After several months of anticipation, preparation and general uncertainty, the European Union’s new privacy regulation, the General Data Protection Regulation (GDPR), is set to go into effect on May 25, 2018. With this looming deadline, the GDPR will vastly reshape how companies around the world collect, process, and share personal data.
While many companies are working to be compliant by the May 25, 2018 date, many others are either unsure of whether the GDPR affects them or simply unprepared to become fully compliant. Regardless of where you find yourself on this spectrum, it is not too late to take meaningful steps to shore up your privacy practices and begin to comply with GDPR’s more stringent approach to data privacy.
But first, a quick primer on the GDPR:
By way of background, the GDPR applies to companies that collect or process the personal data of individuals located in the EU, regardless of those individuals’ citizenship. “Processing” under the GDPR is broad: it covers anything from collecting log-in information of subscribers to tabulating demographic trends of customers. Similarly, “personal data” under the GDPR is broader than “personally identifiable information” is generally understood to be in the United States. It includes not simply your name, address, phone number or other direct contact information, but any information relating to an identified or identifiable individual, including online identifiers such as IP addresses, cookie identifiers and user names.
Moreover, the GDPR applies not simply to companies established in the EU, but also to companies outside the EU that offer goods or services to individuals in the EU or monitor their behavior (Article 3). This means that a US-based company that collects personal data from individuals located in the EU and processes that data in the US is subject to GDPR’s requirements, and the transfer of that data out of the EU is itself restricted to the mechanisms permitted under Chapter V of the GDPR.
If you are unsure if this applies to your company, ask yourself the following:
- Can your website be reached under an EU country’s top-level domain (e.g. “.fr” for France)?
- Is your website offered in a language spoken in an EU member state, beyond the language you use in your home market?
- Do you accept the Euro in exchange for your goods or services?
- Do you actively advertise within the EU or in any of the official languages spoken in the EU?
- Do a significant proportion of your sales come from the EU?
- Do you have any company offices in the EU?
If you answered yes to any of these questions, then it is likely that GDPR will apply to your business. No single factor is decisive, however: Recital 23 makes clear that the mere accessibility of a website from the EU, or use of a language that is also spoken in your home country, is not by itself enough. What matters is whether you envisage offering goods or services to people in the EU or monitoring their behavior.
Finally, and perhaps most notably, the GDPR imposes strict penalties on companies found to be in non-compliance with its standards. Penalties for the most serious infringements may be as much as 4% of a company’s total worldwide annual turnover for the preceding year or €20 million, whichever is greater; a lower tier of 2% or €10 million applies to other infringements, such as failures in record-keeping, security or breach notification (Article 83). While most experts expect that the largest fines will be reserved for large data processors and the most overt offenders, it is paramount that companies take the GDPR seriously over the coming months and years.
In short, the GDPR will soon be here, and companies must be proactive to ensure they are not on the wrong end of non-compliance.
What steps to take to prepare for GDPR?
Given that the GDPR will take effect in the next few days, what can companies that are late to the party do to mitigate their risk?
- Become familiar with GDPR
As touched upon briefly above, the GDPR may require significant modifications to existing privacy practices for many companies. In order to prepare for and implement processes for compliance, it is important that companies assign dedicated personnel to reviewing, assessing, and understanding GDPR’s definitions and requirements. Some organizations must designate a Data Protection Officer (DPO) under Article 37: public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations whose core activities involve large-scale processing of “special categories of data” (such as medical, religious, or political records) or data relating to criminal convictions. Headcount is not the test; a small company can be required to appoint a DPO, and a large one may not be.
The DPO (or an employee of equivalent stature, for companies that are not obligated to appoint one) can serve as the company’s foremost authority on GDPR compliance. Where the GDPR mandates a DPO, that person must be able to act independently, must report to the highest level of management, and serves as the contact point for supervisory authorities and data subjects (Articles 38 and 39).
- Review current data use procedure and document every piece of the process
Companies should also audit their existing data collection processes and practices. This internal review is essential because the GDPR’s accountability principle (Article 5(2)) requires a company not only to comply but to be able to demonstrate compliance; a process that is compliant but undocumented still exposes the company to penalties.
One caveat is that the GDPR’s formal record-keeping requirement (Article 30) is relaxed for organizations with fewer than 250 employees. The exemption is narrow, however: it does not apply if the processing is likely to result in a risk to individuals’ rights and freedoms, if the processing is not occasional, or if it involves “special categories of data” (such as race, religious beliefs, political views, sexual orientation, biometric data, and health records) or data relating to criminal convictions. Because routine processing of customer or employee data is rarely “occasional,” most small businesses should plan to keep records anyway, and they remain subject to the rest of the GDPR regardless.
In conjunction with a company’s review of the data it holds and processes it has in place, companies should update their public-facing privacy policies to align with GDPR’s policy requirements. From a compliance standpoint, having GDPR-compliant public-facing policies is an important way that companies can demonstrate good faith efforts to comply with GDPR requirements in advance of and/or shortly after the May 25th effective date arrives.
The following provide key GDPR requirements for privacy practices and policies:
Clarity: Privacy notices must be in clear language that a lay person can understand.
Recipients: Privacy notices must identify the recipients, or categories of recipients, of personal data, including vendors that process it on the company’s behalf.
Transparency: Privacy notices must state the specific purposes for which personal data is processed and the legal basis for each purpose (Article 13).
Unbundled consent: User consent for data collection must be separate and easily distinguishable from consent for other terms and conditions.
Affirmative opt-in: Consent must be given by a clear affirmative act, which rules out the former industry practice of pre-checked consent boxes, and it must be as easy to withdraw as it was to give. Consent obtained before May 25, 2018 remains valid only if it already met the GDPR standard (Recital 171); companies relying on older, bundled or pre-checked consent for marketing emails must obtain fresh, affirmative consent before continuing to send them.
Accommodate new digital rights created by GDPR
Right to erasure (the “right to be forgotten”): Companies must erase a user’s data on request where, for example, the data is no longer needed for its original purpose or the user withdraws consent, unless an exception applies, such as freedom of expression, a legal obligation, a task carried out in the public interest, or the establishment or defense of legal claims (Article 17).
Right of access and right to rectification: Companies must let users obtain a copy of the data held about them and correct inaccuracies, respectively. Requests must generally be answered within one month (Article 12).
Breach notification: Companies must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33). Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay (Article 34).
Right to data portability: Companies must provide users with the data they supplied in a structured, commonly used, machine-readable format, and transmit it directly to another business or trusted third party at the user’s request where “technically feasible” (Article 20).
- Update Internal Policies and Organizational Measures
In addition to updating public-facing policies, companies should also put into place internal policies and mechanisms for managing data and responding to potential security breaches. Companies not only need to have “appropriate technical and organizational measures” in place to comply with the GDPR (Article 32), but they will also have to detect, assess and report personal data breaches quickly: the 72-hour clock for notifying the supervisory authority starts when the company becomes aware of the breach.
Planning how to respond to customer requests to exercise their rights, including verifying the requester’s identity and meeting the one-month response deadline, will require substantial customer service and IT expertise.
- Update Vendor Contracts
Not only does the GDPR apply to companies that collect data (“controllers”), it also applies directly to the subcontractors and vendors that process data on a company’s behalf (“processors”). In other words, if Company A collects personal information from its users (such as email addresses), and Company B processes that data for marketing purposes, then Company B has its own obligations under the GDPR. Company A, however, may use only processors that provide sufficient guarantees of compliance and remains accountable for the processing it outsources (Article 28).
Because of this, companies will likely need to update their existing contracts with vendors that receive or process personal data. Article 28 requires a written contract that, among other terms, limits the processor to acting on the controller’s documented instructions, imposes confidentiality and security obligations, requires the processor to assist with data subject requests and breach notification, governs the use of sub-processors, and requires deletion or return of the data at the end of the engagement.
Where do we go from here?
Ultimately, the above is not an exhaustive list of the steps companies must take to become fully compliant with the GDPR. However, by taking such steps, a company can at least demonstrate that it is making good faith efforts to comply. And, over the next several months and even years, companies can continue to build out their processes to achieve (or attempt in good faith to achieve) GDPR compliance.
If you have any questions regarding how GDPR will affect your business and its practices, please call Saper Law for a consultation at (312) 527-4100.