Deadline Looms for Companies to Meet GDPR Compliance

Harris Beach PLLC

The European Union’s (EU) comprehensive General Data Protection Regulation 2016/679 (GDPR) replaces the long-standing Data Privacy Directive 95/46-EC (Directive). It regulates the collection, processing, and transfer of an individual’s personal data by other parties, and authorities begin actively enforcing it on May 25, 2018. Among the GDPR’s new features is its extraterritorial application to entities handling personal data outside the European Economic Area (EEA), including processors in the United States. The EEA includes all EU countries as well as Iceland, Liechtenstein and Norway.

What is Personal Data?

Personal data is broadly defined as any information relating to an identified or identifiable natural person (data subject) that is a citizen of a country in the EEA.  An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  In addition to the information historically considered personal data pursuant to the Directive, the GDPR includes location data, online identifiers (cookies and IP addresses) and one or more factors specific to the genetic identity of an identifiable person.

Sensitive personal data, including genetic data and biometric data (referred to as special categories of personal data), is subject to additional protections. The GDPR defines genetic data as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”  Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

Why Does the GDPR Matter For Companies Based in the United States?

While the GDPR only protects data of individuals who are citizens of a country in the EEA, the protections apply even when the data is transferred from the EEA to any other country.  Given this broad territorial scope, every company – wherever located – that conducts business which may involve personal data, even if that business is performed through an affiliate, needs to be aware of its GDPR obligations in advance of the May 25, 2018 compliance deadline.

For example, a company in the United States may have an affiliate or a business counterpart in the EEA with access to personal data of its own employees or customers.  If the domestic company has access to any personal data from its affiliate or counterpart (increasingly likely with cloud-based networks), the domestic company needs to comply with the GDPR’s requirements in order to avoid the law’s monetary and other sanctions.

Additionally, ecommerce businesses that collect or process personal data need to be aware of their GDPR obligations, regardless of where they are located.

How Do Companies Comply With the Key Provisions of the GDPR?

All companies that do business with the EEA need to be aware of, and prepared for, their GDPR compliance obligations. Not all provisions of the GDPR apply to non-EEA companies doing business through an EEA affiliate or counterpart, but several key provisions, highlighted below, have been the focus for companies in the United States.

Implement Appropriate Data Protection Policies. The GDPR requires companies that process or collect personal data to provide a “reasonable” level of protection for that personal data, a standard the Directive also required. Policies and procedures will vary amongst companies, depending on the size of the organization, the data collected or processed and various other factors. There is no “one size fits all” when it comes to data protection policies, but companies are encouraged to implement – and to thoroughly document – policies and procedures appropriate to their unique risks.

Upgrade Vendor Agreements. Until the Safe Harbor mechanism was judicially invalidated, companies in the United States relied on it, as permitted under the Directive, to ensure a reasonable level of protection. Following that invalidation, many companies integrated standard contractual clauses approved by the European Commission into their vendor agreements with EEA affiliates or counterparts. For the time being, European authorities have confirmed that the existing form of standard contractual clauses will continue to be honored as an authorized mechanism for the cross-border transmission of personal data. (European regulators have noted, however, that a revised and updated form of those standard contractual clauses may issue in the future. If such a revision is issued, it has yet to be determined whether the old form of those clauses will be “grandfathered” or will need to be replaced across the board in business relationships where they already have been implemented.)

Implement Appropriate Policies for Erasing Personal Information. The GDPR requires companies to erase an individual’s personal data upon request from the data subject. Companies that hold personal data should have adequate, thoroughly documented policies and procedures in place for receiving and honoring such requests.

Implement Procedures for Disclosing Data Breaches. Companies subject to the GDPR are required to disclose any data breach within 72 hours, and the parties entitled to such notice – for example the data controller exporter, data subject, and relevant authority – will vary depending on the particular circumstances of the breach. Given this short window, it is very important that companies have policies and procedures in place to comply with this requirement.

Implement Policies and Procedures for Responding to Subpoenas and Other Discovery Devices in Litigation. Complying with the comprehensive protections of the GDPR and the often strict discovery rules that govern litigation in the United States can put a company in a very difficult situation. The GDPR’s protections of personal data are often in conflict with the requirements of courts located in the United States for the production of information in discovery; those courts can sanction parties that refuse to produce discoverable information, with little or no regard for overseas laws restricting the cross-border dissemination of discoverable data. Companies should have policies and procedures in place for responding to discovery demands seeking the disclosure of personal data, reflecting the need to seek a protective order or other mechanism to ensure compliance with the GDPR.

Appoint a Data Protection Officer. Companies of all sizes may also be required to appoint a data protection officer tasked with: informing and advising the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or member state data protection provisions; monitoring compliance with the GDPR, with other Union or member state data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, raising awareness and training staff involved in processing operations, and the related audits; providing advice where requested as regards the data protection impact assessment and monitoring its performance; cooperating with the supervisory authority; and acting as the contact point for the supervisory authority on issues relating to processing, and consulting, where appropriate, with regard to any other matter. A data protection officer is required to expand these responsibilities if warranted by the risk associated with processing operations, based upon the nature, scope, context, and purpose of processing. Whether or not a company is required to appoint a data protection officer is not based on the size of the company, but rather depends on the type and amount of data collected, whether processing is the company’s main business and whether the company processes data on a large scale.

What Should Companies Do Before the May 25th Deadline?

Despite all the attention placed on the GDPR, many companies remain out of compliance in advance of the May 25, 2018 deadline, and non-compliance can have significant consequences. Fines for violations of the GDPR can reach 20,000,000 Euros or 4% of a company’s global turnover, whichever is higher. The GDPR also creates a private right of action for individuals who have suffered damages as a result of a violation, and in certain cases a not-for-profit organization can bring a representative action on behalf of a class of claimants. The potential for significant civil and regulatory liability, coupled with the reputational damage caused by negative publicity, should cause any company to take its obligations seriously.

If your company has not taken steps to ensure compliance with the GDPR, there is still time to act in advance of the May 25, 2018 deadline.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
