GDPR – The EU’s Response to Data Privacy
Data has the power to change industries, change the nature of competition, and its sale may be a potentially lucrative revenue stream for your business. In fact, data is being hailed as being more valuable than oil 1 . However, a reminder of the importance of data privacy, data handling, and data use will come into force on May 25, 2018. On this day, the General Data Protection Regulation (“GDPR”), will apply to all European Union(“EU”) member states.
This article investigates three main questions. First, what is the GDPR. Second, which key provisions affect US companies based in the EU and lastly, what actions US companies can take to protect themselves from exposure.
What is the GDPR?
The GDPR 2 , also known as Regulation 2016/679, is the EU’s data protection, data collection, and data use law. The GDPR replaces the Data Protection Directive 95/46/EC and works to harmonize European data privacy laws, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The EU takes a different approach to privacy than the US. In the US, there is no single law regarding data collection and data use. Instead there are a multitude of federal and state acts that cover sectors of data which essentially try to determine which personal data may be collected and in what circumstance it may be used and collected. The EU values privacy and personal control of information. The GDPR works to embody the idea that people have the power to control what happens to their personal data and that there is an onus on companies to responsibly handle the information it collects, processes, and uses.
Key provisions of the GDPR Affecting US Companies
There are many provisions in the GDPR that may affect your business. Provisions outlining applicability
of the GDPR, consent, data access, privacy by design, and enforcement and fines are of particular
TO WHOM DOES THE GDPR APPLY?
A company is subject to the GDPR if that company processes information in the context of a controller, or a processor in the EU. 3 Thus, a US Company that targets the EU for business, and collects data, will still be subject to the GDPR even though it is located outside the EU. However, the GDPR would not apply if an EU citizen actively sought out a US company that does not target the EU. A data controller is a natural or legal person, such as a company or agency that “determines the purposes and means of the processing of personal data 4 .” Personal data is “any information relating to an identified or identifiable natural person 5 .” A processor is a natural or legal person who “processes personal data on behalf of the controller 6 ” These are broad definitions and whether your company handles personal data, or is a processor or a controller may be based on the facts of your business.
The idea of consent is of the utmost importance to the GDPR. It is an idea that is woven throughout the law. A controller must be able to show that a person clearly consented to the processing of their personal data. Further, this consent may be withdrawn at any point of time by the consenting party. 7 Notification Breach, Right to Access, The Right to Be Forgotten, Data Portability The GDPR strengthens a host of rights which includes, the right of a person to access data 8 , the right to be forgotten 9 , breach notification 10 , and data portability 11 . Broadly, a person has the right to know what their data is being used for, they may request it be deleted, and they may ask for a copy of the data a company has collected on that individual. The right to be forgotten clause states that a person may request that all the personal data a company has on that individual be deleted. In the event of a data breach, a person must be notified within 72-hours. Under the data portability provision, a company must also provide the data it has on an individual in an appropriate format should a person request.
PRIVACY BY DESIGN
The GDPR requires that a company implement privacy at the start of their system design. 12 This is known as privacy by design. The reason is to ensure that data access and deletion of an individual are possible. The GDPR requirements may be expensive and not even possible to implement into a system after it has been designed. The goal is to ensure that regulations are taken into consideration at the start of the system design.
ENFORCEMENT AND FINES
EU member states are empowered to take all measures necessary to ensure GDPR laws are enforced. 13 Fines include up to 4% of annual global turnover or €20 Million (whichever is greater) 14.
What actions can US companies can take to protect themselves from exposure?
Be proactive! There are several steps you can take to ensure you are ahead of the curve with compliance with the GDPR.
1. Determine whether the GDPR applies: It is important to understand whether the GDPR will apply to your company. If you have data on an EU resident the GDPR is likely to apply. If it is questionable you may want to consider getting an evaluation of the matter.
3. Appoint a Data Privacy Officer: A data privacy officer (“DPO”) can be the single point to investigate privacy matters within the company. This would include reviewing privacy policies and start to investigate all entry points for data collection and from the start of system design. A DPO may or may not need to be appointed for your company. This really depends on what you do with the data you
collect. If you want to appoint one, know that the position comes with great responsibility. The GDPR outlines some requirements for a DPO 15 .
4. Privacy by Design: It is easier to make changes during the design of a system rather than waiting until after everything is operational to make such changes. The GDPR has some very stringent requirements that may only be able to be met if the requirements are considered at the start of system design. Further, data flow maps and a clear understanding that de-identified data is no longer enough to be considered deleted data.
5. Investigate the Company’s use of data: Determine the actual use of data that is collected. If a company does not require data, there may be no use to collect it.
6. Rights of the Data Subjects: Understand that data subjects have expanded rights under the GDPR and investigate the gap between your company’s policies and what the GDPR requires. An important provision is a data subject’s right to be forgotten. This right to be forgotten may be a big hurdle and this may require putting obligations in down party contracts, so you can ensure data subject that
downstream controllers have also removed their data.
7. Trace the lifecycle of your data: Ensure you understand where the data you collect goes. If it is involved in cross border transactions your company may be liable. Data trail audits may be important, because AWS, Azure and even Oracle move their clouds around all the time.
The GDPR has expanded privacy laws and rights for EU member states. It is important to take the proper steps to ensure compliance and avoid potential exposure. It is quite possible the EU will take a strong stance of enforcement after May 25, 2018 to make it a point of how important privacy is to their citizens.