The hottest data protection issue for major U.S. businesses this year is compliance with the European Union’s General Data Protection Regulation (GDPR). Small and medium-sized businesses may also need to comply with GDPR. This post covers frequently asked questions about GDPR.
What is GDPR? GDPR[1] is the European Union’s comprehensive data protection law that takes the place of 1995’s Data Protection Directive 95/46/EC.[2] By “data protection,” I am referring to both privacy and security. GDPR collects, clarifies, harmonizes, and expands data protection requirements throughout the European Economic Area (EEA). The European Economic Area consists of the 28 countries of the European Union plus Norway, Iceland, and Liechtenstein.
Why is GDPR such a concern for U.S. businesses? First, the fines for violating GDPR are potentially heavy. EU data protection authorities can fine businesses up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater. Fines, moreover, will likely be based on the revenue of the global parent and any subsidiaries involved with the violations. Second, U.S. businesses find GDPR to be complex and unfamiliar. Questions arise concerning jurisdictional scope, defining the kinds of personal data covered, obtaining consents from individuals, maintaining an audit trail of consents, managing cross-border data flows, and handling new forms of individual rights given to EEA residents.
What is the deadline for compliance? Businesses must have compliance programs in place by May 25, 2018.
Who is covered? There are a number of categories of businesses that fall under GDPR, including U.S.-based businesses. First, multinational businesses with operations in the EEA collecting or processing personal data of EEA residents there have to comply. Second, even if the business is only in the U.S., GDPR applies if it is offering goods or services to EEA residents while they are located in the EEA. It must also comply if it is monitoring the behavior of EEA residents while they are located in the EEA, for instance by analyzing their web browsing behavior. Third, businesses processing data for companies collecting personal data in Europe will most likely have to sign an agreement to protect that personal data consistent with GDPR requirements. Typically, they will have to sign EU-drafted “Standard Contractual Clauses” as part of a data processing agreement, or self-certify their data protection commitments under the U.S. Department of Commerce’s EU-U.S. Privacy Shield Framework. There is also a Privacy Shield program for U.S. importers of personal data from Switzerland.
What kinds of personal data are covered? Article 4(1) of GDPR defines “personal data” very broadly. The term “personal data” “means any information relating to an identified or identifiable natural person.” Personal information of the kind protected under federal and state law in the U.S. is covered. Examples include financial account information and medical records. It also includes contact information that can be used to push advertisements to individuals.
GDPR also defines a set of “special categories of personal data.” These categories require particular protection and impact any risk analysis done on systems collecting and processing personal data. Under GDPR Article 9(1) the “special categories” are: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
What should businesses be doing now to prepare for GDPR? The most important thing to do now is to analyze if your business must comply with GDPR and, if so, take action to plan and implement a compliance program. I will be covering more topics for GDPR compliance in later posts with steps a business can take to comply with GDPR. Given the impending deadline for compliance, however, it is important to start now.
Stephen Wu has written or co-written seven books on data security legal topics, and leads the International Network of Boutique and Independent Law Firms’ global GDPR working group. For assistance to determine if you must comply with GDPR or regarding your GDPR compliance program, please contact Stephen Wu by completing the web form here.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.