GDPR: Less Than 100 Days and Counting to "G-Day" — Here's What You Need to Know
The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. As the EU’s website succinctly states, “GDPR is the most important change in data privacy regulation in 20 years.”[1]
The territorial reach is expansive. The terminology is unique. The requirements are at times very specific and at times very vague (and sometimes undefined). And the penalties and fines for non-compliance are severe. The bottom line – it is critical that every organization conduct an internal analysis to determine whether GDPR applies to all or part of your business, and work expeditiously to become GDPR compliant if it does.
This Legal Alert summarizes the basic framework of GDPR and outlines several steps that organizations need to consider to become GDPR compliant with the “G-Day” Effective Date less than 100 days away.
What is GDPR?
GDPR is the EU’s attempt to create a more comprehensive and more uniform data privacy regime for EU citizens. GDPR replaces and significantly expands the scope of the current Data Protection Directive (“DPD”) and mandates more security and transparency in the storage and processing of personal data.
How Can GDPR Apply To My Business?
One of the most striking features of GDPR is its extra-territorial application. On its face, GDPR is global in scope and applies to companies that may not conduct business in an EU country.
GDPR applies to any organization involved in the processing of personal data of individuals located in the EU. “Personal data” is defined to include “any information relating to an identified or identifiable natural person”, affectionately referred to as a “data subject.”[2] “Processing” is defined to include “any operation or set of operations which is performed on personal data or sets of personal data.”[3]
To effectuate this extra-territorial scope, GDPR expands on DPD and applies to both “controllers” (who determine the purposes and the means of processing the data) and “processors” (who actually process the data for the controller).[4] Regardless of where the controllers or processors are located, GDPR applies if: (a) the controller or processor maintains an establishment in the EU and processes personal data, regardless of where around the world the data is stored or processed; (b) the controller or processor engages in processing activity “related to the offering of goods or services to data subjects in the Union,” regardless of where around the world the data is stored or processed; or (c) the controller or processor engages in processing that is related to “monitoring” in the EU or the “behavior” of data subjects in the EU.[5]
What Does GDPR Require?
GDPR creates a framework for the storage and processing of personal data and requires specific, written documentation of all decisions and steps related to processing.
Controllers can only process personal data for five permissible lawful bases listed in Article 6 of GDPR. If the processing does not fit within one of the five bases, the controller must have the individual’s consent – and GDPR places new restrictions on how consent can be obtained.[6]
If a controller relies on a processor to process personal data on its behalf, the controller must have a written contract with the processor and the contract must: (a) explicitly confirm that the processor will comply with GDPR; and (b) specifically delineate a number of terms regarding the purpose, scope and nature of any processing of the data.[7]
The GDPR also gives new rights and benefits to EU citizens to protect their personal data. Controllers must allow EU citizens to correct inaccurate or incomplete personal data (“the right to rectification”) and must erase personal data upon request if the personal data is no longer necessary for the purposes for which it was originally collected or processed (“the right to erasure”). EU citizens also have the right to request and obtain information regarding how their data has been processed (“right to information” and “right of access”) and also have the right to request a copy of their data and to transmit the data to another controller (“the right to data portability”).[8]
What If I Don’t Comply with GDPR?
The GDPR imposes potentially draconian penalties for non-compliance – with fines up to 20,000,000 euros or 4% of worldwide sales volume/revenue, whichever is higher.[9]
What Do I Need to Do?
It is imperative that every organization conduct an internal analysis and determine whether GDPR applies to all or some of its business. GDPR is a 200+ page regulation with new terminology and a number of carve-outs. If you conduct an analysis and conclude that GDPR does not apply, you should consider documenting that decision in case it is questioned by EU regulators or customers/individuals in the future.
If the GDPR is applicable to all or some of your business, there are numerous specific requirements that need to be on your checklist for consideration and implementation before May 25, 2018 (with slight variations between controllers and processors). Here are our top ten considerations:
1. Appoint a Data Protection Officer (“DPO”): GDPR requires the creation and appointment of a DPO in many organizations and provides a detailed list of responsibilities and powers which the DPO must have; in fact, the DPO must also have certain employment protections to preclude retaliation or termination for performing DPO responsibilities.[10] The creation of this new position sounds overly simple at first, but GDPR will require every company to review its reporting structure and organizational flow chart to account for this new position. In addition, if your organization is not established in the EU, you may also be required to appoint a local representative.[11]
2. Establish New Record Keeping Requirements (and follow them!): GDPR imposes a framework heavily reliant on written documentation of all decisions regarding the processing of data.[12] GDPR also gives supervisory authorities wide investigative powers to undertake on-site data protection audits of the written documentation.[13] There is some relief from some of these requirements for companies with fewer than 250 employees in certain circumstances – but even the decision to take advantage of the relief should be documented. Organizations must implement requirements which create paper trails and satisfy GDPR requirements. And if you are an organization that historically is lax on internal documentation, now is the time to commit to better internal documentation.
3. Review and Amend Contracts Between Controllers and Processors: As discussed above, GDPR has a lengthy list of topics which now must be specifically addressed in any contract related to the processing of personal data.[14] Every controller and processor needs to review its contracts and determine whether all topics are covered and whether the contracts need to be amended before May 25, 2018.
4. Conduct Data Protection Impact Assessments (“DPIA”): Organizations must now conduct DPIAs for any type of processing that is “likely to result in a high risk to the rights and freedoms of natural persons.”[15] The goal is for organizations to think more critically about the nature, scope and needs/risks of processing before any processing occurs and to document and justify the decision-making process.
5. Implement “Data Protection by Design and by Default” For Future Development: Organizations must implement policies to comply with the GDPR’s “Data Protection by Design and by Default” principle, which requires companies to design for the inclusion of data protection at the outset of designing a system. GDPR also calls for data minimization (holding and processing only data absolutely necessary for the completion of the task) as well as limiting access to personal data within the company.[16] While these may be generally good business practices, GDPR mandates them (and, again, requires written documentation).
6. Assess and Update Data Breach Notification Procedures: GDPR requires organizations to provide notice of a data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”[17] This requirement is fundamentally different from most US state notification requirements and presents a number of legal and practical problems. Companies need to examine their Information Governance and Incident Response Plans to accommodate this short notice period and evaluate how this would impact their notice obligations under various US state laws as well.
7. Update informed consent procedures: GDPR places a number of restrictions on how controllers can obtain consent and emphasizes that consent must be freely given, specific, informed and unambiguous.[18] Companies need to evaluate how they obtain consent going forward and whether their current process is compliant with GDPR.
8. Analyze and revise data storage policies: The individual rights granted under GDPR (i.e., the right to rectification, the right to erasure, the right of access, etc.) may create technical and practical problems depending on how you store personal data. Organizations need to analyze their data architecture and tools to determine whether they have the capabilities to accommodate these new rights and individual requests.
9. Monitor Developments Regarding the EU-US Privacy Shield: Participation in the Privacy Shield currently provides some level of protection to US companies (in addition to using standard contract clauses approved by the EU). The European Commission recently endorsed Privacy Shield but made several recommended amendments which have not been codified. Expect more activity in this area as May 25 approaches.
10. Educate, Educate, Educate: As with any new regulatory framework, it is important to work with and train employees regarding policies and compliance, especially with respect to the enhanced rights of individuals making individual requests regarding personal data. We could outline ten more steps for this consideration alone – as part of this analysis, consider how to educate or reinforce good data privacy management policies and principles with your work force to protect both personal data and corporate data.
Whether your organization is governed by GDPR or not, GDPR is a good catalyst for generally evaluating your data protection strategies. Even if your data analysis concludes the GDPR does not apply, several states and other countries are considering similar regulatory frameworks to GDPR, both generally and for specific industries like health care and finance, so you may have to update and amend your strategies and policies going forward in response to other statutory or regulatory initiatives. Every organization needs an Information Governance strategy for accessing, storing, processing, and deleting data – “G-Day” provides a good deadline for conducting a new internal analysis and reviewing Information Governance policies to adopt better practices in this changing landscape.
KMK’s Cybersecurity & Privacy Team is a cross-disciplinary team which advises organizations on Information Governance, helps develop and implement appropriate policies and procedures, and manages Data Breach Incidents. We welcome the opportunity to meet and advise on your Organization’s GDPR, Information Governance, and Cybersecurity and Data Privacy needs.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
© 2018 Keating Muething & Klekamp PLL. All Rights Reserved
[1] www.eugdpr.org.
[2] Art. 4, ¶1, GDPR.
[3] Art. 4, ¶2, GDPR.
[4] Art. 4, ¶¶7 and 8, GDPR.
[5] Art. 3, ¶¶1 and 2, GDPR.
[6] Art. 6, ¶4, GDPR (“Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; [or] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”); see also Art. 7, GDPR (regarding conditions for consent).
[7] Art. 28, ¶3(a)-(h), GDPR.
[8] Arts. 13-20, GDPR (Information and Access to Personal Data).
[9] Art. 83, GDPR.
[10] Art. 39, ¶1(a)-(e), GDPR (“The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; (d) to cooperate with the supervisory authority; [and] (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”); see also Arts. 37-39, GDPR.
[11] Art. 27, GDPR.
[12] Art. 30, GDPR.
[13] Arts. 55-59, GDPR.
[14] Art. 28, ¶3(a)-(h), GDPR.
[15] Art. 35, GDPR.
[16] Art. 25, ¶1, GDPR (“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”); see also Arts. 25 and 32, GDPR.
[17] Arts. 33-34, GDPR.
[18] Arts. 13-15, GDPR.