United States businesses take notice: Your company has less than a year to come into compliance with the General Data Protection Regulation (“GDPR”). While it is well known that the GDPR imposes numerous obligations on EU businesses in the name of consumer privacy, you may be surprised to learn that the GDPR may affect your U.S. company as well—regardless of your organization’s size, footprint, or location. Because compliance takes time, U.S. businesses should act now to position themselves to avoid significant fines, which can rise as high as €20M (roughly $22.4 million) or 4% of the company’s total global revenue.
Enacted in 2016, the GDPR brings major changes to the way Europe protects data privacy and the use of EU residents’ personal information, with numerous new consumer protections and company requirements. And its enforcement does not end at Europe’s border. Rather, the legal obligations imposed by the GDPR extend to non-EU organizations that offer products or services to EU residents, or that monitor European residents’ behavior (for example, by using cookie-tracking or using data analytics to create profiles of users for marketing purposes). Additionally, any non-EU company processing personal data (a “data processor”) on behalf of any entity that controls EU residents’ data (i.e. a “data controller”) will now have greater obligations and liabilities than ever before.
The burden for U.S. companies is heightened by the difference between the European and U.S. approaches to data privacy. Compliance with U.S. state laws will not be sufficient for companies that handle the data of EU residents, the protection of which is a fundamental right in the EU (the equivalent to a U.S. Constitutional right). Under European law, “personal data” encompasses far more than the lists of particular identifiers and combinations that typically constitute protected personal information under U.S. state and federal laws. In the EU, personal data is any information relating to an identified or identifiable person, including online identifiers such as cookies or IP addresses, regardless of the industry sector involved. Moreover, “special categories of data”—racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health information, and sexual orientation or sex life data—will trigger additional protections and requirements. Employee data and criminal conviction data will also receive heightened protection and restrictive treatment.
Enforcement of the GDPR (and imposition of the attendant fines) begins May 1, 2018. EU regulators have not been coy about their goal of vigorous enforcement from day one, and they have added staff for that purpose. Do not expect forgiveness if your privacy safeguards are not fully in place when enforcement begins. If past enforcement actions are any guide, EU regulators will be targeting U.S. companies—particularly because this self-funding regulation can greatly increase European coffers.
So, with the clock counting down, what is a U.S. company to do? The following steps do not capture all of the GDPR’s requirements, but they are a good starting point.
1. Designate an Internal Point Person.
As a preliminary step, companies should select and appoint an internal point person to oversee GDPR compliance. Indeed, for some organizations designated in the regulation, appointing a “Data Protection Officer” (who has specific regulatory responsibilities) is legally required.
2. Map Data Flows.
Companies must also begin to map their data flows. It is not until you assess what data your company has or anticipates having, where that data originates and resides, and where higher-risk data may exist in your system, that you can accurately determine whether your company is subject to and complies with the GDPR (or, for that matter, the rapidly changing requirements of U.S. states). Under the GDPR, a company cannot process or use (“control”) a data subject’s personal data absent a “legitimate basis,” as defined in the regulation. This applies not just to data the company collects, but also to data that it transfers (for example, to vendors or service providers). Companies are also required to maintain complete documentation about the data they collect and process.
3. Identify Gaps in Compliance.
Companies should next identify where compliance falls short, weigh the accompanying risks, and prioritize the measures they will implement to achieve full compliance. No doubt changes will be needed, because the GDPR:
- increases the rights of data subjects and consumers (including rights to data portability, access, erasure, objection, and restriction);
- requires privacy by design or default;
- calls for prescriptive notices by companies;
- heightens the requirements associated with obtaining user consent to process data, stipulating that consent be “freely given, specific, informed and unambiguous,” clear and affirmative (“opt-in”), and revocable; and
- requires downstream accountability by service processors and vendors, in part by including particular clauses in the relevant contracts.
Companies should also confirm that there is a legitimate legal basis (for example, consent) for the data processing and, where applicable, for the data transfers to other countries.
Developing a strategy now for what can and must be handled before 2018, and who is responsible for what, can go a long way toward demonstrating accountability, a key concept under the GDPR. That is particularly so with regard to consumer-facing obligations, such as written policies and notices, the implementation of privacy by design or default elements, and the obtaining of users’ consent.
4. Conduct Privacy Impact Assessments (PIAs).
A company engaging in processing activities that are likely to result in a “high risk” to the data subject’s fundamental right to personal data protection is required to undertake a PIA. The PIA differs from data mapping in that its steps are specifically set out in the GDPR. What constitutes “high risk,” however, is not entirely clear. At the very least, a PIA is required if your company’s processing involves any of the following: (1) the systematic and extensive evaluation of personal data, including profiling, upon which a decision will be based that can have a legal effect on the data subject (for example, an individual’s credit score or a job applicant’s resume); (2) a large volume of data falling within the GDPR’s “special categories” or relating to criminal convictions or offenses; or (3) “systematic monitoring of a publically accessible area.” Beyond that, companies must determine for themselves what is “high risk” by relying on guidance from the EU and other supervisory authorities. Companies must also consult with, and provide PIA documentation to, supervisory authorities if their PIA reveals processing activities that, without risk-mitigating measures, would otherwise be high-risk.
5. Assess and Revise Data Security Policies and Procedures.
All data security policies and procedures, including incident and breach responses, must be assessed and revised to ensure compliance with the GDPR. In certain cases where there has been a data breach, the regulatory authority must be provided notice within 72 hours, and the affected data subjects must receive notice “without undue delay.”
6. Document Measures to Ensure Ongoing Compliance.
A company must not only comply with the GDPR, it must also be able to prove it is complying. The compliance must be reflected in pre-existing internal documentation, not merely in after-the-fact explanations. A company must be able to show that is has been actively attempting—and, ideally, achieving—compliance from the start.
Conclusion
Avoiding financial penalties is not the only reason U.S. organizations should comply with the GDPR. Many of the regulation’s requirements are already being enacted by U.S. states, as in the recent cybersecurity regulation issued by New York’s Department of Financial Services (23 NYCRR 500). Additionally, companies with a global presence are beginning to examine the data privacy practices of their business partners; they may be required, and in any event are likely, to favor those vendors and service providers that are ready to comply.
Companies’ products and services increasingly rely on the “internet of things,” data analytics, artificial intelligence, and other forms of technological integration. While taking steps to comply with the GDPR and federal and state law, companies operating in this fast-moving space are also under pressure to achieve ambitious business goals.
Prince Lobel’s business and data privacy teams are available to help your company determine whether GDPR and other data privacy compliance is needed, identify the highest-priority steps toward achieving compliance, and demonstrate compliance so as to minimize legal risks. Those companies that begin the process now, well before the May 2018 deadline, will be best positioned to meet the legal requirements without compromising their business goals.
If you would like to learn more about how Prince Lobel can help evaluate and prepare your business for compliance with the GDPR and other data privacy laws and regulations, please contact Kathryn Stone, the author of this alert, at 617 456 8091 or kstone@princelobel.com, or William S. Rogers Jr., Chair of the firm’s Data Privacy and Security Practice Group, at 617 456 8112 or wsrogers@princelobel.com.