• The EU GDPR is a new global benchmark on data privacy regulations, created to protect the data privacy rights of EU citizens.
• US companies may be affected by the regulation due to its extra-territorial nature.
• Taking stock of internal policies and procedures regarding data, and how it is collected, processed, and used, is an important step for organizations to take to ensure compliance with the regulation.
With an enforcement date slotted for May 25, 2018, the General Data Protection Regulation (GDPR) is a regulatory topic sweeping Europe. Individuals and corporations across the EU are readying themselves for a new era of data privacy. However, even outside the EU, GDPR has serious implications.
The question on many minds is: how does this specifically affect companies based in the U.S.? Given its European roots, what impact does the regulation have on other markets?
You’re a U.S. Company. What Do These Scenarios Have in Common?
- You use a marketing list of global clients to inform them of a new product launch using an email campaign.
- You send an email attachment (an Excel spreadsheet of delinquent accounts) to Accounting, but it accidentally goes to the wrong person because of AutoFill.
- Visitors of your website are asked to fill out a short form for upcoming promotions – including name, birth date, and email address.
- You’re cleaning out hardcopy HR documents and contracts (decades old!) and a few slip out on the way to the trash.
Answer: They may all be breaches of GDPR.
What does GDPR impact?
GDPR is an extra-territorial data privacy regulation that applies to every entity that has touchpoints with EU citizens, no matter where that entity is located on the globe. The regulation returns power over personal data to EU citizens, affecting how personal data is collected, stored, and processed by companies (whether within the EU or outside of it).
Compared to previous international data privacy measures (e.g. the 1995 Privacy Directive, OECD guidelines, Safe Harbor, or Privacy Shield), GDPR introduces larger geographic areas of legal application, more rules on consent, and higher penalties for breaking the law.
What counts as “personal data”?
The European Commission has stated: “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”
This can include:
- a name and surname
- a home address
- an email address such as firstname.lastname@example.org
- an identification card number
- an Internet Protocol (IP) address
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
If you have any touchpoints with EU citizens (customers, vendors, employees, partners, etc.), you will be affected by GDPR.
Data is exchanged daily within (and outside) organizations. Data is varied, voluminous, and can be difficult to manage. Don’t let this be a cause for negligent behavior.
As an initial step, work with stakeholders within your company to assess how GDPR could affect your operations – HR processes, IT systems, vendor relationships, training policies, governance practices, consent notices. Learn how your organization currently handles data.
Even though this may seem like a momentous (and costly) task, assessing your company’s current state of data affairs will allow you to understand areas of potential risk or weakness. This will save you valuable resources and potential legal complications in the future.
Becoming compliant with GDPR, or adopting any new regulatory reform, is often a journey. Get a sense of what needs to be done to get your organization from Point A to Point B.
Points to Consider:
- What proactive measures are you taking as a company to ensure that data remains secured?
  - Under GDPR, you have an obligation to prove that data being processed has been secured from a technical and organizational standpoint.
  - Request an audit: have someone come to your organization, “kick the tires”, and assess how your organization is faring on these issues.
  - Appoint a Data Protection Officer (Art. 39).
- Are you collecting more data than is necessary on data subjects – are you “abusing” data collection?
  - Be aware of what kind of data you are collecting and whether your grounds for data collection reflect “legitimate interests”.
- Are you allowing individuals to give consent (and to withdraw it) when data about them is being handled or collected?
- Are your privacy notices and consent forms easy to understand?
- Are you able to give access to and produce the data you are collecting on an individual if the data subject requests it (Article 15)?
  - Individuals have the right to see what data is being collected on them and how it is being processed (free of charge!).
- Do you have an anonymization/pseudonymization process in case a data subject wishes to invoke the “Right to be Forgotten” and have their data erased?
  - Individuals have the right to request, verbally or in writing, that their information be erased from records.
- What are your company’s processes for data retention? Are you keeping data for “longer than is necessary” [Art. 5(1)(e)]? What processes are you using to correctly delete sensitive data?
- Do you have adequate security standards, and do you have processes to report a data breach within the required 72 hours?
  - If your company is the keeper of sensitive information and is hacked, you will shoulder all legal liability for the use/misuse of it.
  - Data breaches are not just about being hacked by malicious parties – they can be triggered by human error (e.g. a wrong email, a lost hard-copy document, being over-inclusive with certain parties when circulating information).
The protection of personal data is on the forefront of corporate agendas globally. Recent stories of data breaches and misuse of personal data have created havoc for many companies, from Facebook to Equifax. These types of cases can result in costly lawsuits, plummeting share prices, loss of brand credibility, and other legal sanctions.
Not all organizations outside of the EU will be impacted by GDPR. But in an increasingly globalized world, many will. The need to comply with GDPR may also change from year to year; for example, a firm may suddenly acquire EU clients, partners, or employees through a merger or a strategic shift in operations.
GDPR is further evidence of the rising standards of corporate accountability regarding data. Breaking the law can trigger serious financial implications: fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.
Stay Ahead of the Curve on GDPR:
- Proactively engage and educate stakeholders to prepare for potential organizational changes (e.g. IT, Procurement, Legal departments, employees).
- Evaluate existing contracts, relationships with third-parties, processes, and how this affects your data landscape – know what data exists, where it’s coming from, where it’s being stored, and what is happening to it within your organization.
- Implement GDPR-compliant solutions that keep your workflow processes compliant and secure and eliminate the risk of manual error.
Want to learn more about tools that comply with GDPR? Check out our recent blog post about our GDPR-compliant whistleblower platform.
Disclaimer: Information contained in this blog article does not reflect the legal opinions of EQS Group AG or any other professional legal advisors. For specific European General Data Protection Regulation (EU-GDPR) legal matters, please consult your legal advisors. EQS Group AG is not responsible for any liabilities that may arise from misinterpretation of EU-GDPR.