After being introduced in April 2016, the European Union’s General Data Protection Regulation (GDPR) officially comes into enforcement effect today, replacing the existing EU Data Protection Directive. Although similar to the previous data protection law, the GDPR includes new and enhanced requirements aimed at protecting the fundamental rights of natural persons with respect to their personal data. The territorial reach of the GDPR is also broad, requiring businesses processing personal data of EU and European Economic Area (EEA) individuals to comply with its obligations, whether those businesses are performing the processing directly or through the use of downstream vendors and regardless of where that processing activity takes place. Failure to comply with the regulation risks imposition of significant monetary sanctions – starting at the greater of either 10 million euros or 2% of a company’s global revenue for the prior fiscal year per incident. If you have not already, the time is now to consider whether and how your business may be affected by the broad reach of the GDPR.

Who and what does the GDPR affect?

The GDPR centers on the principle that the protection of personal data is a fundamental right enjoyed by all Europeans. The GDPR affirms that fundamental right, including the right of access, right to correction of inaccuracies in their personal data, right of erasure (popularly known as the “right to be forgotten”), and the right to restrict processing, among others. The new regulation requires companies to create mechanisms for natural persons in the EU and EEA to exercise these rights and control how their data is used. Individuals are also empowered to enforce these rights with the ability to bring a complaint to the supervisory authorities, as well as bring a private cause of action in court against the companies processing their personal data illegally.

Under the GDPR, “personal data” is information about a living natural person that can be used on its own or combined with other information to identify that person (a “data subject”). Personal data includes not only the familiar – names, mailing addresses, EU/EEA Member State ID card, passport numbers, and credit card information – but also less obvious online personal identifiers such as an individual’s IP address, location data, and cookie data. Additional obligations and restrictions apply to the processing of specific categories of sensitive personal data including personal data revealing racial or ethnic origin, genetic data, or religious beliefs, as well as processing of the personal data related to children, criminal convictions, and criminal offenses.

The regulation applies to “processing” of that personal data, which is any operation performed on the personal data such as collection, storage, consultation, use, transmission, and even activities like erasure or destruction. Both data controllers (the organizations originally collecting, storing, and using personal data) and data processors (the vendors hired by data controllers to analyze or use that personal data for business purposes of the data controllers) are subject to these requirements when either a data controller or their engaged data processors (1) operate within the EU/EEA; (2) are located outside the EU/EEA but offer goods and services to individuals in the EU/EEA (regardless of whether payment is required); or (3) monitor the behavior of individuals in the EU/EEA. Essentially, simply possessing personal data about a person from the EU or EEA constitutes processing sufficient to require your compliance with the GDPR.

What are the main GDPR requirements?

The GDPR’s enhanced requirements on companies processing personal data fall into several general categories: (1) openness and transparency about what is being done with an individual’s personal data, (2) how that personal data is being protected, (3) with whom it may be shared, (4) whether and how it is transferred outside of the EU/EEA, (5) notification to individuals that they may manage how their personal data is used and informing them how to do so, (6) updating existing and new contracts between controllers and processors to address the mandatory terms imposed under the GDPR, and (7) appropriate and timely response to data breaches. Here are some of the big-ticket items that must be addressed by every company handling personal data of EU/EEA data subjects.

Lawful basis. Companies must identify and document an appropriate lawful basis for their processing activities before they begin processing personal data. Companies can choose from a number of lawful bases, including freely given and informed consent from the data subjects, legal obligations, and legitimate business interests (which includes direct marketing); which one is most appropriate depends on your particular circumstances and intended activities. Under the notice and transparency principles of the GDPR, companies are obligated to inform data subjects of their processing activities, the lawful bases for that processing, and how to exercise their rights with respect to the processing activities, commonly done through direct notification and updates to the company privacy policies.

Contracts. The GDPR now requires that whenever a controller uses a processor to process data subject to the GDPR, the controller must engage only vendors, regardless of where those vendors operate, who agree to comply with the requirements of the GDPR so long as they are processing EU/EEA personal data. These controller-processor relationships must be governed by a written agreement making clear each party’s obligations under the GDPR and must include certain terms mandated by the regulation. These obligations extend to agreements in force as of May 25, 2018, so companies need to audit their agreements to ensure that the mandatory terms are present and, if not, execute addenda as necessary to bring those contracts into compliance. These mandatory terms include, among others, that data processors:

  • Only act under the written instructions of the data controller;
  • Ensure that the employees of the processor have committed to ensuring the confidentiality of the data shared by the data controller;
  • Ensure the security of the shared personal data;
  • Only engage sub-processors with the prior approval of the data controller;
  • Assist the data controller with responding to requests from EU/EEA data subjects to exercise their rights over their own data, as well as requests from regulatory bodies to confirm compliance with the GDPR; and,
  • Keep appropriate records of the processing activities.

Cross-border transfers of personal data subject to specific frameworks. The GDPR is also specific about how personal data may be transferred from the EU to other countries where privacy laws are less strict and protections less obvious, including the United States. The GDPR provides certain approved frameworks that are permitted to allow for legal cross-border transfers of data subject to the GDPR. Each transfer mechanism comes with its own obligations, advantages, and disadvantages, so it is important to review your organizational and technological security practices and select accordingly. Additionally, some of the mechanisms are under attack in European courts, so companies may wish to build in redundancies to ensure the ongoing legality of their cross-border transfers of personal data.

Data breach notification. Responding to data breaches is a serious matter under the GDPR. In the event of a data breach, controllers and processors are required to notify the appropriate authorities to the extent possible without undue delay and no later than 72 hours after learning of the breach. Controllers and processors must also notify the affected individuals without undue delay if the breach results in a high risk to the rights and freedoms of individuals. If a processor is breached, it is required to notify the controller of that data breach without undue delay after becoming aware of the event and with enough time to enable the controller to fulfill its 72-hour notice obligations. At minimum, the notification must include:

  • The nature of the data breach;
  • Categories and the approximate number of data subjects and personal data records concerned;
  • Contact information for the organization’s data protection officer;
  • Likely consequences of the breach; and
  • Measures the controller has taken or proposes to take to mitigate the breach.

Where to go from here?

The GDPR is a far-reaching regulation that touches on the business operations of companies around the world. In a global economy where multinational companies engage vendors in many countries to assist with their operations, personal data about EU/EEA data subjects can be touched by companies anywhere and regardless of whether they directly seek out European business. Downstream vendors are subject to GDPR just as much as the multinational data controllers who hire them. There are many ways that the GDPR can touch your business that may not be initially obvious, and, as the regulation begins to be enforced, more will be learned about how far its reach actually extends. As such, it is important for companies to assess their obligations under the GDPR now and act appropriately to update their operations and policies as necessary to comply.

If your business may receive personal data from the EU/EEA, whether by directly operating in Europe, marketing your goods or services to Europeans, or providing services to companies who may share personal data from EU/EEA data subjects, you should carefully assess how the GDPR may impact your business. The attorneys at Protorae Law are working with many clients to assess their obligations under the GDPR and to execute the policies, procedures, and contracts necessary as businesses work toward GDPR compliance. If you would like to learn more about the GDPR and how it may affect your business, contact us.

Antigone G. Peyton