European General Data Protection Regulation: GDPR Compliance for U.S. Business
Cybersecurity and Privacy Alert
The General Data Protection Regulation (GDPR) was approved by the European Union (EU) in 2016 and replaces the 1995 EU Data Protection Directive 95/46/EC. Enforcement begins May 25, 2018 – including the application of heavy fines.
The GDPR is intended to update and further harmonize EU data privacy laws. More specifically, GDPR is intended to:
- Protect EU citizens’ data privacy rights and mitigate data breach injuries
- Regulate organizational data privacy practices
- Reflect realities of current data-driven world
Any GDPR compliance strategy must begin with an understanding of the exceedingly broad EU definition of Personal Data. Personal data means any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In addition to an expansive definition of data, the GDPR has an expansive jurisdictional reach. The GDPR applies to companies processing personal data of data subjects residing in the EU, regardless of the company’s location, as well as to the processing of personal data by controllers and processors in the EU, regardless of where the processing takes place. Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.
GDPR fines can be up to €20 million or 4 percent of annual global turnover (revenue), whichever is greater. The GDPR also provides for tiered fines based upon multiple violations:
- 2 percent for not having their records in order (Article 28)
- 2 percent for not notifying the supervising authority
- 2 percent for not informing data subject about a breach or not conducting impact assessment
Fines will apply to controllers and processors; “clouds” will not be exempt from enforcement.
The GDPR also increases the requirements for consent. Consent must be distinguishable, clear and in plain language – think US UCC liability disclaimers.
- Request for consent must be given in an easily accessible form, without legalese
- Purpose for data processing must be included with the consent
- Must be as easy to withdraw consent as it is to give it
The GDPR expands the rights of Data Subjects. Data subjects have the right to obtain details from the data controller regarding processing of personal data, where and for what purpose. Controllers are obligated to provide a copy of the personal data, free of charge, in a common electronic format.
The GDPR also introduces data portability. Data subjects have the right to receive their Personal Data in a “commonly used and machine readable format,” and have the right to transmit data to another controller.
The GDPR also establishes “the right to be forgotten.” Data Subjects are entitled to have their Personal Data erased, terminate further dissemination of data and have third parties stop processing the data.
Breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals,” and must be done within 72 hours of becoming aware of the breach.
Appointment of a Data Protection Officer is mandatory for controllers and processors whose core activities require regular and systematic monitoring of Data Subjects on a large scale, or involve special categories of data or data relating to criminal convictions and offenses.
Additional Uncertainty Remains
A recent decision of the Irish High Court puts the Privacy Shield safe harbor provisions for the exchange of privacy data between the EU and the U.S. in question -- more specifically the “standard clauses” used by most American businesses to comply with EU data protection regulations.
Reminiscent of the October 2016 Schrems I case which effectively dismantled the prior U.S. Safe Harbor procedures used to comply with the 1995 directive, the Irish High Court has referred the EU privacy issue to the EC Court of Civil Justice for a determination of whether an EU citizen’s privacy rights are adequately protected by the current Privacy Shield.
As a result, in addition to the complexities of understanding and complying with the GDPR, U.S. concerns may be at further risk of noncompliance if the EC Court of Civil Justice dismantles the current Privacy Shield.
GDPR Compliance Strategies – Assess, Mitigation and Operational Change
Assess Operations – Personal Data Rights
- Employment-related agreements, policies and procedures
- Non-disclosure and confidentiality agreements
- Customer, distribution and joint development agreements
- Procedures for tracking Personal Data and consents
- Physical and cybersecurity of Personal Data
Mitigate Risk – Advance Preparations and Response Planning
- Evaluate true need for Personal Data, uses and locations
- Select qualified DPO and EU Representative
- Evaluate possible response strategies and mitigation plans
- Identify jurisdictions involved and pre-determine resources for rapid response
Operational Change - Checklist
- Description of Personal Data in possession
- Accurate contact information for Data Subjects in the event of a breach
- Updated compliant policies, protections and procedures
- Training of employees and contractors
- Implement required EU safeguards for export of data
More information is available from the European Union at: