What is GDPR? Why should I care?
The General Data Protection Regulation (GDPR) is a European privacy law due to take effect on May 25, 2018. It sets forth new rules governing how companies may collect, store, and use personal data pertaining to and/or originating from individuals in the EU. If you do any business with individuals located in the EU, you will need to be sure your website and/or store complies with the GDPR.
You can find a copy of the full text of the GDPR here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
In addition, you can find a step-by-step guide explaining the provisions of the GDPR and how to comply through the UK’s Information Commissioner’s Office here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
What are some of the key changes to data privacy under GDPR?
- Broader Territorial Applicability – the GDPR applies to any company processing the personal data of persons in the EU, regardless of whether or not the company is located in the EU. The test is whether products or services are being offered to those persons (for example, through a website) or whether their activity within the EU is being monitored;
- Consent – if you are relying on consent for the processing of personal data (consent being one ‘lawful basis for processing’) this must be intelligible, specific, and unambiguous, and, where sensitive personal data is to be processed (i.e. health information and certain other data types called “special categories” in the legislation), explicit consent is required. One example of where you will need to rely on consent is for the conducting of direct marketing by electronic means;
- Penalties – companies found to be in breach of GDPR may be subject to penalties of up to the greater of 4% of annual global turnover and €20 million;
- Expansive Data Subject Rights – under the GDPR, data subjects in the EU have broad and additional rights with respect to their personal data, including, among other things, the right to access, correct, port and erase such personal data (i.e. the “right to be forgotten”), and to withdraw their consent for the processing of personal data;
- Heightened Accountability Obligations – companies processing the personal data of persons in the EU need to ensure that they have documented a lawful basis for data processing activities, engage in ongoing recordkeeping of data processing activities, document their compliance with the principles set out in GDPR and notify relevant authorities of data breaches within 72 hours, and take additional steps to protect and secure personal data;
- Compliance – some companies may be required to hire a Data Protection Officer, while all companies are required to train employees on data privacy and ensure vendor compliance with the GDPR; and
- Definition of Personal Data – the GDPR broadens the definition of personal data to include any information that can be used to directly or indirectly identify an individual, including IP addresses and device IDs.
You can read more about the key changes under the GDPR here: https://www.eugdpr.org/the-regulation.html
How do I know if I am a data controller or a data processor under the GDPR?
A data controller determines the purposes and means of the processing of personal data, while a data processor processes personal data on behalf of and according to instructions from the data controller. Depending on the personal data and processing activity in question, you may be either a data controller or a data processor.
How do I prepare for the GDPR? How do I know if I am compliant?
To determine whether you process personal data as a data controller or a data processor, and to understand and assess your compliance with the GDPR, you can use the checklists and self-assessment tools available through the UK’s Information Commissioner’s Office here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/.
Disclaimer: The information presented is for general information and discussion purposes only and may not be relied upon as legal advice. You should consult a licensed attorney before relying on the general information provided herein.
What Happens if a Company in the US Does Not Comply?
TBD. The regulation goes into effect May 25, 2018, and until there is a test case in the US, nobody knows how things will play out here. For multinationals with divisions in Europe, compliance is mandatory to avoid fines. For US-based businesses that control or process the personal data of European citizens, compliance is recommended, but not necessarily mandatory until the real-world impact of the GDPR is better understood.