[co-author: Evan Benjamin]
On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. Any violation of this regulation is subject to a fine of up to €20 million, or 4 percent of prior year revenue, whichever is higher. Given this new environment, data privacy has now come front and center for all eDiscovery and Information Governance practitioners.
The GDPR gives European Union (EU) citizens significant rights concerning how personal data is collected, processed, and transferred by various data controllers and processors.
The EU concept of “personal data” refers to any information relating to an identified or “identifiable natural person” under the GDPR, e.g. any person identified by name, identification number, and factors specific to the physical, physiological, genetic, or economic, identity of that person. Conversely, “personally identifiable information,” or “PII,” is a term more commonly used in the U.S. and includes any information used to distinguish someone’s identity such as name, social security number, date and place of birth or mother’s maiden name.
This more broad definition of personal data has far reaching implications for all United States organizations required to comply with the GDPR because of the increase in the scope of data swept up into this definition of “personal data.” The GDPR now imposes a vastly complex and broad set of requirements that present organizations with a new set of tasks and decision-making responsibilities in areas not previously addressed in their desire to comply.
Determining whether the GDPR applies can be analyzed by answering three questions. First, does the U.S. organization have an established presence in the EU? Second, does the U.S. organization process personal data of data subjects in the EU by offering these subjects goods or services? Third, does the organization process personal data in the EU by monitoring behavior (e.g. through websites)? If any of these questions apply, then U.S. organizations are compelled to comply and are subject to enforcement by EU Data Protection Authorities (“DPA”).
U.S. organizations must understand that GDPR grants enforcement authority that allow DPAs to monitor and enforce this regulation in the respective territories, which also gives each individual European member state regulatory authority to enforce the regulation. Moreover, each member state may adopt separate data protection laws to supplement the GDPR which may force U.S. companies to separately understand these laws and its impact on the application of the GDPR.
The GDPR is a fundamental paradigmatic shift for U.S. organizations, because the EU’s view of data privacy as a fundamental human right is vastly different from the manner in which data privacy is regulated under U.S. law. United States organizations will also be required to adopt pseudonymisation and data encryption throughout their data enterprise. In essence, the GDPR neatly weaves all elements of a mature privacy, security and information governance program into a broad regulatory framework.
