"GDPR Enforcement Day is Here!"
Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union's (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the "personal data" of EU residents by mandating standards for processing, using, and storing that data. Many organizations do not realize the full magnitude of what the GDPR requires, and non-compliance can cost organizations dearly. However, we are here to help.
Some Very Quick Background
Europe has generally had more stringent rules around organizations' collection and use of personal data of its residents, and the GDPR was adopted due to increased public concern regarding privacy. The GDPR focuses on a few main principles, namely that organizations need individuals' consent to collect data and individuals should only be required to share data necessary to allow the organizations' services to work.
The GDPR was adopted by the European Parliament in April 2016, replacing the EU Data Protection Directive from 1995, which had become outdated. While the law was passed in 2016, enforcement was delayed two years, until today, to give organizations time to come into compliance. The GDPR provisions are consistent across all 28 EU member states, so organizations will need to meet only one standard within the EU. However, that standard is quite high.
Does the GDPR Even Apply to U.S.-Based Organizations?
That's a European law, and you are an American organization, so this does not apply to you, right? Not necessarily. The GDPR provides protections to EU residents no matter where in the world their data travels. The GDPR applies to you if:
- You have offices, branches, subsidiaries, etc. in the EU
- You offer goods or services to individuals in the EU (paid or free)
- You have employees in the EU
- You collect data, communicate with, or monitor the behavior of EU residents (even if you have no EU presence)
- OR you have services providers or suppliers in the EU
It is not surprising that data privacy professionals have had laser-like focus working with U.S. organizations doing business in the EU in order to meet today's GDPR effective date. However, commentators have suggested that less than half of U.S.-based organizations will be substantially compliant by today (this is based upon self-reporting, and so it is likely that this number is even lower).
This update provides answers to some of the most frequently asked questions, along with recommended next steps for use in your way toward GDPR compliance.
Frequently Asked Questions about the GDPR
Q: Why should I care about complying with the GDPR?
A: Non-compliance will cost you. Violators of the GDPR may face penalties as high as €20,000,000 ($23.4 million) or 4 percent of global revenue, whichever is greater.
Q: I only do business in the U.S. Does the GDPR apply to me?
A: As explained above, "doing business" in the EU is not the only way to fall under the GDPR's jurisdiction. If you communicate with any EU residents in your business operations, if any of your suppliers are in the EU, or if your service providers are in the EU, the GDPR applies to you.
Q: I am not in the consumer product business, so the GDPR does not apply to me, right?
A: Similar to the above question, you do not have to be in the consumer product business to be subject to the GDPR. There may be a lower probability that you are subject to the GDPR. However, if you have employees in the EU, communicate with EU residents using email, or your website is accessible in the EU, you will likely be required to comply with the GDPR.
Q: Does the GDPR apply to me if I do a very small amount of business with EU residents or organizations?
A: Unfortunately, there is no de minimis exception to the GDPR, and it will apply even if you only conduct a small amount of business with EU residents.
Q: What is "Personal Data"?
A: "Personal data" is defined as "any information relating to an identified or identifiable natural person (‘data subject’)." To clarify, the GDPR provides that "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This includes a lot of information, and whether specific data constitutes "personal data" often depends on the context in which the data was collected. In general, any of the following can constitute "personal data": general identity information (e.g., name, address, ID numbers), web data (e.g., IP address, RFID tag, cookie data), health and genetic information, biometric information, and racial or ethnic information.
Q: What if the only information I receive from my contacts in the EU is work contact information?
A: It does not matter that the only information you receive from the EU is work contact information. The EU says that even the most basic of personal information (name, email address, phone number) contain "personal data" (defined above), which is now subject to protection under the GDPR. Even a simple email address, phone number, or IP address can be sufficient to meet the definition of "personal data" under the GDPR.
Q: What do I need to do in order to be GDPR-compliant?
A: The steps of GDPR compliance will look different for every organization depending on business operations and how "personal data" is collected, processed, used, and stored.
Some of the first things to consider include the following:
- Review and update your privacy policy and privacy notices
- Assess and revise your written information security program
- Hire or designate a data protection officer
- Conduct a gap analysis to audit your current data security system to identify high risk areas and update processes accordingly
- Create a data inventory, including reviewing (or obtaining) data mapping and storage so you know where you are collecting and storing "personal data"
- Run table-top exercises to test your incident response plan, as you will need to be prepared for a 72-hour data breach notification timeline under the GDPR
- Analyze and amend legacy contracts. Under the GDPR, you are responsible for ensuring that your contractors who have access to "personal data" from your organization comply with the data security and privacy requirements of the GDPR. You can comply by either using Standard Contractual Clauses, which are predetermined by the EU, or an organization-specific addendum
- Create (or update) your vendor management program, including adding GDPR to your vendor assessment and due diligence process so you seek out third-party vendors who are GDPR-compliant
- Educate your staff, particularly staff that interact with new customers/users, have data entry/analysis positions, or who operate or maintain systems that access or house "personal data"
- Make your IT department your best friend - they are going to be integral to these efforts and they will need increased resources and support; and
- Determine whether to register under US Privacy Shield, which is part of an agreement between the U.S. and EU that allows certain U.S. entities to self-certify compliance with the GDPR
So What Do I Do Next?
First, do not panic. As we mentioned, you are not alone if you have not come into full compliance with the GDPR. But you do need to get moving.
Next, reach out to your attorney to determine how the GDPR applies to your organization and get leadership on board for the compliance efforts ahead. The entire organization will need to get involved, including IT, procurement, human resources, marking, sales, research and development, compliance, operations, and legal. It is not necessary to start from scratch, as you can seek assistance from professionals in the industry (legal counsel, consultants, etc.) whose expertise and previous experience can be leveraged to bring your business into GDPR compliance in the most cost- and time- efficient manner.
For questions about the GDPR, assistance with GDPR compliance, or data privacy and security generally, please contact any of the authors or your Quarles & Brady Data Privacy and Security attorney.