As you put together your resolutions and plans for the new business year, it is important to remember that the European Union’s (“E.U.”) General Data Protection Regulation (“GDPR”) will go into effect on May 25, 2018. The impact that it could have on U.S. companies will depend on whether a company processes the personal data of E.U. citizens (note: the definition of “personal data” under the GDPR is quite broad). If you think this doesn’t apply to your company, think again – even without a physical presence in the E.U., the internet makes it easier than ever to collect personal data from E.U. residents while operating solely in the U.S. So, whether it’s the information of your customers, the customers of your clients, or even the personal data of your own employees, it is important to be aware of your obligations under GDPR and the ways by which you can comply.
As we introduced last year, underpinning the GDPR is the view that privacy is a fundamental human right. Accordingly, the GDPR takes a comprehensive approach to privacy law – much more so than the sectoral approach used here in the U.S. In the U.S., privacy tends to be regulated based on the category of information collected (e.g., protected health information under HIPAA). Under the GDPR, as well as its predecessor, the Data Protection Directive 95/46/EC, the focus is on personal data in all sectors of industry. And we should take a moment to remind everyone that stringent regulations on transferring personal data from the E.U. to the U.S. are not something new. U.S. companies should have been complying with the Data Protection Directive since 1995. Indeed, many companies are just now starting to do what they should have been doing for a long while. In truth, this lack of compliance and insufficient protection of personal data is, in part, why the GDPR has come to be.
Here is a quick rundown and reminder of some of the GDPR basics. We will expand on some of these in future posts.
- Notice and Consent. The collection, use and sharing of the personal data of E.U. citizens will require two things – notice and consent of the individual. Companies will no longer be able to use long, illegible terms and conditions that are full of legalese. Rather, “consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.”
- Access. Individuals are entitled to access their personal data and to understand when, where and how their data is being used. This means companies will need to ensure they have the means to store such information securely, retain it, and provide that access in a secure manner.
- Right to be Forgotten. Along with the right of access comes the “right to be forgotten,” which means in certain cases individuals can request that a company cease collecting information and remove/delete any information it might have stored on that individual.
- Breach Notification. The GDPR establishes a universal breach notification requirement, sometimes mandating notice to individuals of any breach within 72 hours.
- Data governance program. Companies are expected to incorporate “privacy by design” principles into their data governance programs, ensuring that technical and organizational measures exist and are appropriate and effective to safeguard personal data. (This assumes, of course, a company has a data governance program to begin with.)
- Financial Penalties. The most significant and severe change, and the one that should have U.S. companies paying attention, is the new set of penalties associated with the GDPR.
Violations can fall into two levels of severity:
- The lower tier carries a maximum penalty of €10 million or 2% of worldwide annual revenue for the prior financial year, whichever amount is higher.
- The upper tier carries a maximum penalty of €20 million or 4% of worldwide annual revenue for the prior financial year, whichever amount is higher.
So, as you work on your new diet, workout program and savings plan, don’t forget to take a little time to reassess your company’s data footprint, including any personal data coming out of foreign jurisdictions like the European Union. U.S. companies need to understand what personal data they collect, store and use from E.U. citizens. Based on that assessment, companies should develop, update or adopt new policies, procedures and compliance mechanisms to ensure the requirements of the GDPR are met. The countdown to May 25th is underway. Tick. Tock.