Editor’s Note: Strictly speaking, this blog post isn’t really about human resources management or employment law. But it might be; the GDPR is vaguely written and it is not at all clear how it will be applied in relation to various other laws that might apply in a given situation, such as laws relating to the retention of data concerning former employees. Further, in light of the current Facebook scandal, GDPR may represent the future for businesses everywhere. Many thanks to Pat and Harrison for sharing this important and timely news!
What is GDPR?
GDPR is the comprehensive data protection regime being implemented by all 28 European Union member countries to protect the personaldata of their citizens.
When Does GDPR Take Effect?
May 25, 2018
Who Does It Cover/To Whom Does It Apply?
EU citizens/Any company processing Personal Data of EU citizens.
What is “Personal Data” Under GDPR?
It’s any information relating to an identified or identifiable person (in regulator-speak people are known as ‘data subjects’). Personal data is any information that could identify a person.
What Is the Territorial Reach of GDPR?
Theoretically, worldwide. For those with customers in or from the EU, GDPR obviously cannot be ignored. At the very least, businesses will need to carry out a data audit to understand their risks and liabilities.
Some companies in the United States may prefer to take on the additional expense and “brain damage” of maintaining two separate data handling processes, treating personal data obtained from different geographies differently, rather than streamlining everything under a GDPR compliant process. But doing so means managing multiple data regimes. And at the very least runs the risk of bad public relations if the public believes you are offering a lower privacy standard to your home users vs customers abroad (or the public vs. your management as just was alleged about Facebook). Ultimately, it may be less risky and less costly for US businesses to simply handle all personal data as though it were subject to GDPR, regardless of where it comes from or to whom it belongs. And while not every company harvests Facebook or Google levels of personal data, almost every company harvests some personal data.
What Does GDPR Require for Companies? What’s Really New?
GDPR requires organizations to appoint a “Data Protection Officer” (“DPO”) if they process sensitive data on a large scale or are collecting info on many consumers, such as by performing online behavioral tracking.
Under GDPR, EU citizens can ask you to reveal, correct, or erase their personal data. They can also ask you to stop processing their data in specific ways (e.g. no personalized advertisements) and may even ask for a portable, machine-readable copy of their data. EU citizens also have the “Right to Be Forgotten.” These requests can bog down your IT department and support staff if not automated. Ideally, you and your clients should try to simulate GDPR requests and figure out how to automate them.
“Controllers” control personal data – any information that could identify a person (name, email, address, location, etc.). “Processors” process that personal data on behalf of controllers. You could be a processor in some relationships and a controller in others. You could even have multiple processor-controller relationships with one company.
EXAMPLE:
Do your sales and marketing teams use SalesforceÔ? If so, in this example, you’re the controller, and Salesforce is the processor. If customers ask you to delete their Salesforce record, exercising GDPR’s “Right to be forgotten,” you’re responsible for fulfilling the requests. Salesforce is responsible for enabling you to fulfill the request. Processors make the delete button; controllers click it.
Get clear on which role your firm or your clients play in every relationship. Before GDPR is enforced, every contract will need an addendum defining who is controller versus processor. Don’t assume that your vendors or clients are clear on the differences and responsibilities.
What Are the Penalties for Non-Compliance?
GDPR’s top fine is €20 million (which is about $25 million US dollars) or 4 percent of revenue, whichever is greater. An equally important change is cultural: regulators don’t just send a bill to whomever they assume is responsible – they investigate. After a breach, Controllers have 72 hours to alert regulators and must notify people at risk “without undue delay.” Processors are expected to notify the Controller ASAP if they detect the breach first. More importantly, EU regulators want to see that your company (whether you’re the controller or processor) did everything reasonably possible to prevent the incursion and protect personal data. They’ll focus on your company’s cybersecurity processes and information governance, including how you protect information, detect breaches, execute your incident response plans and processes, and remediate.
Is There A Safe Harbor?
The GDPR was designed to protect the privacy of individuals within the EU, and to protect their privacy when their data is transferred outside of the EU. There are multiple ways for US companies to comply with the GDPR, including establishing “standard contractual clauses” or “binding corporate rules” (which some companies find to be a burdensome and lengthy process) or utilize the “Privacy Shield” framework. The Privacy Shield framework replaced the now defunct “Safe Harbor” framework.
In order to comply with the Privacy Shield framework, a US company would need to, among other things: (a) revise the Privacy Policy to incorporate the framework’s principles; (b) certify its compliance with the Department of Commerce; and (c) register with an independent recourse mechanism. If the US company were to certify that it complies with the framework, it may either: (a) make that certification through a self-assessment; or (b) engage a third-party to conduct the assessment. A law firm with a Data Privacy & Cybersecurity workgroup, like ECJ, can counsel companies in either case.
Pursuant to one of the principles in the framework (i.e., the Accountability for Onward Transfer Principle), the US company would also need to amend its contracts with their third-party vendors that process personal data from EU citizens. “To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.”
There is a $250 annual certification fee, and the US company may be subject to random audits from the US Department of Commerce.
What Does This Really Mean?
Simply put, GDPR enshrines the principle that people are the masters of their own data. This has not been the philosophy here in the US, for the most part. That is why the “Privacy Shield” has been necessary – because European regulators considered the US an unsafe territory for the data of EU citizens. Depending upon how deeply ingrained this philosophy becomes, this could also be a turning point for cloud technology vendors.
