The EU General Data Protection Regulation
by James P. Melendres and Aloke S. Chakravarty
This Friday, May 25, 2018, is the date from which the General Data Protection Regulation (“GDPR”) applies, yet many companies are still in the process of planning for compliance. Companies that will not be fully compliant by that date should nonetheless keep working toward compliance: the obligations, and the enforcement powers of the supervisory authorities, attach from that date regardless of a company’s state of readiness.
A New Data Protection Landscape
The catalyst for the GDPR was the frustration felt by businesses operating in the EU, and beyond, at the lack of harmonization across the Member States despite the increasing flow of data across borders. The regulation is meant to strengthen and unify data protection for individuals within the EU, and to address the export of personal data outside the EU. The European Commission’s stated primary objectives for the GDPR were to give individuals back control of their personal data and to simplify the regulatory environment for international business by unifying data protection rules within the EU.1
The GDPR replaces the EU Data Protection Directive (officially Directive 95/46/EC) from 1995 (the “Directive”), and will be directly applicable in all Member States without the need for implementing national legislation. While the Regulation entered into force on May 24, 2016, it will not apply until May 25, 2018.
There are many differences between the GDPR and the Directive and eight key changes for companies to evaluate:
- One Set of Rules – The GDPR is a regulation, not a directive. A directive sets out results that each of the 28 Member States must achieve but leaves each one to interpret and implement the rules in its own national law. A regulation, by contrast, is directly applicable and takes effect in identical terms across the entire union. The GDPR is enforced by the supervisory authority of each Member State; for cross-border processing, a “one-stop-shop” mechanism designates the supervisory authority of the company’s main EU establishment as the lead authority, and a consistency mechanism among the authorities is meant to keep their interpretations aligned.
- Definition of Personal Data – Under the Directive, each of the 28 Member States developed its own interpretation of what constituted “personal data.” The GDPR imposes a single, broad definition: any information relating to an identified or identifiable natural person, whether the person can be identified from that information on its own or in conjunction with other data. Notably, the new definition expressly lists location data and online identifiers among the identifiers that can make a person identifiable. These are meant to capture things like IP addresses, mobile device identifiers and advertising or account identifiers such as Google IDs, as well as geolocation data. A practical consequence is that server logs, analytics data and device telemetry that a company may not have treated as personal data under national law will often be personal data under the GDPR.
- New Individual Rights – The GDPR is built around the rights of the individual (the “data subject”). Companies will be required to tell data subjects, at the time data is collected, the purposes for which it will be used and how long it will be stored. A new use that is incompatible with the original purpose requires a fresh lawful basis, which, where consent is relied upon, means obtaining new consent. Where consent is the lawful basis, it must be given by a clear affirmative act; silence, pre-ticked boxes or inactivity do not constitute consent. Note that the GDPR protects data subjects who are in the EU, regardless of citizenship.
- Mandatory Breach Notification – The GDPR requires companies to report qualifying personal data breaches to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay.
- Financial Repercussions – To ensure compliance with the new regulation, steep fines are being put in place. For the most serious violations, companies can be fined up to 4 percent of their total worldwide annual turnover for the preceding financial year or 20,000,000 EUR, whichever is higher. A lower tier of up to 2 percent or 10,000,000 EUR applies to other violations, such as failures in record-keeping, security measures or breach notification.
- Joint Responsibility – The regulation defines data controllers as organizations that determine the purposes and means of processing personal data, and data processors as organizations that process that data on the controller’s behalf, for example by storing, analyzing or modifying it. Under the Directive, obligations fell almost entirely on controllers; the GDPR imposes direct obligations on processors as well, and both can be held liable for damage caused by non-compliant processing. This means that if an organization outsources data entry or analysis to a third party, or processes data on behalf of another organization, both parties carry obligations and liability.
- Information Governance – Under the GDPR, companies are required to actively track how and where personal data is stored and used throughout their supply chain. This means adopting risk management tools and building security and privacy into operations by design. Companies must also keep a record of their processing activities; organizations with fewer than 250 employees are exempt from that record-keeping duty unless their processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data. Separately, organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, are required to appoint a Data Protection Officer (“DPO”); the 250-employee threshold relates to record-keeping, not to the DPO requirement.
- Global Impact – Even though the regulation is enacted by the EU, it has a global impact. Companies based outside of the EU are required to comply with the GDPR if they offer goods or services to individuals in the EU, or monitor the behavior of individuals in the EU, and in doing so handle, store, manage, or process their personal data. Any company in the world that sells to consumers in Europe, or collects data from individuals in the EU, for example, will be affected.
GDPR Readiness Assessment
There are 10 critical steps companies may want to consider in preparation for the new data protection landscape under the GDPR:
- Confirm Whether the GDPR Applies to Your Company
The GDPR significantly expands the territorial scope of the EU data protection regime. In particular, even companies with no EU presence will be required to comply with the GDPR if they process personal data of “data subjects” who are in the EU in connection with (1) the “offering of goods or services” to those data subjects, whether or not payment is required; or (2) the “monitoring” of their behavior, to the extent that behavior takes place within the EU. Notably, the “offering of goods or services” prong is a fact-specific inquiry into whether the company’s online presence is designed to serve individuals located in the EU: factors such as offering EU languages or currencies, or shipping to EU addresses, point toward an offering, whereas the mere accessibility of a website from the EU does not.
- Data Mapping and Data Protection Impact Assessments
Before a company can determine what changes need to be made to its data protection procedures to ensure GDPR compliance, it needs to understand exactly what kinds of personal data it handles and processes at each stage of the data life cycle. In general, but especially for GDPR purposes, data mapping involves assessing how personal data are collected, processed, stored, and shared, together with the lawful basis for each processing activity, the systems and third parties involved, and any transfers outside the EU.
Additionally, under the GDPR, Data Protection Impact Assessments (“DPIAs”) are required where processing is likely to result in a high risk to individuals, which expressly includes large-scale processing of sensitive (special-category) personal data and systematic, extensive profiling that produces legal or similarly significant effects. In short, DPIAs are data privacy risk assessments, designed to assess whether a company is addressing its particular data protection risks appropriately and, where necessary, to identify remediation. If a DPIA shows that a high risk remains after mitigation, the company must consult the supervisory authority before starting the processing. (Even where a DPIA is not strictly required, companies may be well served by conducting an impact assessment as a means of ensuring compliance with GDPR requirements.)
- Develop Infrastructure to Monitor Data Handling and Demonstrate Compliance
The GDPR requires that companies document their processing activities internally, and maintain and continually update that record so that it can be provided to a supervisory authority on request. In particular, the records that are required to be maintained include records of consent obtained from data subjects, records of processing activities under the company’s responsibility (covering the purposes of processing, the categories of data subjects and data, recipients, international transfers, retention periods and security measures), and documented processes for protecting personal data. This is the core of the GDPR’s accountability principle: a company must not only comply, but be able to demonstrate that it complies.
- Account for New and Expanded Individual Rights
The GDPR creates several new individual rights, including the right to data portability and the “right to be forgotten” (erasure). It also enhances some rights already in existence, such as the right to receive information about the processing of one’s personal data and the right of access. These new and enhanced rights are designed to increase individuals’ control over the way their personal data is handled. Requests generally must be answered within one month, so companies may want to develop policies and procedures for receiving, verifying and responding to such requests and complaints.
- Consider Whether You Are Required to Hire a Data Protection Officer
The GDPR mandates that companies appoint a DPO if their “core activities” consist of processing that requires regular and systematic monitoring of data subjects “on a large scale,” or of large-scale processing of special categories of data or data relating to criminal convictions; public authorities must appoint one regardless. Where a DPO is required, the company must also ensure that the DPO has the qualifications and expertise required by the GDPR, and establish a structure under which the DPO can perform the duties and tasks specified in the GDPR independently, reporting to the highest level of management.
- Incorporate Privacy by Design
The GDPR requires “data protection by design and by default”: privacy-protective settings must be the default when companies handle the personal data of individuals in the EU, and only the personal data necessary for each specific purpose should be processed by default. When designing products or setting up services, privacy concepts must be built into the architecture, rather than being an afterthought or a one-time exercise. Privacy considerations are therefore required to be a fundamental part of the product design and development process, which is a significant new obligation. Companies may want to develop and document procedures for satisfying this requirement, for example by requiring data minimization, pseudonymization and retention limits to be addressed in design reviews.
- Revise Privacy Notices Appropriately
As noted above, one of the central objectives of the GDPR is to increase transparency regarding the handling of personal data, which in turn widens the types of information that companies are required to provide to EU data subjects to ensure that their data is processed fairly and transparently. Therefore, privacy notices or policies published on websites and elsewhere may need to be updated to provide additional information, including, but not limited to, the following:
- The lawful basis for each processing purpose (and, where that basis is legitimate interests, what those interests are);
- International data transfer safeguards;
- Data retention periods;
- The data subject’s rights, including the right to withdraw consent and to lodge a complaint with a supervisory authority; and
- Contact information for the company’s DPO, where applicable.
The GDPR requires that this information be provided in a “concise … and easily accessible form, using clear and plain language.”
- (Re)evaluate Consent
Under the Directive, companies are lawfully permitted to process personal data based on consent. This remains the case under the GDPR, which keeps consent as one of several lawful bases alongside, for example, performance of a contract and legitimate interests. Importantly, however, the GDPR’s definition of valid consent is stricter than some Member States’ existing rules: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act. Accordingly, if your company processes personal data on a consent basis, you may want to consider whether those consents remain valid under the GDPR. Specifically, companies may want to review whether existing consents are (1) specific to the particular processing activity; (2) freely given, rather than bundled with unrelated terms or made a condition of a service that does not need the data; (3) informed; and (4) active, requiring a positive step rather than inaction on the data subject’s part. Companies must also be able to demonstrate that consent was obtained, and must make withdrawing consent as easy as giving it.
- Prepare a Data Breach Response Plan
The GDPR includes a data breach notification mandate, requiring companies to notify the competent EU supervisory authority and, where the breach is likely to result in a high risk to individuals, the affected data subjects regarding qualifying personal data breaches. Notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach; if it is made later, the reasons for the delay must be given. A processor that discovers a breach must notify the controller without undue delay. Given this very short time frame, companies covered by the GDPR may want to implement a data breach response plan. The plan may include mechanisms for detecting and escalating security incidents, a decision procedure for determining whether a breach is notifiable and to whom, the procedure for making the notifications, and a requirement to document every breach, including those judged not to be notifiable, since the supervisory authority may ask to see that record.
- Review and Update Data Processing Agreements
As mentioned previously, data controllers and processors are jointly responsible for complying with the GDPR: if a company outsources data entry or analysis to a third party, or processes data on behalf of another organization, both parties carry obligations and liability. The GDPR also requires that processing by a processor be governed by a contract containing specific terms. Therefore, companies may want to review existing contracts with third parties that process personal data on their behalf to ensure that they comply with GDPR requirements. In particular, data controllers may want to confirm that these agreements set out the necessary obligations on data processors, such as processing only on the controller’s documented instructions, confidentiality of personnel, appropriate data security measures, assistance with data breach reporting and data subject requests, controls on the use of sub-processors, deletion or return of the data at the end of the engagement, and audit rights.
1. Presidency of the Council of the European Union, Compromise text: “Several partial general approaches have been instrumental in converging views in Council on the proposal for a General Data Protection Regulation in its entirety. The text on the Regulation which the Presidency submits for approval as a General Approach appears in annex,” Council document ST 9565 2015 INIT, 11 June 2015, 201 pages, PDF, http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf