The General Data Protection Regulation (“GDPR”) establishes protections for the privacy and security of personal data regarding individuals in the European Economic Area countries (all European Union member states, Norway, Iceland and Liechtenstein – referred to for purposes of the GDPR as the “EU”). The GDPR became effective on May 25, 2018, and is a substantial change to EU privacy and security laws. The GDPR has significant implications not only for EU-based organizations, but for non-EU based organizations that conduct business or business communications in EU countries.
On a very basic level, the GDPR regulates the collection, use, disclosure or other “processing” of “personal data” by controllers and processors. GDPR requires organizations to let individuals know how their data is being used, and requires them to get individualized consent – in clear, specific language – before using their data. If the reason for using the data changes, the organization will need to obtain the individual’s consent again. For example, if an organization collects someone’s medical history for clinical care, the organization would not be allowed to use that history for medical research without receiving a second consent.
Individuals also have new rights under the regulation, including the “right to be forgotten.” If an individual asserts this right, all of the individual’s personal data must be erased immediately as long as the data is no longer needed for its original processing purpose, and there is no other reason for maintaining the data (e.g., statutory recordkeeping requirements).
If an organization violates the GDPR, it will be subject to maximum fines of 4% of annual global revenue or 20 million euros, whichever is greater. That’s a considerable difference when compared to what US companies have paid for data breaches to date. In 2016, for instance, Advocate Health Care agreed to pay $5.55 million to settle data protection violations that affected about 4 million patients. If it had faced the maximum GDPR fine, that would have amounted to over $200 million.
Extraterritorial Reach
As mentioned above, an important aspect of the GDPR is its extraterritorial reach. US-based companies with no physical presence in the EU are subject to the GDPR in the following situations:
a. Offering goods and services (even if for free) to individuals in the EU. This is more than the mere access to a website or an email address. If a company’s marketing activities, for example, are intended to recruit individuals in the EU, this may bring the company under the parameters of GDPR.
b. Behavior monitoring of individuals in the EU (e.g., tracking individuals on a website through the use of cookies or logging IP addresses).
Basic Definitions
In order to help you understand how GDPR applies, the following are some basic definitions for terms commonly used in the regulation:
“Data Controller” is defined as any individual or entity that determines how and for what purposes personal data is processed.
“Data Processor” is defined as any individual or entity that processes personal data for a data controller, other than the controller’s employee.
“Personal Data” is defined as “any information relating to an identified or identifiable natural person” who is in the EU, regardless of the individual’s EU citizenship status. An individual is identified or identifiable if the individual can be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
“Processing” is very broadly defined and essentially applies to anything that is done to or with personal data.
Steps to Take Now
- Understand the types of personal data your business is handling. Perform a data audit so that you know what data you are collecting, and determine how that data is obtained, how it’s used, where it’s stored and how long it’s stored.
- Develop a consistent policy to process personal data and acquire consent from your customers. Under the GDPR, consent needs to be clear and specific. Make sure your privacy policy explains the legal basis for processing personal data.
- Review and update your security measures and policies for GDPR-compliance.
- Prepare for data requests. The GDPR provides that customers have the right to access their data, correct inaccurate data, object to their data being processed, or even completely erase any of their personal data that you hold. Such requests must be processed and completed within the time frames required under the GDPR.
- Make your consent process clear, specific and transparent. Under the GDPR, consent must be in the form of a request separate from other terms and conditions. It must also require a positive opt-in in, which means users must check “yes.” Opting for a mailing list does not give the business the ability to use a customer’s data for something else unless that secondary purpose is outlined and consented to. Individuals should also know how to withdraw from your company’s database at any time.
By Gray Derrick of Baird Holm