Last updated: 12 October 2017
As most are well aware, the General Data Protection Regulation (GDPR) has created a new data security standard that aligns the current member state legislation across the European Union (EU). It covers not only citizens but also visitors and immigrants, as well as any company that retains EU customer data. The legislation applies to any organization (including any third party receiving this data through the normal course of its operations) that offers goods or services to, or monitors the behavior of, individuals in the EU, whether or not it resides and processes data within the Union.
The GDPR deadline for all U.S.-based multinational enterprises doing business in the EU is May 25, 2018. Gartner research has predicted that only 50% of companies impacted by this regulation will be compliant by the end of 2018. Non-compliant companies face hefty fines of up to €20 million or 4% of global annual revenue, whichever is greater. In order to remain compliant, there are several issues U.S. organizations would do well to consider:
- "Privacy by Design" – Organizations must consider privacy at the initial design stage and throughout the lifecycle of any new product, process or service that involves personal data. All organizations must be able to demonstrate compliance with this principle.
- DPO (Data Protection Officer) – GDPR specifies three circumstances in which a DPO is required, so you may need one:
"DPOs will be required of all public authorities, except for courts acting in their judicial capacity.
DPOs will be required wherein the core activities of the controller or processor require 'regular and systematic monitoring of data subjects on a large scale.'
DPOs will be required wherein the core activities of the controller or processor involve large-scale processing of special categories of sensitive personal data, e.g., religious or philosophical beliefs, political opinions, racial or ethnic origins, biometric and genetic data for the purpose of uniquely identifying a natural person, or data concerning health."
The lead supervisory authority will be the main authority companies deal with, though in some circumstances local authorities may step in and cooperate with it.
- Extraterritorial Reach – Instead of being territorial, the rules follow the data. In other words, GDPR applies to U.S. companies not located in the EU that nonetheless offer goods or services to, or monitor the behavior of, EU citizens. These organizations must comply with the GDPR rules on the data privacy of those individuals.
- Cross-Border Transfers – Safe Harbor is no longer valid. In its place, the European Commission approved and adopted the EU-US Privacy Shield, which allows the Commission to conduct periodic reviews to ascertain that an adequate level of protection exists for data transferred across borders. While the GDPR does not specifically refer to the EU-US Privacy Shield, it does explicitly acknowledge the current requirements for Binding Corporate Rules (BCR) for processors and controllers. This is particularly valuable when dealing with member states that do not recognize BCRs. Prior to GDPR, standard contractual clauses required prior notice to and approval by data protection authorities; under GDPR, they may be used without this prior approval. Codes of conduct and certifications have been approved as guidance on the requirements and as proof of compliance.
- Breach Notifications – A data breach must be reported to the supervisory authority within 72 hours of initial occurrence. If the breach poses a high privacy risk for EU citizens, those individuals must also be notified.
- Consent – Consent must reflect the data subject's genuine and free choice. If there is any element of compulsion or undue pressure put upon the data subject, consent will not be valid. GDPR Article 4 defines consent as "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed." Moreover, parental consent is required to process the personal data of children under age 16. Organizations must therefore be able to show how and when consent was received. EU citizens also have the right to erasure of personal data that is no longer needed for the purposes for which it was originally collected.