The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It was passed in the spring of 2016 and following a two year grace period, will be enforced starting on May 25, 2018, replacing the current Data Protection Directive in effect since 1995. The purpose of the GDPR is to provide a single uniform law governing the protection of personal data across the European Economic Area (the EU plus three other European countries) replacing the individual national laws passed under the 1995 Directive. The GDPR was also intended to clarify, strengthen, and modernize data protection, particularly given the profound changes since 1995 in how personal information is collected and processed on the Internet and otherwise.
The GDPR applies to any organization that is processing anyone’s personal information (or “personal data”), if that processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place). For example, a company located in France that is processing personal data of an individual in South America on a server located in the US as part of its business would be subject to the GDPR because of where the company is established. Of more relevance to US companies, if a company is offering goods or services (regardless of payment) to or monitoring the behavior of EU residents, then the company is subject to the GDPR. There are fact-based analyses as to whether, for example, a company is offering goods or services to EU residents. Mere ability of an EU resident to access the company’s website is not sufficient, but a website offering goods payable in Euros almost certainly would be.
The GDPR classifies those dealing with personal data as either a “controller” or a “processor.” The person or entity that decides the “purpose and means” of processing personal data is called the controller and has certain obligations under the GDPR. A party that merely assists a controller in processing that data on the controller’s instructions is called a “processor.” A US-based processor for a controller that is subject to the GDPR is also directly subject to the GDPR and would almost certainly have contractual exposure to the controller for GDPR violations as well.
In terms of enforcement, historically, the EU’s approach to data protection has been marked by stringent requirements (even under the current Directive), but relatively low fines and a somewhat cooperative approach, particularly with those companies showing a good faith effort to comply. There are a variety of potential ramifications under the GDPR including private and regulatory actions. However, the most attention-getting enforcement mechanism is that the GDPR permits penalties for non-compliance of up to the greater of 20 million euros and 4% of the corporate group’s annual global turnover (revenue) during the prior year for core violations. This feature appears to be what is driving the intense compliance efforts being seen, particularly by large, multi-national companies with significant revenue. That said, regulators and commentators have signaled that fines, particularly major fines, would occur at the end of an enforcement effort in which the company demonstrated a material lack of accountability and un-remediated violations. The worst thing a company could do when faced with an enforcement inquiry would be to say “GDPR? What is that?” or otherwise be able to show no or only minimal compliance efforts.
Smaller local companies may first interface with the GDPR when their EU-based or multinational customer asks them to sign a data processing agreement (a “DPA”) that perhaps has standard contractual clauses or so-called “model clauses”. Agreements like this are required in some form under Article 28 of the GDPR to flow down compliance obligations from controller to processor. Additionally, the company may have heard about “Privacy Shield” certification. The purpose of Privacy Shield or use of model clauses is to ensure that personal data transferred out of the EU is afforded protections similar to those it enjoys in the EU. It is important to remember that properly handling the transfer of personal data out of the EU/EEA is only one aspect of compliance out of many. Simply certifying under Privacy Shield or entering into model clauses is not in itself a GDPR compliance plan.
Once an organization determines that it is subject to the GDPR, its compliance effort will depend to a significant degree on the extent and complexity of its processing activities. A company that is merely collecting the name and shipping address of its customers and using that information solely to ship the customer’s order to them may face a lesser compliance effort than a company that is not certain what personal data it has or where exactly that data is, has poor security, collected the personal data from opaque third party sources, and engages in varied uses and sharing of the personal data with third parties. Much of this effort will be internal, presenting a resource allocation cost, but competent outside privacy counsel should be engaged, and some companies may find external compliance tools and consultants helpful, which also present a tangible cost. Also, revisions to privacy practices, security upgrades, and other changes in internal operations necessary to comply can require significant time and resources.
In general, a basic compliance effort at a high level might consist of the following:
Perform an assessment of what personal data you are processing (for yourself or for others) or are having processed on your behalf. Think of personal data very broadly. Encrypted data, public data, and even a dynamic IP address or a set of personal attributes that can only point to a few individuals can potentially constitute personal data under the GDPR.
Conduct a data mapping exercise, which can be low-tech, in which you pin down what personal data you handle, where it comes from, who you share it with, what you do with it, and what security measures (or risks) the data is subjected to.
While data mapping, engage and work with competent outside data privacy counsel with knowledge of EU data protection laws to develop a plan of action. Keep in mind that the most experienced EU privacy attorneys are extremely busy currently and may not be taking new clients. Also, it may make sense to prioritize externally facing compliance indicators, i.e. those things that draw the notice of enforcement authorities, such as poor handling of data subject rights requests (where failures could trigger data subject complaints), public facing privacy notices that are easily reviewed by enforcement authorities for non-compliance, and preparing the processing records required under Article 30 of the GDPR, which would be one of the first items requested by authorities in an inquiry.
Don’t panic. Good faith compliance efforts, even ones that do not result in 100% compliance, can go a long way with enforcement authorities. To that point, this early in implementing the GDPR, there are many compliance questions where even experts are still unclear, so “full compliance” may remain a somewhat theoretical state for the time being. Also, don’t decide to do nothing simply because the enforcement deadline seems too close or because you want to pursue a wait-and-see approach. Many compliance measures can require relatively minimal effort or cost and will help demonstrate a good faith approach that will place you in better standing in the event of an investigation.