The General Data Protection Regulation: Its Time Has Come
After several years of review and negotiations among various stakeholders, the European Parliament gave the final nod to the EU General Data Protection Regulation ("GDPR"). The GDPR replaces the current EU data protection framework with a uniform set of requirements that apply to EU Member States without the need for individual Member State legislation.
While the regulation will go into effect shortly, companies subject to the regulation will have two years to come into compliance. Given the breadth of the regulation and the expanded scope of requirements, it is imperative that companies immediately begin the process of evaluating and modifying current policies and practices to ensure timely compliance. Indeed, failure to comply with the GDPR can result in significant fines of up to the greater of 4% of a company's annual global turnover or €20 million.
Here are some GDPR highlights:
1. Expanded Jurisdictional Scope
The GDPR applies not only to EU-based data controllers and processors, but also to data controllers and processors outside the EU when their processing activities relate to the offering of goods and services to, or monitoring the behavior of, individuals in the EU. In other words, companies that target consumers in the EU will be subject to the GDPR. This will also necessitate appointing a representative in the EU.
2. Data Processors Directly Subject to Obligations
The GDPR imposes certain obligations directly on data processors and fines can also be imposed on data processors for GDPR violations.
3. Modified Consent Standard
The GDPR clarifies what does, and does not, constitute the unambiguous consent needed for certain data processing activities, thereby creating more stringent requirements for satisfying the consent standard.
4. Enhanced Data Subject Rights
Data subjects now have additional rights, such as the "right to be forgotten," the right to object to data profiling and the right to direct the transfer of their personal data.
5. Compliance Accountability and New "Privacy by Design" Requirements
The regulation requires data controllers to satisfy onerous additional compliance obligations, such as conducting and documenting privacy impact assessments. The GDPR also explicitly requires data controllers to design their data processing arrangements with core data protection principles in mind ("privacy by design") and to ensure that only the minimum data necessary is processed for the specific purpose.
6. Breach Notification
Data breaches must be reported to the Data Protection Authority within 72 hours of discovery if the breach is determined to pose a risk to the data subject. Data subjects must also be notified if the breach poses a "high risk" to their interests.
7. Data Protection Officer
Data controllers and processors will need to appoint a data protection officer ("DPO") if their regular activities involve monitoring individuals on a large scale or processing large amounts of sensitive data. The GDPR requires that DPOs be permitted to act independently within the organization and that they have direct access to executive management.
Compliance with these and other GDPR requirements will be a challenging and resource-intensive exercise both for companies subject to current EU privacy legislation and those newly subject to EU data protection obligations through the broader jurisdictional reach of the GDPR. Despite the two-year lead time, companies should begin taking steps now to address the GDPR. Appropriate initial steps include:
- Determining whether GDPR applies to your business.
- Performing and documenting impact assessments. Companies should determine to what extent their current policies and practices comply with the GDPR, including in the first instance whether their processing practices are lawful under the GDPR. Deviations from the GDPR's requirements must be identified, and companies must begin to assess the operational and policy changes needed to address the gaps. For example, changes will likely need to be made to your existing consent processes and forms, and new requirements, such as "privacy by design" and new data subject rights, must be addressed.
- Reviewing contractual relationships that involve data processing activities and addressing changes to operational functions and written contractual terms, as necessary.
- Employing or contracting with a data protection officer, if required.