The General Data Protection Regulation (GDPR) issued by the European Union (EU) becomes effective May 25, 2018. Although some organizations have already adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their business, and the steps necessary to comply.
Does GDPR apply to your organization? For virtually every organization, the answer is “yes.” In basic terms, any US entity that has a web presence and markets to or gathers information on EU residents is subject to GDPR. More specifically, Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your organization is subject to the requirements of the law. It’s important to note that a financial transaction doesn’t have to take place to be subject to the regulation. The bottom line is that the GDPR applies to any organization that collects and holds “personal data” of individuals residing in the EU, regardless of the organization’s location.
Failure to comply could result in significant fines and penalties. On top of that, complying with GDPR will require organizations handling EU residents’ data to undertake significant operational reform. Below I summarize the main mandates imposed by GDPR that organizations should focus on. I will be writing a further series of posts to provide additional guidance on insuring full compliance.
It’s My Data – GDPR is a game changer
From a US perspective, GDPR imposes a new paradigm. Perhaps most significantly, it redefines what has traditionally been considered to be protected information by broadening the concept of personal data to anything that can be used to identify a person, including an email address, twitter handle or even an IP address associated with a mobile device. It’s crucial to recognize that personal data that is collected is never owned by the organization, for it is the individual who perpetually retains control over personal data. This key public policy maintains that data belongs to the person it identifies, and that the person has a right to control how it is processed. Therefore, while organizations may use, within well-defined limits, the data they collect, they will need to obtain explicit consent from those individuals who “own” it.
Explicit Consent is the New “Opt In” – What is It?
While organizations may continue to rely on “consent” as a lawful basis to collect, use and transfer personal data under the GDPR, what constitutes acceptable “consent” is now at a higher bar. No longer will “implicit” or “opt-out” consent be acceptable. Rather, GDPR requires that the individual signals his or her agreement by “a statement or a clear affirmative action.” It’s also important to note that GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization.
No “Passing the Buck” – Responsibility for Third-Party Vendors
GDPR squarely puts the onus on the organizations which collect data to ensure that their third-party vendors (data-processors) are acting appropriately, and that any “processing activities” are performed in compliance with the regulations. Organizations must “implement appropriate technical and organizational measures” not only not only to ensure compliance, but to be able to demonstrate the measures that they have in place. Under certain circumstances, organizations will have specific responsibility for carrying out data-protection “impact assessments.” Most importantly, the organization will be liable for the actions of its third-party vendors and any failure on their part to comply with GDPR’s personal data processing principles.
“Use It – Then Lose It” – Limits on Data Retention
Many organizations keep personal data information for much longer than is reasonably necessary. GDPR imposes restrictions on this practice, effectively mandating that organizations create, implement, and then follow a data-retention policy.
“It Don’t Come Easy” – New Obligations for Cross-Border Data Transfers
The GDPR permits personal data transfers to a third country or international organization subject to compliance with a number of conditions, including conditions for onward transfer. For those countries that are not considered to provide an “adequate” level of data protection, transfers are only permitted under certain circumstances, such as by use of standard contractual clauses or binding corporate rules. Note that the United States is not considered to have an “adequate” level of protection, so organizations wishing to transfer data to the US must take additional actions.
A “Target” on Targeting? – Restrictions on Profiling
Today, nonprofits often engage in donor-data analysis for a variety of purposes, including drawing conclusions about a donor’s wealth and capacity to give to develop target marketing campaigns. In its sweeping efforts to define and enhance the subject’s rights to control personal data, the GDPR contains many restrictions on such automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.
A Higher Bar – New Data Security and Breach Notification Obligations
GDPR imposes strict obligations on organizations with regard to data security as well as expected security standards. The GDPR also adopts specific breach notification guidelines for the first time.
It’s All About Them – Additional Rights to Control Personal Data
As part of its effort to expand individual control over the use of personal data, the GDPR introduces two new rights. The first is the literal right to be “forgotten.” This empowers individuals to request that your organization delete their personal data. It also mandates that if requested, you provide an individual’s personal data to them. The GDPR also augments the existing rights of individuals to receive notice about your processing activities, gain access to the information that is being processed, and to request that any inaccuracies be remedied.
Keep “em” Separated – “Pseudonymization” of Personal Data
The concept of “personally identifying” is one of the essential elements driving and informing GDPR. Any “personal data,” defined as “information relating to an identified or identifiable natural person ‘data subject’,” falls within the domain of GDPR. The regulation introduces the concept of “pseudonymization” into European data-protection law. Pseudonymization is the separation of data from direct identifiers so that linkage to a person is not possible without additional information that is not digitally connected. The intent is to minimize the risks associated with sharing and processing of data.
I can certainly appreciate that the regulatory obligations summarized above may seem overwhelming – they are – and that organizations may be tempted to take a “wait and see approach.” It is essential, however, to keep in mind that by any measure the fines for violations of GDPR are severe (regulators are authorized to levy fines in amounts exceeding the greater of 20 million euros or four percent of annual global revenue). So in this case, an ounce of prevention will truly be worth the pound of cure.