May 25, 2018, the day by which organizations need to comply with the European Union’s General Data Protection Regulation (GDPR), is fast approaching. If your organization does any business in the European Union or the United Kingdom, whether it has employees located in the EU or UK or sells goods to or collects data from EU or UK residents, the GDPR likely applies to you. It could also apply to you if you process data on behalf of organizations that do business in the EU. The GDPR may not have hit your radar because the relatively lengthy two-year period for compliance did not ignite a sense of urgency within your organization, but the day for compliance is less than one year away, and the GDPR can be complicated. Is your organization ready?
Significantly, the GDPR differs from the previous EU framework (the 1995 Data Protection Directive) and applies to a broader range of organizations. The following are key GDPR considerations for your organization:
- The GDPR applies to your organization if it offers goods or services to, or monitors the behavior of, individuals in the EU, or processes personal data in the context of an EU establishment. Unlike the previous EU framework, it does not require the use of equipment located in the EU to apply. The GDPR has very specific provisions for collecting, handling, processing, transferring, storing, and destroying personal data.
- Your organization must appoint a knowledgeable Data Protection Officer (DPO) charged with GDPR compliance if it is a public authority, engages in “regular and systematic monitoring of data subjects on a large scale,” or conducts large-scale processing of “special categories of personal data” (such as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or sexual orientation).
- The GDPR now contains data breach notification requirements that are more expansive than US data breach notification laws: they are triggered when a broader category of personal data is exposed, require notification to the supervisory (data protection) authority within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals, and require notifying the affected individuals themselves when the breach is likely to result in a high risk to them.
- Organizations that are data controllers remain responsible for vendors who process personal data on their behalf: they may use only processors that provide sufficient guarantees and must bind them by a written contract covering the required terms. Processors also carry direct obligations of their own under the GDPR for the first time.
- The GDPR codifies a data subject’s right to be forgotten (right to erasure). If personal data is no longer needed for the purpose for which it was collected, or the person withdraws consent or objects to the processing, the person can request that the organization delete that data. If the organization has made that data public, it must take reasonable steps to inform other organizations processing the data of the request for erasure, including of any links to or copies of it. The right is not absolute: retention required by law or for the defense of legal claims, for example, is exempt.
- A data subject also has a right to data portability: where processing is carried out by automated means and is based on consent or a contract, the organization must, upon request, provide the personal data that the person supplied to it in a structured, commonly used, machine-readable format. The data subject may then transmit that data to any other data controller, and may ask that it be sent there directly where technically feasible.
- Cross-border data transfers to the US remain complicated, but the GDPR still permits transfers under binding corporate rules, standard (model) contractual clauses, approved codes of conduct and certifications, and an adequacy decision such as the EU-US Privacy Shield. Some of these mechanisms have become more formalized. The GDPR does not recognize a transfer made solely in response to a court judgment or administrative order from a third country unless the order is based on an international agreement such as a mutual legal assistance treaty.
- Where your organization relies on consent as its basis for processing, that consent must be freely given, specific, informed, and expressed “by a clear affirmative action”; it cannot be an opt-out. Pre-checked boxes, silence, and implied consent are no longer valid. Consent used as the basis for a cross-border transfer must additionally be explicit and given after the person has been informed of the risks of the transfer.
Implementing the GDPR’s provisions will take time, which is why organizations were given two years to make the transition. Before you can plan for GDPR compliance, you need an inventory of all personal data you hold: what it is, why you hold it, the legal basis for holding it, whether you still need it, and what security safeguards protect it. If you have not already, you must institute procedures to detect, report, and investigate a data breach, including a process that can meet the 72-hour notification window. Accordingly, planning and executing that plan should start now to allow time for cost-effective decisions. You will also need time to train employees and put systems in place for the new climate in which customers have rights over their data. Will you be able to respond efficiently, and generally within one month, when customers request a copy of all of their personal data at no cost to them? Will you have the proper mechanisms in place to transfer personal data from the EU to the US?
Non-compliance with the GDPR can also result in steep penalties. Fines for the most serious violations can reach the higher of 20 million euros (approximately $22.5 million) or 4 percent of your organization’s total worldwide annual turnover for the preceding financial year; a lower tier of 10 million euros or 2 percent applies to other violations. This is in addition to the damage that negative press surrounding data breaches or inadequate privacy protections will do to your organization’s reputation.