 |
Lawful Basis for Processing Personal Data |
Identify the lawful basis for your processing activity in the GDPR; document it; and update your privacy notice to explain it. |
|
7 |
Consent |
The GDPR requires that individuals opt-in to data processing and storage. Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. |
|
8 |
Children |
Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. |
|
9 |
Data Breaches |
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. |
|
10 |
Data Protection by Design |
Familiarize yourself now with the ICO’s code of practice on Privacy Impact, and work out how and when to implement them in your organization. |
|
11 |
Data Protection Officers |
Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. Consider whether you are required to formally designate a Data Protection Officer. |
|
12 |
International – EU Cross-Border Processing |
If your organization operates in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead data protection supervisory authority. |
The GDPR is a major regulatory update that should not be ignored if any Personal Data of EU citizens is stored or processed in connection with the promotion of goods or services in the EU, or the monitoring of behavior in the EU.
The GDPR is an additional body of regulations protecting EU citizen’s data rights, and is separate from and in addition to other data protection laws and regulations in the United States, such as those addressing health information, financial information, data breach response, and the privacy and data protection laws in other countries, such as the China Cybersecurity Law.