Are you familiar with the EU General Data Protection Regulation (GDPR) that goes into effect on May 25, 2018? If not, you should be.
The EU treats privacy very differently than the U.S. does. The EU considers privacy to be a fundamental human right, which then dictates how citizen data is treated. The U.S., however, does not treat privacy as a fundamental human right, and its laws reflect that fact. The GDPR is intended to provide EU citizens with greater control over how their personal data is collected, protected and used.
Definition of Personal Data
The EU’s definition of Personal Data (used in place of “personally identifiable information” or PII, commonly utilized in the U.S.) is much broader than that of the U.S. Personal Data means any information (including, but not limited to, names, addresses, telephone numbers, email addresses, location data, photos, financial information, credit card information, medical information, posts on social media websites and IP addresses) that relates to an identified or identifiable natural person (who is referred to as a data subject). Such a person is one who can be identified, either directly or indirectly, from information such as a name, an identification number, location data, an online identifier (such as an IP or MAC address), or factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The GDPR has an extremely broad jurisdictional reach. It applies to companies that process the personal data of data subjects who reside in the EU, regardless of where the company may actually be located, and to the processing of personal data by controllers and processors in the EU, regardless of where that processing may actually take place. As such, it covers personal data that is collected from individuals who are physically in the EU, regardless of their citizenship or the geographic location of the company.
Thus, a non-EU business that processes the data of EU citizens will have to appoint a representative in the EU. If your company has an office, branch or subsidiary in the EU that collects, receives, transmits, uses, stores or otherwise processes personal data, then the GDPR applies to it, regardless of where the processing occurs.
Similarly, if your company offers goods or services to data subjects in the EU, then the GDPR applies to it. Also, if your company monitors the behavior of data subjects in the EU, then the GDPR applies to it.
The following are some of the steps that you should consider taking in preparing for the GDPR.
Appointment of a Data Protection Officer
The GDPR requires that a company appoint a Data Protection Officer if the controller’s or processor’s core activities require regular and systematic monitoring of data subjects on a large scale, or involve large-scale processing of special categories of data, such as race, political or religious beliefs, or criminal convictions and offenses. The Data Protection Officer must have expertise in data protection law and practices and be able to fulfill the responsibilities set forth in the GDPR. While the Data Protection Officer does not have to be someone outside of the company, they must be able to perform their duties in an independent manner.
Obtain Informed Consent
In the absence of a legitimate interest, contractual necessity, or compliance with a local obligation justifying the data processing, the data subject must provide appropriate consent to such processing. Appropriate consent under the GDPR means informed consent, which means companies must explain which permissions data subjects are granting the company in clear, distinguishable and plain language, not legalese.
Generally speaking, data processors and controllers can only process a data subject’s personal data after having informed the subject of both the extent of the data processing and the uses to which the data will be put. The consent provisions cannot be simply buried in a longer document. The data subject must consent through an affirmative act, such as signing a written document or checking a box on a website or app. A controller must be able to demonstrate that the data subject’s consent was both valid and documented. Consent that is not freely given is not valid consent.
A data subject must also be able to withdraw their consent at any time. Furthermore, it must be as easy to withdraw one’s consent as it is to give it.
With respect to minors, “information society services,” which include online services such as social media sites, cannot be provided to minors under the age of sixteen without the parents’ consent.
This article only touches tangentially upon some of the requirements. You should consult with a knowledgeable attorney for all of the specifics.
Right to the Data
A data subject is entitled to a copy of their personal data free of charge and in a common electronic format. The data, and the information to which the data subject is entitled from the data controller, must be provided without undue delay, and within one month of receiving the request.
A data subject has the right to receive their personal data in a commonly used and machine-readable format and to transmit the data to another controller if technically feasible.
Limitations on Data Collection and Processing
Only personal data necessary for the purpose of the data processing activity can be collected. Moreover, the personal data can only be retained for the time period necessary to carry out the purpose of the data processing. Personal data cannot be retained in perpetuity under the GDPR, nor can personal data be used or processed for any purpose other than that for which consent was given.
The Right to be Forgotten
Data subjects have the right, in certain situations, to have their personal data erased, to terminate any further dissemination of their data and to have third parties cease processing said data.
Data Breach Notification
The GDPR requires that, within 72 hours of becoming aware of a data breach, companies report the data breach to both the authorities and their affected customers.
Train Your Workforce
The GDPR also requires that companies train their workforce on the proper way to handle personal data under the GDPR.
If all of this leaves you thinking that you’d be better off simply ignoring the GDPR, the fines that can be assessed should change your mind. The GDPR permits fines up to the greater of 20 million euros or 4 percent of a company’s worldwide annual revenue for the previous year.
As you can see just from this morsel of information, even though the GDPR does not become effective until May 25, 2018, it would be prudent to begin working now on ensuring compliance with it. If in doubt, consult a lawyer with expertise in this area of the law.