September 30, 2020

Volume X, Number 274

Less Than One Year to Go to Get General Data Protection Regulation Compliant

May 25, 2018, the day by which organizations need to comply with the European Union’s General Data Protection Regulation (GDPR), is fast approaching. If your organization does any business in the European Union or the United Kingdom, whether it has employees located in the EU or UK or sells goods to or collects data from EU or UK residents, the GDPR likely applies to you. It could also apply to you if you process data on behalf of organizations that do business in the EU. The GDPR may not have hit your radar because the relatively lengthy two-year period for compliance did not ignite a sense of urgency within your organization, but the day for compliance is less than one year away, and the GDPR can be complicated. Is your organization ready?

Significantly, the GDPR differs from the previous EU framework and has broader applicability to organizations. The following are key GDPR considerations for your organization:

  • The GDPR applies to your organization if it targets and/or processes data relating to EU residents and, unlike the previous EU framework, does not require the use of any equipment located in the EU to apply. The GDPR has very specific provisions for collecting, handling, processing, transferring, storing, and destroying personal data.

  • Your organization must appoint a knowledgeable Data Protection Officer (DPO) who is charged with GDPR compliance if it engages in “regular and systematic monitoring of data subjects on a large scale” or conducts large-scale processing of “special categories of personal data” (such as those relating to racial or ethnic origin, political opinions, religious or philosophical beliefs).

  • The GDPR now contains data breach notification requirements that are more expansive than US data breach notification laws in that they are triggered when a broader category of personal data is exposed and require notification to a data protection authority.

  • Organizations that are data controllers are liable for vendors who process personal data on their behalf.

  • The GDPR codifies a data subject’s right to be forgotten. If personal data is no longer needed, a person can request that the organization delete that data. If the organization has publicized or shared that data with other organizations, it must make reasonable efforts to inform those other organizations of the request for erasure of that data, and those organizations must comply with that request.

  • A data subject also has a right to data portability: where the organization collects personal data by automated means, it must provide the data concerning that person to that person upon request in machine-readable form. The data subject is allowed to transfer that data to any other data controller.

  • Cross-border data transfers with the US remain complicated, but the GDPR will still allow transfer with binding corporate rules, model contracts, and appropriate certifications. Some of these mechanisms have become more formalized. The GDPR does not allow for transfer of personal data in response to a legal requirement from a third country.

  • The consent for cross-border data transfer must be expressed “by a clear affirmative action” and cannot be an opt-out. As such, pre-checked boxes and implied consent will be largely in the past.

Implementing the GDPR’s provisions will take time, which is why organizations were given two years to make the transition. Before you can start planning for GDPR compliance, you need to create an inventory of all personal data you hold, why you hold it, whether you still need it, and what security safeguards you have to protect it. If you have not already, you must institute procedures to detect, report, and investigate a data breach. Accordingly, planning and executing that plan should start now to allow for time to make cost-effective decisions. You will also need time to train employees and put systems in place for the new climate in which customers have rights over their data. Will you be able to efficiently respond when customers request that you give them all of their personal data at no cost to them? Also, will you have the proper mechanisms in place to transfer personal data from the EU to the US? Moreover, non-compliance with the GDPR can result in steep penalties. Fines for violations of the GDPR can be the higher of 20 million euros (approximately $22.5 million) or 4 percent of your global revenue. This is in addition to the consequences that negative press surrounding data breaches or inadequate privacy protections will have on your organization’s reputation.

©2020 MICHAEL BEST & FRIEDRICH LLP

National Law Review, Volume VII, Number 164


About this Author

Michelle L. Dama, Attorney, Litigation, Michael Best Law Firm

Corporate clients turn to Michelle for her experience litigating commercial and intellectual property disputes, among other matters. Michelle also serves as a member of the firm’s Class Action/Multidistrict Litigation team. She tries cases in both federal and state courts at the trial and appellate levels.

Michelle assists a diverse group of clients, many of them long-standing, in the following areas:

  • Complex commercial disputes
  • Intellectual property and trademark litigation
  • Product liability actions
  • Consumer law,...

Adrienne Ehrhardt, Michael Best Law Firm, Corporate and Transactional Attorney

Known for giving practical and actionable legal advice, Adrienne counsels clients on the many complex aspects of privacy and data management matters.

Her extensive background includes experience with issues relating to the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and the Telephone Consumer Protection Act (TCPA), as well as privacy programs and cyber security issues.

Prior to joining Michael Best, Adrienne served as the in-house lead attorney in privacy and data protection at CUNA Mutual Group. She also served as Associate General Counsel at Land’s End, Inc., where she managed litigation, counseled the company on internal legal matters and negotiated and drafted a variety of transactional agreements. Previously, she was a member of the commercial litigation practices of two international business law firms, and began her career as a Judicial Law Clerk in United States District Court for the Northern District of Illinois.