General Data Protection Regulation (GDPR)

GDPR – Data Processing EU Data as a US Business

Due to the growing and ever-changing digital market, the EU took a major step to protect EU citizens’ personal data and privacy rights in today’s digital world. From proposal to adoption, the General Data Protection Regulation (GDPR) took over four years to become law. It regulates the collection of EU citizens’ personal data and its security during processing and movement. The GDPR is applicable in all EU markets/countries, including, by association, Norway, Switzerland, and the UK.

What Is the GDPR?

The purpose of this legislation is to protect the personal data of the EU’s citizens, including how that data is collected, stored, processed/used, and destroyed once it is no longer needed. Prior to the GDPR, there was the 1995 EU Data Protection Directive, followed by the Data Protection Act of 1998.

However, the GDPR is more specific in defining the scope of personal data so there is less room for interpretation. Personal data includes IP addresses, location data, and online identifiers. Sensitive personal data includes biometric and genetic data.

Therefore, the GDPR was created and adopted into law to give EU citizens transparency and control over their personal data, including their right to be “forgotten.” Other points include the parental consent necessary for processing children’s data, cross-border data transfer, how to prevent data breaches, and strict guidelines for notification when data breaches do occur.

Furthermore, the GDPR applies not only to companies in the EU, but also to all companies globally—small- to medium- to large-sized—that market goods or services to EU citizens. In addition, it applies to any companies that control or process personal data relating to an EU citizen or that monitor the behaviors of an EU citizen.

Previously, if your company was the processor (meaning you processed personal data on behalf of another company—the controller), compliance with privacy requirements sat squarely on the shoulders of the controller. Under GDPR, both processors and controllers are accountable and responsible for the handling of EU citizens’ personal data.

All of the aforementioned companies must be compliant with all GDPR requirements. That’s why it’s important to prepare for the GDPR based on the Information Commissioner’s Office guidelines. For certain businesses, it will be mandatory to designate a data protection officer (DPO) to oversee GDPR compliance.

GDPR Timeline

After proposing new regulations in 2012, the European Parliament and Council approved and adopted the new regulations in April 2016. Recognizing the many challenges and obstacles that companies face to become compliant with GDPR, they instituted a two-year transition period leading up to the effective date of May 25, 2018. Companies must ensure they are compliant prior to the effective date. Non-compliant companies will be subject to stiff penalties and fines.

Key Features of the GDPR

  • Requiring consent for data processing to ensure the rights of all EU citizens
  • Parental consent mandatory before accessing children’s personal data
  • Right to be forgotten—the EU citizen’s right to erasure of personal data
  • Data breach notifications
  • Safe handling of data transfer across borders
  • Penalties/fines (calculated on the company’s global annual turnover of the preceding financial year) of up to 4 percent or €20 million (whichever is greater) for non-compliance with the regulation; 2 percent or €10 million for less important infringements (whichever is greater)

7 Key Considerations for US Companies

1. Consent: Consent must be clear and affirmative; inactivity or silence does not constitute consent. GDPR Article 4 defines consent as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” Moreover, parental consent is required to process personal data of children under age 16. Therefore, companies must be able to show how and when the consent was received. What’s more, EU citizens must have the right to erasure of personal data if it is no longer needed for the reasons it was originally collected.

If you are a service provider using third-party services overseas, you must also seek authorization to process customer data overseas, with accompanying GDPR procedural compliance documentation from the supplier. The supplier must comply with GDPR and have the necessary audit/procedural documentation in place.

2. Territorial Reach: Essentially, this means the rules follow the data, instead of being territorial. In other words, this applies to US companies that are not located in the EU but do offer goods or services to EU citizens or monitor the behaviors of EU citizens. These companies must be in compliance with GDPR rules on the data privacy of these individuals.

3. Privacy by Design: In essence, this is data protection and privacy compliance built into a service or product from its inception, throughout its lifecycle, to the point of delivery. Companies must be able to prove their compliance with this principle.

4. Data Protection Officer: Do you need one? You might. GDPR outlines three specific instances in which a DPO designation is required:

  • DPOs will be required of all public authorities, except for courts acting in their judicial capacity.
  • DPOs will be required where the core activities of the controller or processor require “regular and systematic monitoring of data subjects on a large scale.”
  • DPOs will be required where the core activities of the controller or processor involve large-scale processing of special categories of sensitive personal data, e.g., religious or philosophical beliefs, political opinions, racial or ethnic origins, biometric and genetic data for the purpose of uniquely identifying a natural person, or data concerning health.

5. One-Stop Shop: This means companies have only to deal with a single supervisory authority. The lead supervisory authority will be the main authority companies will deal with; however, some circumstances will allow local authorities to step in and cooperate with the former. Companies doing business in the EU will find this a cheaper and easier method than dealing with a separate supervisory authority in each of the 28 EU member states.

6. Data Breach Notification: When a data breach occurs, it must be reported to the supervisory authority within 72 hours of the occurrence. If the breach poses a high privacy risk for EU citizens, those individuals must also be notified. All GDPR data breach procedures must be audited prior to GDPR compliance approval.

7. Cross-Border Transfers: Safe Harbor is no longer valid. In its place, the European Commission approved and adopted the EU-US Privacy Shield. It allows the European Commission to conduct periodic reviews to ascertain that an adequate level of data protection exists in cross-border data transfers. While the GDPR does not specifically refer to the EU-US Privacy Shield, it does explicitly acknowledge the current requirements for Binding Corporate Rules (BCR) for processors and controllers. In particular, this is valuable when dealing with member states that do not recognize BCRs. Prior to the GDPR, standard contractual clauses required prior notice to and approval by data protection authorities. Under GDPR, they may be used without this prior approval. Codes of conduct and certifications have been approved for guidance on the requirements and proof of compliance.

Steps US Companies Should Be Taking To Comply With GDPR

Educate your employees. Ensure everyone in your organization, from the Board down, and particularly anyone who handles personal data, understands EU citizens’ data privacy rights in regard to GDPR. Based on the ICO’s guidance, this is how you should prepare:

1. Awareness of Data You Hold: You need to document the personal data held, where it came from, where it is, why it’s being processed, and who it is shared with. Key decision makers in your organization should fully understand and appreciate the impact of GDPR.

2. Prepare for Data Breaches: Review and update procedures you have in place to detect, report, and investigate data breaches involving personal data so you can adhere to the timeframe and rules handed down by the GDPR. This information has to be fully documented.

3. Accountability Framework: GDPR requires companies to be able to show they have effective policies and procedures in compliance with data protection principles as outlined. This includes a retention policy for personal data. Contact information for the DPO and data controller must also be provided. Be aware of how to handle subject access requests within the GDPR’s new timeframes as well. Review how you are seeking, obtaining, and recording consent and assess whether changes should be made. Verify the system for collecting people’s ages and gathering parental or guardian consent for data processing activity. This information has to be fully documented.

4. Embrace Privacy by Design: If you haven’t already, embrace privacy by design. It will help identify problems at an early stage, which is less costly than addressing them later in the process. It assists with more effective and efficient processing of personal data.

5. Consider Your Retention Policy: Review your current data retention policies and be sure you are in compliance with the GDPR. The GDPR requires data controllers to ensure personal data is stored for a strict minimum amount of time; it must be deleted once it is no longer needed for the purpose for which it was collected. However, this may well be challenged if a US regulation cites the need to retain the data for a longer period than the GDPR states. Designate a Data Protection Officer or someone who can be responsible for data protection compliance and carve out this role as part of the organization’s structure and governance policies.

6. Check Privacy Policies and Notices: Review your privacy policies and make any necessary changes to be GDPR-compliant and update your privacy notices. This includes making individuals aware of your legal basis for processing their personal data, the intended use of their information, retention policy, and their right to complain to the Information Commissioner’s Office if they believe you are handling their personal data inappropriately. These points must be stated in clear, concise, and easy-to-understand language. This information has to be fully documented.

7. Third-Party Risks: Manage your supply chain risk. Perform your due diligence and carefully choose your supplier. Do they understand and comply with the GDPR? If not, make the necessary supplier changes well ahead of time to reduce risk exposure.

8. Cross-Border Data Transfers: Cross-border transfer of EU citizens’ personal data outside of the EU is only permissible when GDPR conditions are met fully. Violations of these conditions will incur the highest category of fines. That means if your organization operates internationally, you will need to consider which data protection supervisory authority you fall under and provide all necessary procedural legal information to your EU customers.

9. GDPR Audit: Take the GDPR audit to prove the authenticity of your GDPR compliance.