All You Need to Know About the General Data Protection Regulation.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It replaced the 1995 EU Data Protection Directive. The principal aim of the GDPR is to give consumers (EU Citizens) greater control over their data. The biggest change in law is the scope of the territory covered by the regulation.
US companies are also affected by the GDPR, as are those from other countries across the world.
The GDPR applies to all companies processing the personal data of subjects in the EU, regardless of the company’s location (and apparently regardless of the consumer’s location – citizenship is the key).
BUT: Those data subjects must be targeted.
The GDPR does not kick in where an EU resident merely happens upon your site via Google search.
Some evidence of targeting of EU consumers could include accepting the currency of an EU nation, providing marketing content in an EU nation’s language, or having a domain suffix that corresponds with an EU nation.
The kind of information that falls within GDPR is “personal data” – any information that can be used to identify a natural person. Examples include: name, identification number, address or location data, religion, ethnicity, marital status, IP addresses, cookie strings, social media posts, online contacts, and mobile device IDs.
The GDPR applies to “processors” and “controllers” of personal data. “Processing” personal data means collecting, recording, gathering, organizing, storing, using, disclosing, or otherwise making it available by electronic means. The “Controller” determines what to do with the personal data.
Under the GDPR, Controllers must: review data processing activities and conduct an Impact Assessment; identify their data processing activities and ensure they understand their responsibilities; implement appropriate measures to ensure compliance with the GDPR, including processes for identifying, reviewing and promptly reporting data breaches.
Under the GDPR, Processors must: review data processing activities; ensure that there is a lawful basis (or consent or an exemption) for each processing activity; review and update mechanisms for obtaining consent to ensure they comply with GDPR.
Here are the salient points you should note:
- Consents must be clear and distinguishable from other matters. They cannot simply be hidden in Terms of Service. It must be as easy to withdraw consent as it is to give consent.
- Train employees who process personal data to recognize and respond to requests from individuals exercising their rights.
- Controllers and Processors may be required to appoint a Data Protection Officer to monitor compliance with GDPR.
- If a US company sells or markets products via the internet specifically targeted to EU residents, the GDPR applies even if no financial transaction occurs.
- Just having a web presence that could reach the EU is not enough to trigger GDPR itself.
- US-based companies with a strong internet presence should consider being GDPR compliant.
- Companies required to be GDPR compliant may also have to take certain steps with their vendors. Some liability under GDPR can be transferred by contract.
- As between Controllers and Processors, contracts should: address the subject matter and duration of the processing, and the nature and purpose of the processing; set out the obligations and rights of the parties; ensure that the data being processed is subject to a confidentiality agreement; and set forth breach notification requirements.
- Under the GDPR, EU subjects have a number of rights with respect to their data. They must be informed about: data breaches within 72 hours of any occurrence; and whether or not their personal data is being processed, where, and for what purpose. They also have a “right to be forgotten” – in other words, data erasure, including halting third-party processing of their personal data.
- Only data which is absolutely necessary for completion of a duty (such as an order) may be held or processed, and access to the data must be limited to those carrying out the processing.
- Records of processing activities must be maintained, and personal data must be deleted once no longer needed.
- An organization found to be in breach of GDPR could be fined up to 4% of their annual global turnover.
- The fine for failure to report a breach within 72 hours is up to 2% of annual global turnover.
- Requirements of the GDPR will vary based on a company’s particular operations.
Here’s what you can do:
- For companies with a presence in the EU, compliance is required but it is not something to be scared about. We are pragmatically and methodically working with companies to address this new paradigm.
- You could have a customer who has lived in New Jersey for 25 years who happens to be an EU citizen — technically a GDPR issue, but practically that person is just another customer to be coddled and respected.
- Buyer beware! There are new services and products and software tools being sold to help with, solve and remediate GDPR issues. Mostly nonsense!
- Be sure to seek appropriate advice from experienced advisors. Do your homework and do the right thing.
Thanks to Rachel Leeds Edelman for her research, writing and analysis of the GDPR source material.