A new EU regulatory regime is set to take effect soon that will require U.S. companies – particularly technology companies – and their outside counsel to take note.
What is GDPR?

The General Data Protection Regulation is a new data privacy and protection regime developed by the EU, which will take effect on May 25, 2018. GDPR was designed to provide stronger protections for an individual’s personal data and imposes a number of requirements on controllers and processors of such data. The regulations also allow for significant penalties for companies failing to comply with these requirements. While the GDPR is a European regulation, its reach will be long enough that it will also have an impact on U.S. companies, many of which wouldn’t generally be subject to EU laws.
Which U.S. Companies Will Be Affected?

U.S. companies involved in the processing of personal data of individuals living in the EU may be subject to GDPR, even if the organization has no established base in the EU. According to the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person.” Processing refers to “any operation or set of operations which is performed on personal data or on sets of personal data.” These definitions are broad by design and were created to incorporate a range of data types and usages. They were also designed specifically to include U.S. technology companies. One important note is that a financial transaction doesn’t have to take place for a company to fall under GDPR’s scope. For example, if an organization merely collects personal data for the purposes of a marketing survey, the data would fall under GDPR.
How to Make Sure Your Organization Is GDPR Compliant?

Your legal department will need to review the new rules thoroughly to determine how they may apply to your individual situation, but one major issue is consumer consent. To ensure that EU-focused data-collection processes are compliant with the new regulations, many companies will need to adjust their online marketing forms and interactions to obtain specific consumer consent. The language of the GDPR says consent must be “freely given, specific, informed, and unambiguous.”
This also means companies will need to be transparent about what they plan to do with the data they collect. If a customer signs up for a service or makes a purchase, the vendor will need to obtain explicit permission for each type of processing done with the data. Once the data is collected, companies will then need to protect it under GDPR rules. However, companies that already follow existing data security standards – such as PCI DSS, ISO 27001 and NIST – are less likely to have difficulty adapting to the new regulations.
What Happens in the Event of a Breach?

If there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” a company is required to notify an EU regulator or “supervising authority” within 72 hours of discovery. In the event of a breach considered to be high risk to fundamental property and privacy rights – usually exposure of credit card information or account passwords – the company will also be required to notify the data subjects themselves. If a company fails to report a breach to the appropriate regulator within 72 hours, it will be fined 2% of global revenue. It remains to be seen how the EU will enforce the new regulations against U.S. and other multinational companies, but its implementation suggests the bloc is serious about a uniform data and privacy law. As a result, many U.S. companies have already altered their web practices in an effort to fall in line.
This legal market briefing was created by the analysts at ShiftCentral and is presented through an exclusive news and analysis partnership with Big Law Business. ShiftCentral’s team helps law firms, practice groups, and legal departments keep up with fast-changing developments in the business of law.