U.S. Companies and the GDPR
The European Union (EU)'s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The purpose of the GDPR is to ensure that data subjects have greater control over their personal information, including the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to have their data be portable, and the right to seek damages should they suffer from misuse or breach of their data.
The GDPR applies to all businesses that collect and use personal information of anyone in the EU, including not just residents, but visitors and immigrants, as well. U.S. companies, regardless of whether they have a presence in EU countries, may be subject to the GDPR if they offer products or services or monitor information on these data subjects.
The GDPR replaces the EU’s 1995 Data Privacy Directive (the Directive), which addressed the protection and rights of the individual to control how his/her personal data is collected and used. The Directive was not binding on Member States, although each was required to enact its own national data privacy law. This resulted in inconsistent implementation and application of the Directive. Because the data security landscape is vastly different today than in 1995, the GDPR was developed to provide the following benefits:
* The GDPR is a regulation, as opposed to a directive, and is therefore automatically applicable as internal law in all Member States. Accordingly, there is no requirement that Member States enact their own national data privacy law incorporating the GDPR. Member States will need to revise their current privacy laws to supplement the GDPR in areas that are not finally settled by the GDPR, hence the importance of monitoring legal developments at both the EU and national level in the months leading up to the effective date of the GDPR this May.
* The intent of the GDPR is to establish a single set of privacy rules across the EU, making compliance easier, although enforcement remains in the hands of the Member States.
* The GDPR requires each Member State to establish an independent Supervisory Authority (SA) to investigate complaints and conduct other enforcement actions.
* For businesses that have multiple locations in the EU, the SA in the Member State where the entity has its “main establishment” will be the lead enforcement authority for that entity’s data processing activities throughout the EU.
* Member States retain primary jurisdiction over certain privacy issues that are not addressed by the GDPR. That requires entities operating in the EU to take steps to not only comply with the GDPR, but to also observe Member State laws or regulations that operate in conjunction with or as a supplement to the GDPR.
The GDPR seeks to strengthen the ability of EU residents (Data Subjects) to be informed about and control what data is collected about them and how it is used.
GDPR Glossary of Terms and Definitions
Here are some definitions under the GDPR:
* Binding Corporate Rules (BCRs) - a set of binding rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organization)
* Biometric Data - any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification
* Consent - freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
* Data Concerning Health - any personal data related to the physical or mental health of an individual or the provision of health services to them
* Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data
* Data Erasure - also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
* Data Portability - the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller
* Data Processor - the entity that processes data on behalf of the Data Controller
* Data Protection Authority - national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union
* Data Protection Officer - an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
* Data Subject - a natural person whose personal data is processed by a controller or processor
* Delegated Acts - non-legislative acts enacted in order to supplement existing legislation and provide criteria or clarity
* Derogation - an exemption from a law
* Directive - a legislative act that sets out a goal that all EU countries must achieve through their own national laws
* Encrypted Data - personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
* Enterprise - any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.
* Filing System - any specific set of personal data that is accessible according to specific criteria, or able to be queried
* Genetic Data - data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual
* Group of Undertakings - a controlling undertaking and its controlled undertakings
* Main Establishment - the place within the Union where the main decisions surrounding data processing are made (with regard to the processor)
* Personal Data - any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
* Personal Data Breach - a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data
* Privacy by Design - a principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition
* Privacy Impact Assessment - a tool used to identify and reduce the privacy risks of entities by analyzing the personal data that are processed and the policies in place to protect the data
* Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
* Profiling - any automated processing of personal data intended to evaluate, analyze, or predict data subject behavior
* Pseudonymisation - the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution
* Recipient - entity to which the personal data are disclosed
* Regulation - a binding legislative act that must be applied in its entirety across the Union
* Representative - any person in the Union explicitly designated by the controller to be addressed by the supervisory authorities
* Right to be Forgotten - also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
* Right to Access - also known as Subject Access Right, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
* Subject Access Right - also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
* Supervisory Authority - a public authority which is established by a member state in accordance with article 46
Key changes and requirements in the GDPR
Below is a summary of key changes from the 1995 Directive and new requirements under GDPR:
* Extended Jurisdiction – The GDPR applies to the processing of personal data of EU data subjects in the EU regardless of where in the world the controller or processor is located or where the processing is performed, if the activities relate to:
o Offering goods or services to EU citizens (irrespective of whether payment is required)
o Monitoring of behavior that takes place within the EU
o Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU
* Penalties - Organizations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
* Consent - Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to allow.
* Breach Notification - Breach notification is mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
o Notification must be done within 72 hours of first having become aware of the breach
o Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach
* Right to Access - The right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
* Right to be Forgotten - Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
* Data Portability - The right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format' and the right to transmit that data to another controller.
* Privacy by Design - Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition.
* Data Protection Officers - DPO appointments are mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
o Must be appointed based on professional qualities and expert knowledge on data protection law and practices
o May be a staff member or an external service provider
o Contact details must be provided to the relevant DPA
o Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
o Must report directly to the highest level of management
o Must not carry out any other tasks that could result in a conflict of interest.
Determining Whether a U.S. Company is Subject to GDPR
Answering “Yes” to any one of the following questions means your organization needs to address the GDPR:
1) Does your organization have a physical presence in the EU?
2) Regardless of whether your organization has a physical presence in the EU, does your organization process personal data of European residents?
3) Does your organization perform Self-certification under the “EU-U.S. Privacy Shield Framework”?
4) Do you target EU-based Data Subjects?
a. Language Availability: If your website offers multiple languages and your organization isn’t located in a country that officially speaks any of those languages, it can be seen as an indication that you are targeting EU-based data subjects.
b. Currency Availability: Offering transactions in Euros or another EU-based currency could be seen as targeted servicing of EU subjects.
c. EU-based Domain Name: Having an EU domain, such as .fr, .ie, .co.uk, or .eu, may indicate that you are aiming services at EU subjects.
5) Does your data processing have any of the following characteristics?
a. It impacts the rights and freedoms of data subjects.
b. It is not occasional.
c. It includes special categories of data or sensitive personal data.
d. It relates to criminal convictions and offences.
GDPR Readiness Checklist
The GDPR requires a comprehensive review of current data privacy practices, policies and procedures of all covered organizations. Below is a checklist to help identify areas that need review:
___ Conduct an Information Audit – Identify and document what data is collected, from whom, from where, how it is processed, how long it is retained and why, and to which third parties it is disclosed and why.
___ Update customer-facing privacy policies – GDPR requires companies to obtain “express consent” from individuals whose Personal Data is collected, which means users must affirmatively agree – either by statement or a “clear, affirmative action.” Pre-clicked boxes will not be sufficient under the GDPR.
___ Update vendor agreements – Review current vendor agreements for data protection terms and update to include GDPR requirements.
___ Update processor agreements – Review current processor agreements to ensure that the specific elements for these agreements as set forth in the GDPR are included.
___ Determine if a Data Privacy Impact Assessment is necessary – A formal Data Privacy Impact Assessment (DPIA) is to be conducted where the data processing presents “high risks to the rights and freedoms” of the individuals whose Personal Data is collected. A DPIA is required where data processing includes profiling of individuals, large-scale processing of “special categories” of Personal Data, or if there is large-scale and systematic monitoring of a public area.
___ Implement “Privacy by Design” – “Privacy by Design” (also known as “Privacy by Default”) means taking steps to ensure that the development of new products involving data collection and processing provides for privacy and collects only the minimum data necessary for the intended purpose. Organizations must implement appropriate protections for any Personal Data they collect.
___ Appoint a Data Protection Officer (if required) – Data Controllers and Data Processors are required to appoint an internal DPO if their “core activities” include data processing that involves “regular and systematic” monitoring of individuals or large-scale processing of certain “special categories” of Personal Data.
___ Create/update procedures for processing user access requests and complaints – Implement internal procedures to respond to individuals’ requests and complaints regarding how their Personal Data is collected and processed. Make sure to account for data deletion requests, too.
___ Review and update data breach response policy and procedures – Organizations must ensure that their Data Breach Mitigation Plan is updated to reflect the GDPR requirements.
___ Review and update record keeping procedures and policies – Data Controllers and Data Processors must keep detailed records of their data processing activities.
___ Develop a cross-border transfer strategy (if required) – Data Controllers and Data Processors must comply with cross-border transfer restrictions if Personal Data is sent outside the EU for processing.
___ Conduct employee training on new requirements, processes and procedures and update employee guidance and policies – Educate and train employees on new GDPR privacy protection requirements and processes. Update all written policies and procedures, too.
___ Periodic employee monitoring and security checks for compliance – Conduct periodic reviews of employee practices and security protections to confirm compliance with GDPR requirements.