The countdown has officially begun.
On May 25, 2018, the European Union's ("EU") General Data Protection Regulation ("GDPR"), a sweeping data privacy and security regulation resulting from years of regulatory and political negotiations, will officially go into effect. Because EU enforcement will begin promptly on the effective date, compliance must begin before May 25th.
Many U.S. companies and business people, including sole proprietors (all business entities such as corporations and limited liability companies, as well as individual sole proprietors are collectively referred to as "U.S. Businesses") who obtain data regarding EU residents are either doubting or are in denial about the applicability of the GDPR to their business practices—after all, the United States still doesn't have an over-arching data protection law.
However, the new GDPR requirements make the cybersecurity world a lot smaller by substantially broadening the reach of the EU's data privacy compliance requirements, and the effects of the GDPR will ripple across the pond and impact many U.S. Businesses. The complexity and scope of the GDPR leave U.S. Businesses that are more accustomed to the patchwork of U.S. data privacy laws with more questions than answers. U.S. Businesses are also vulnerable to possible business disruptions and significant financial penalties.
The GDPR was enacted to give EU residents more control over their "personal data," and at its core, directs how such personal data may be collected, stored, transmitted and destroyed (collectively, "processed").
Personal data means any information relating to an EU resident. This definition is purposefully broad and includes even non-sensitive information such as a name, identification number, telephone number, email address, financial information, location, online identifier or screen name, IP address, as well as certain genetic, economic, or cultural information, among other categories.
The GDPR imposes new requirements not only on those organizations or individuals located in the EU, but also on organizations or individuals located anywhere in the world that process an EU resident's personal data. The GDPR requirements apply no matter the size of the business processing the information or the amount of information being processed. This means that any company—from a large U. S. based corporation to a small family-owned business located in Johnston County, North Carolina—could subject itself to GDPR requirements by selling its products online to EU residents, if during that transaction it collects personal data from an EU resident. Again, for purpose of GDPR applicability, this personal data can be as innocuous as a name, email, or mailing address.
The new GDPR framework will mean an overhaul in many U.S. Businesses' data privacy programs, even for those that already have robust data privacy programs in place. The following GDPR provisions will likely produce the most significant impacts for U.S. Businesses that are required to comply with the GDPR:
- Consent – Except in certain specified instances, the GDPR requires the consent of a person before that person's personal information can be processed. Consent must be "freely given, specific, informed, and unambiguous," which implies that any consent forms must be written in plain language and easily accessible. Any consent form that contains legalese or illegible terms and conditions will likely not pass muster. Additionally, a person must be allowed to withdraw consent at any time. There are additional consent requirements when the person is a child under the age of 16.
- Privacy Notices – A business must, at the time of, or prior to, the processing of personal data, provide a detailed list of all the personal data that will be processed, the business's contact information, the purposes for which the personal data will be collected, whether the business intends to transfer the personal data to another party, and any other information related to the individual's rights regarding the personal data and how those rights can be exercised.
- Breach Notification – The GDPR's breach notification structure is far more rigorous than many of the breach laws adopted by individual states in the United States. Specifically, the circumstances requiring notifications are much broader and more liberal, and the time frame for the required notifications much shorter.
- Data Protection Officer – One of the more controversial requirements of the GDPR is the requirement that a business appoint a Data Protection Officer" ("DPO") if the business will engage in certain activities, such as monitoring the persons whose personal data will be processed, processing special categories of personal data, or processing data relating to criminal offenses.
- Rights in Personal Data – The GDPR enumerates a number of fundamental rights that belong to all persons whose personal data is processed. These include the right to access the personal data (called the "Right to Access"), the right to request the deletion of personal data (called the "Right to be Forgotten"), and the right to receive personal data concerning the data subject and transmit that data (called "Data Portability"). No matter how a business implements the GDPR, the business should design its privacy programs with these rights in mind.
- Personal Data Security – Businesses are required to implement the "appropriate level of security" for the personal data they process, including protection against loss, destruction, damage, or unauthorized access. Businesses will also have to maintain records of their personal data processing activities.
- Cross-Border Data Transfer – Perhaps the most significant impact for many U.S. Businesses will be the GDPR's requirements on the permissible transfer of personal data from the EU to non-EU countries. "Cross-Border Data Transfer" requirements are complex, extremely onerous, country specific, and include certain Codes of Conduct and certifications that should be reviewed and understood prior to transferring any EU resident's personal data.
The monetary penalty for non-compliance with the GDPR can be astronomical. Fines will generally be based on factors such as the nature, gravity, and duration of the violation, whether the business took steps to mitigate the damage, prior infringements, the types of personal data involved, and whether the violation was intentional or negligent. Businesses found in violation of the GDPR may also face substantial business disruptions and become subject to periodic audits to ensure future compliance.
The GDPR is over 100 pages long and presents complex, stringent, and potentially expensive requirements for U.S. Businesses that process EU residents' personal data or provide goods or services to EU residents. U.S. Businesses should consider the types of data they have, and from whom they receive that data, to determine whether the new GDPR requirements will apply to their business practices.