April 20, 2018
Do you need to comply with the EU’s sweeping changes to data privacy? It’s more likely than you might think.
The European Union (EU) has revamped its approach to data regulation. Its General Data Protection Regulation (GDPR) goes into effect on May 25th of this year. If you think you do not need to comply, think again. The GDPR applies to every organization, regardless of size, that has customers or clients in the EU – even if the organization itself is based outside the EU. Non-compliance may not only land you in court; you may face hefty fines reaching up to EUR 20,000,000 or 4% of global revenue, whichever is greater.
Under the GDPR humans have been defined as “data subjects” and granted rights regarding their data. Data subjects must consent to being included in a company’s database, for example, and that consent must be based on clear plain-language explanations about the data being collected, its intended use and how long it will be held. The same applies for comprehensibility of disclosures made to children. Even after consent, a data subject has a right to be forgotten which requires a business to de-link and erase data on a subject at the subject’s request “without undue delay”. Again, some exceptions apply.
For clarity, a company that “owns” or “controls” data is a “Data Controller” and a company that performs manipulation of the data is a “Processor” and both have responsibilities under the GDPR. For some companies, the new rubric also requires appointment of a “Data Protection Officer” expert in data protection laws and practices with access to the “highest management levels”. Such officer has the predictable responsibilities – and is required to have authority within the organization – to act. The GDPR also grants such officer employment protection for carrying out their jobs, which could have American employment law implications.
Further, data profiling (including target marketing), requires disclosure and compliance with the data subject’s directions on that issue. There are definitions of data breaches under the GDPR and rules about notification of data breaches which are broader than their American analogs. And, as with every regulation, some exceptions apply to all of the rules under the GDPR.
Drilling down, though, the following are the top 10 issues and recommended next steps to consider, to ensure compliance:
- Review and amend all legal text and documentation which describes how companies use personal data to ensure it is GDPR compliant.
- Create and implement proper policies and procedures that govern the use of personal data, handling data subjects rights and which ensures accountability in the compliance of all obligations established by the GDPR.
- Employ and train suitable individuals to oversee the company’s data processing activities and GDPR compliance obligations.
- Appoint a representative within the EU, if appropriate, to ensure they only have to deal with one single national data protection authority.
- Train all staff who process customers’ personal data to ensure they are aware of their new obligations under the GDPR.
- Ensure that all data processors enter into proper Data Processor Agreements.
- Maintain a register or record of all data processing activities.
- Ensure that all data transfers to and from other regions outside the EU meet the standards defined by the GDPR.
- Incorporate robust data security systems to minimize the likelihood of data breaches and have proper procedures in place to follow in case of a breach.
- Ensure that data privacy is incorporated ‘by design’ into any new system adopted by a company which processes personal data.
Clearly the GDPR imposes upon companies a number of obligations in terms of the processing (capture, use and storage) of personal data.
If you have any questions or would like to discuss your potential exposure, please don’t hesitate to contact us.