The EU General Data Protection Regulations – or GDPR – goes into effect in 90 days, on May 25, 2018. With such a name, it would be easy to conclude that the law governs only the activities of businesses established in the European Union (EU) or European Economic Area (EEA), and that those established elsewhere are not concerned.
This is not the case. Organizations that are not established within the EU/EEA are subject to GDPR when they process personal data of individuals who are in the EU/EEA if the processing activities are related to:
- The offering of goods or services to such individuals in the EU/EEA, even if payment is not required, or
- The monitoring of their behavior, to the extent that their behavior takes place within the EU/EEA. Profiling of individuals based on their use of the Internet is an example of such monitoring.
In practice, most US businesses – probably 70% – are subject to the GDPR where they collect or process the personal data of individuals located in the US. According to our observations, only a very small fraction of those US businesses that are subject to the GDPR have completed their GDPR compliance overhaul. Those who have ignored the GDPR or have failed to properly evaluate the extent to which the GDPR might apply to their activities should rethink this analysis and take action as soon as possible to address these obligations, if relevant.
The GDPR is a significant, complex document. Compliance, therefore, is commensurate to its complexity. For most businesses, evaluating their practices and conducting all activities that are required to achieve compliance can take three to six months. Numerous larger businesses, such as multinationals, have been working on GDPR implementation for more than two years.
The list of obligations under the GDPR is very long. The document is comprised of 272 provisions, which are divided into 173 recitals and 99 Articles. It is also supplemented by documents issued by the EU institutions, or the Member States themselves. The EU’s Article 29 Working Party, so far, has published at least 13 guidelines. Some local supervisory authorities have published their own guidelines. Some Member States have adopted laws or amendments that relate to the GDPR.
Here are some highlights to keep in mind, among the many others that are written in the GDPR and related documents.
- Violations of the law are subject to significant administrative fines that can reach up to 20 Million euros, or in the case of multi-national businesses, 4% of their global revenue.
- In addition, individuals have a private right of action that allows them to file a complaint in court when they believe that their rights under the GDPR have been violated as a result of the processing of their personal data in non-compliance with the GDPR. They can mandate certain non-profit organizations to lodge the complaint and exercise their right to receive compensation on their behalf, a process that, in its effect, is likely to be similar to that of class action lawsuits customary in the United States.
- Businesses are prohibited from collecting or processing personal data unless one of six circumstances occurs. They are required to state on their privacy notice why they have the right to collect and process the personal data of individuals. Company can no longer just infer from a person’s visit of a website that the individual has consented to the collection and use of his/her data. Specific consent is required.
- Businesses have significant obligations that go well beyond current common practices. In particular, there are significant record keeping requirements as well as limitation to data retention.
- Products must be designed in accordance with Data Protection by Design and Data Protection by Default principles. In some cases, businesses are required to conduct Data Protection Impact Assessments.
- Individuals have significant rights, such as right of access, right of correction, right of data portability or right to be forgotten. Businesses have 30 days to respond to a request, which makes it necessary to implement the appropriate technical measures and administrative procedures to respond promptly to requests from individuals.
- If a company’s core activities require the regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data on a large scale, it must appoint a Data Protection Officer. Special categories of data include, for example, data about health, genetic data and biometric data, religion or sexual life.
- Privacy notices must be updated to include a large amount of information required by the law.
- Businesses must amend most of their contracts with third party service providers, or with their own customers if they act as service provider to another entity. These contracts must include numerous provisions mandated by the GDPR.
These are just example. There is much more. GDPR compliance project takes a significant amount of time.
To address their obligations under the GDPR, businesses must to conduct numerous activities, such as:
- Start with understanding whether and how the business may have access to personal data of individuals in the EU/EEA, what is done to or with this data, with whom it shared, and how the business interacts with the individual for marketing purposes
- Conduct a gap analysis to determine what needs to be done to comply with the GDPR, and prioritize these activities
- Address the company’s obligations as a controller or processor
- Address the restrictions to marketing, targeting, profiling
- Update the contracts with data processors, subprocessors
- Document the security program; update the security breach response plan
- Address the crossborder data transfer restrictions
- Identify the legal grounds for processing the personal data
- Update the privacy notice
- Develop processes to address obligations regarding individuals’ rights
- Update training for personnel
- Identify the lead supervisory authority
The GDPR has become a significant part of the US Privacy and Security legal landscape. It is important for US businesses to pay attention to compliance now because a majority of US businesses – as well as business located in other countries outside the EU/EEA – are and will continue to be subject to the GDPR for some of the personal data that they collect.
The GDPR will affect many of the business deals that a company may conduct. As businesses acquire or do business with businesses that are subject to the GDPR, the contracts that are drafted will likely have to address GDPR issues.
There are only 90 days left to take action and address GDPR compliance. There is still time if you have not already done so. If you don’t, those individuals and businesses located in the EU/EEA with whom you want to do business may soon inquire whether your company can demonstrate whether it is compliant with the GDPR, and if your answer is not satisfactory, may take their business to others who do comply.