March 14, 2018
On May 25, 2018, enforcement of the European Union (EU) General Data Protection Regulation (GDPR), a set of requirements regulating how data is collected, used, transmitted, stored and destroyed, will begin. The GDPR replaces the 1995 EU Data Protection Directive, which only applies to EU-based businesses and data processing equipment. Under the GDPR, some U.S. organizations, including non-profits, will also be subject to requirements if they:
Organizations with a strong internet presence and those in the technology, retail, health care, insurance and banking industries have been noted as being some of the most deeply affected by the GDPR.
Data Identification and Protection
Personal data under the GDPR broadly includes “any information relating to an identified or identifiable natural person (‘data subject’).” Identifiable means the data subject can be “identified directly or indirectly…by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This wide range of identifiers may also include a person’s address, phone, passport, Social Security, credit card, financial account, registration plate or driver’s license number, date of birth, photo, email address and employee information. Online identifiers can include EU-region IP addresses, metadata, cookies and social media posts.
One of the key provisions requires that the relevant data protection authority be notified within 72 hours of finding a data breach, where feasible. In addition, if there is a high risk that the rights and freedoms of EU citizens will be violated by the breach, data subjects themselves must be notified without undue delay.
Consent and Rights of Data Subjects
There are also heightened conditions for consent. A request for consent to data processing must be separate from other terms and conditions and provided “in an intelligible and easily accessible form, using clear and plain language.” A data subject’s consent must be “freely given, specific, informed and unambiguous” and involve a clear affirmative action (an opt-in). The GDPR specifically bans pre-ticked opt-in boxes. It must also be easy for an individual to withdraw their consent.
Certain “special categories” of personal data, including “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation,” require “explicit” consent and “deserve specific protection.”
Data subjects have a right to request information regarding whether, how, where and for what purpose their personal data is being processed. The GDPR’s “right to be forgotten” also allows individuals to request that their personal data be rectified or erased and that no further processing or dissemination occur.
The GDPR also requires companies to record personal data processing activities, including the categories of data being processed, categories of recipients of the data and data retention schedules. Organizations should ensure they have updated privacy notices and data protection policies. The data protection supervisory authority for the UK, the Information Commissioner’s Office (ICO), has recently published detailed guidance on the GDPR’s record-keeping requirements.
Impact of Non-Compliance
Non-compliance fines and penalties will be more significant — up to the greater of 4% of global annual turnover (revenue) or €20 million (over $24 million). This maximum penalty applies to organizations that fail to obtain customer consent or that violate the privacy-by-design requirements. Other violations carry varying penalties depending upon the type of violation.
U.S. organizations doing business or engaging in any of the above activities in the United Kingdom (UK) should also consider and monitor what effect Brexit, occurring at the end of March 2019, may have upon the GDPR and its requirements. Currently, Brexit has no effect, since the GDPR is a European regulation applicable in the UK. When the UK leaves the EU, however, the GDPR will no longer apply and the UK government will need to enact domestic legislation to apply similar standards. A data protection bill is currently being debated in Parliament.
U.S. organizations utilizing EU residents’ personal data must take privacy seriously. Compass suggests the following steps:
Compass is available to provide guidance and refer you to outside experts in this area to help you navigate these new standards and obligations.