On May 25, 2018, the EU’s new data protection law goes into effect. The General Data Protection Regulation, commonly known as the GDPR, is the biggest change to European data protection law in over 20 years and seriously impacts businesses across the U.S. and around the world.
Although you should have complied by now if you are subject to GDPR, it is not too late! Supervising data protection authorities will regard late compliance as far better than no compliance and indications are that in most cases organisations will not be punished for taking a short further period to get their house in order.
If you have not already addressed GDPR in your business, this Quickstudy highlights key points for you to now consider.
Does GDPR apply to you?
The first and most important thing for non-EU businesses to consider is whether they are subject to the GDPR - it can apply even if you don’t have a legal or physical presence in the EU.
You are very likely to have to comply with GDPR if:
-
you have an “establishment” in the EU;
-
you intentionally offer goods or services to individuals in the EU; or
-
you monitor their behavior on the Internet.
If GDPR applies under 2 or 3 and you are not established in the EU, you need to appoint an EU based data protection representative.
Over recent months, Locke Lord has advised numerous U.S. and internationally-headquartered clients on whether the GDPR applies to their businesses.
Fines
The maximum fine for breaching the GDPR is up to 40 times larger than under the previous law and even more for big business – EU data authorities have been given the power to levy fines up to €20 million or 4% of the annual worldwide gross revenue of the whole group, whichever is greater.
That said, fines must be proportionate and are discretionary and applied on a case-by-case basis.
Fines are only part of the story. In cases of breach, adversely affected individuals can claim compensation and the company may suffer negative publicity which can have a severe financial impact and in extreme cases, destroy a business.
Enhanced Rights of Data Subjects
Individuals have a right to obtain copies of all their personal data you are processing, generally within 30 days. They also have the right to have it ported to another provider or to object to its processing on certain grounds. They may also be able to require its erasure – the “right to be forgotten.” This must be explained to them in your privacy policy.
Privacy Policies and other notices
You must provide individuals with extensive information about how you will process their data – in a transparent, intelligible and easily accessible way, using clear language. As a first step to GDPR compliance, organisations will have to update their privacy policies to comply with this obligation.
Reporting Data Breaches
There is a legal obligation to report a personal data breach to the authorities without undue delay – generally within 72 hours. This includes instances of hacking or where you have lost personal data you were holding, wherever there is a risk to individuals.
In serious cases, all individuals potentially affected by the data breach must also be notified, unless the data accessed is properly protected, e.g., by encryption.
Consent
The GDPR has raised the bar if you rely on “consent” for processing personal data. Separate consents are now required for different processing activities. Pre-ticked boxes and blanket consents are not valid and individuals must be able to easily withdraw consent at any time.
For these reasons, most organisations are having to identify other legal bases which they can rely on to process information about individuals in compliance with GDPR and demonstrate that these are legitimate.
Processors Now Liable
Under the previous law, where a business processed personal data strictly on someone else’s instructions, it was a data “processor” rather than a data “controller” and not directly subject to EU data protection law. This is no longer the case. Data processors have many of the same obligations as data controllers and both are jointly liable for breaches in which they are involved.
Data Protection Officers – “DPOs”
Organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, or which process special categories of data on a large scale, must appoint a DPO. Other organizations which process significant personal data are recommended to make such an appointment.
The DPO must carry out a variety of data protection advisory, monitoring and other functions. DPOs must be suitably skilled and experienced, properly resourced and report to the highest levels of management without receiving any instructions and without conflict of interest.
Privacy Impact Assessments
If you are engaged in “high” risk processing – processing that presents a risk of infringing a person’s rights and freedoms, such as large scale processing of sensitive data or monitoring and profiling individual activities – you must carry out a Privacy Impact Assessment or “PIA.” This is a thorough exercise and organizations are likely to require guidance on how to undertake it.
Cybersecurity
Organizations must have appropriate security measures in place to protect personal data. In particular, this requires technical cybersecurity, such as ISO 27001 certification, but also includes organizational policies and staff training. More detail on this requirement can be found in our article, “Cybersecurity - The Victim Becomes the Law Breaker.”
