The General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive (officially, Directive 95/46/EC) (the Directive) and will be directly applicable in all member states without the need for implementing national legislation. The GDPR was adopted in 2016, and its compliance date of May 25, 2018, is now fast approaching. Importantly, whether a U.S. company has a physical presence in the European Union (EU) is not determinative of the regulation’s impact. Therefore, businesses should take heed.
The regulation is meant to strengthen and unify data protection for individuals within the EU, as well as address the export of personal data outside the EU. The European Commission’s stated primary objectives regarding the GDPR are to return to citizens control of their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.
The GDPR sets forth that organizations that collect, process, and secure personal data from EU citizens should adhere to specific privacy principles. The GDPR applies to the following: companies, government agencies, and other organizations offering goods or services to people in the EU; organizations that collect and analyze data on EU residents; and organizations that do not have a physical presence in the EU if the entity stores or processes personal information of EU residents.
Failure to comply with the GDPR can result in significant penalties, including fines of 2 percent to 4 percent of global revenues or $10 to $20 million, whichever is greater, for violation of specific provisions. Lesser consequences include receiving warning letters or periodic protection audits.
Differences Between the GDPR and the Directive
There are many differences between the GDPR and the Directive. As a new regulation creating a unified digital economy across the EU, the GDPR contains some important changes for companies to evaluate.
The definition of personal data has changed. Under the current Directive, each of the 28 member countries developed its own interpretation of what constituted “personal data.” The GDPR, on the other hand, enforces a strict and broad definition of personal data, referring to any information that could be used, on its own or in conjunction with other data, to identify an individual.
Notably, two new data elements are specified in the new definition: location data and online identifier. These are meant to capture things like IP addresses, mobile phone identifying numbers, and Google IDs, as well as geolocation data.
The GDPR offers new individual rights. Built into the GDPR is a strong focus on citizen rights. Companies will have to disclose the intended use and duration of storage of the data acquired, and resolicit permissions each time a new use of the data is proposed. Furthermore, EU citizens will have to explicitly opt in for storage, access, and use.
The GDPR mandates breach notification. The GDPR requires companies to report qualifying data breaches to the individuals whose data was lost and to a supervisory authority within 72 hours.
Data controllers and data processors hold joint responsibility. The regulation defines data controllers as organizations that acquire EU citizens’ data; and data processors as organizations that may manage, modify, store, or analyze that data on behalf of or in conjunction with the controllers. Under the regulation, both parties are jointly responsible for complying with the new rules. This means that if an organization outsources data entry or analysis to a third party, or processes data on behalf of another organization, both parties are liable.
The GDPR requires information governance. Under the GDPR, companies are required to actively track how and where data is stored and used through the supply chain. This means adopting risk-management tools and building security and privacy into their operations by design. Any organization directly involved with the processing of data, or any organization with more than 250 employees, must also appoint a data protection officer (DPO).
The GDPR has global impact. Even though the regulation is being rolled out by the EU, it has a global impact. Companies based outside of the EU must comply with the GDPR if they handle, store, manage, or process EU citizens’ personal data. Any company in the world that sells to European companies, or that receives data from EU citizens, for example, will be affected.
As a result of the potential sweeping impact of the GDPR, companies should consider the following in preparation for the new data-protection landscape:
- Confirm whether the GDPR applies to your company.
- Conduct data mapping and data-protection impact assessments.
- Develop infrastructure to monitor data handling and demonstrate compliance.
- Account for new and expanded individual rights.
- Consider whether you are required to hire a DPO.
- Incorporate privacy by design.
- Revise privacy notices appropriately.
- Reevaluate consent provisions.
- Prepare a data breach response plan.
- Review and update data-processing agreements.
James P. Melendres is a partner at the Phoenix, Los Angeles, and Orange County offices of Snell & Wilmer L.L.P.
Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).