By Shari Claire Lewis
The business news media has been abuzz with talk of the European Union General Data Protection Regulation (GDPR), a new data privacy rule that goes into effect on May 25, 2018.
What, if anything, does the GDPR mean for U.S. businesses? What steps does a Long Island company need to take to comply with the rule, and what are the risks of failing to comply? The answers to these questions may surprise you.
What is GDPR, and what led to its enactment?
The GDPR’s purpose is to protect the personal data of EU residents wherever that data is located. Therefore, the GDPR regulates entities outside of the EU that have EU subsidiaries, provide goods and services to EU residents or who collect or process data concerning any EU resident.
At this stage, it is difficult to know how robustly the GDPR will be enforced around the globe. Part of the purpose of enacting the GDPR was to respond to the crisis of cyber breach events and create a uniform approach if a data breach occurs.
Which U.S. companies are covered by the GDPR?
The threshold question a business must answer to determine if it is subject to the GDPR is whether, and to what extent, the company is conducting business in the EU or with EU residents. This also includes customers acquired through a company’s online presence.
If a company determines that it does not receive, use or process any personal data on any EU residents, then the GDPR does not apply to it. However, in this day and age, many previously “local” companies provide goods and services beyond their immediate geographical area, whether as a result of their internet presence, globalization in trade or increased personal, international travel.
What does the regulation say about data collection?
The next step is to understand the regulation’s objective, which is to shift control over data collection practices from the entity that collects the data to the individual whose personal data is being collected. To accomplish this, the GDPR sets forth principles that a business must incorporate into its data collection practices:
• Personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” In other words, businesses must have a legal reason for collecting and using the data and, except where collection is legally required, a person’s express consent must be obtained on an “opt-in” basis. An entity that wants to collect personal data must solicit an opt-in using clear language to explain exactly what data is to be collected and its specific proposed use. This is different from the typical U.S. business practice of permitting collection by default unless someone “opts out.”
• Once collected, the personal data may only be used for “specified, explicit and legitimate purposes” and may not be further “processed” in a manner that is incompatible with that purpose. Accordingly, under the GDPR, a company may no longer routinely collect personal data in hopes that it eventually may want to use that data for marketing purposes.
• Data collection is restricted to what is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The personal data must be accurate and up to date, and “reasonable steps” must be taken to erase or rectify inaccurate personal data “without delay.” Similarly, personal data must be handled in a manner that protects its “integrity” and “confidentiality.”
• Finally, personal data may be kept for only so long as it is needed for the purposes to which the individual consented.
I think GDPR applies to my business. Now what?
According to the regulation, your company must be responsible for complying with the GDPR collection principles outlined above and be able to demonstrate that compliance. That means documenting what personal data is held by your company, who has access to it and with whom that data is shared.
Your company’s privacy notices must be updated to provide full disclosure about your company’s data collection practices, to require customers to affirmatively opt in to having their data collected, and to explain how customers can change their consent or assess their data’s accuracy over time. Your company is also required to assess the security of the personal data it holds, including how it is collected, stored and accessed, and to make the adjustments necessary to address existing and emerging cyber security threats.
Additional requirements exist for governmental bodies, public authorities and private entities whose “core activities” consist of “large scale” processing of personal information. A local business may be surprised that its possession of private data concerning employees, customers, prospective customers, business affiliates or others may, in the aggregate, be enough to qualify it as a large scale processor of personal data.
If so, the business may be required to meet the enhanced requirements of the GDPR, one of the most notable of which is the appointment of an in-house or outside “Designated Privacy Officer.”
How will the GDPR be enforced?
Initial GDPR enforcement efforts will likely focus on organizations that have a substantial EU presence or target EU citizens. If a company’s connection to EU residents involves more than mere random or sporadic contact, it is wise to take steps to comply with GDPR. Conversely, businesses should document the analysis that produced the conclusion that GDPR does not apply to them.
The GDPR permits regulators to impose significant fines and penalties on companies that fail to comply with the rule. Maximum fines are separated into two tiers. The lower tier applies to a failure to comply where no real harm has occurred to EU residents. In this case, a fine of up to the greater of 2 percent of net profit in the prior year or 10 million euros may be assessed. When EU residents’ rights are violated, however, the maximum fine can be up to the greater of 4 percent of net profit or 20 million euros.
How can I reduce my company’s risk of an enforcement action?
The first step is to undertake a frank and full assessment of your company’s data practices. This includes policies for collection, storage, security and disposal of data, and whether the company is likely to fall within the GDPR’s purview.
Next is to prioritize the steps that are most critically needed and feasibly achievable. High on this list may be revising the company’s privacy statements and practices, which are usually set forth on a company’s website, apps, social media pages and other interactive media.
It is also important for a company to address its privacy framework, including who is in charge of privacy for the company and what the company’s and its vendors’ practices are regarding collecting, holding and processing personal data. Companies should create a proactive plan to improve their data practices moving forward to achieve GDPR compliance in the near future.
Finally, companies are advised to create a rapid-response plan that will comply with GDPR requirements and applicable federal and state regulations. In every case, maintain documentation to demonstrate the company’s compliance efforts.
The reality is that many, if not most, U.S. companies will not be in full compliance with GDPR by the May 25, 2018 deadline. However, company efforts, if undertaken in good faith, may mitigate the risk of GDPR fines or penalties. Equally important, it makes good business sense to create a long-term, proactive data strategy to address the potentially catastrophic impact of a cyber security event regardless of what law is applied.
For more information about the GDPR and for assistance in assessing whether it applies to your business, contact your attorney.
Shari Claire Lewis is a partner in Rivkin Radler’s Privacy, Data & Cyber Law Practice Group.