The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It came into force on May 25, 2018, replacing the Data Protection Directive passed in 1995. The Directive had resulted in a patchwork of national laws and compliance challenges. The purpose of the GDPR was to provide a single uniform law governing the protection of personal data across the EU.
The GDPR was also intended to clarify, strengthen, and modernize data protection, particularly given the profound changes since 1995 in the use of personal information on the Internet. The GDPR permits fines of up to 4% of annual revenue and expands its application outside the EU, which is why it is receiving so much attention here in the U.S.
How do I know if the GDPR applies to our company?
The GDPR applies to your company if:
You are “established” in the EU. There is no precise definition of being “established” in the EU. Recital 22 of the GDPR explains that establishment “implies the effective and real exercise of activity through stable arrangements” in the EU. So it could be, for example, maintaining offices there, or possibly something less.
OR
You offer goods or services (whether free or paid) to, or you monitor the behavior of, EU residents. The mere ability of someone in the EU to access your website does not count as offering goods and services to EU residents. However, if you have an e-commerce site that has currency conversion to euros or has offerings tailored to the European market, then you are likely subject to the law. If you do not intentionally target the EU market, but you have a significant percentage of EU customers, you may have a hard time claiming you are not covered by the law. Monitoring of EU residents would include things like tracking an EU person’s activity across the Internet through behavioral advertising.
The other way you may face compliance obligations is if you are acting as a processor for a controller (e.g. a customer) that is subject to the GDPR. For example, if you have a customer with an EU division and you process EU personal data for them, then you’re subject as a processor under the GDPR and will have contractual exposure for compliance pursuant to the agreements you must have with the customer under the GDPR.
What is Privacy Shield and do I need to be certified?
The GDPR attempts to ensure that when personal information leaves the EU, it is covered by substantially the same protections it enjoys in the EU. A few countries (not the US) have been deemed to have sufficient protections such that transfers to those countries are automatically acceptable.
Privacy Shield is an agreement between the EU and US to allow these data transfers out of the EU to the US. While there are other mechanisms under the GDPR to make this export of personal data compliant, if you are collecting personal information directly from individuals in the EU in a B2C context, then certifying to Privacy Shield is generally the only practical way to handle that export.
Keep in mind, Privacy Shield does not equal compliance with the GDPR. It only addresses the issue of the transfer out of the EU. Also, keep in mind that a small US business may be outside the practical enforcement reach of the EU. However, if you certify to Privacy Shield, you are expressly agreeing to be subject to enforcement in the US by the FTC (or DOT). Certain organizations like non-profits are not governed by the FTC or DOT and therefore cannot use Privacy Shield.
Finally, be aware that Privacy Shield has been under attack by EU privacy activists almost since its enactment, so it’s possible it may not last forever, at least in its current form.
My customer/vendor is asking me to sign a Data Processing Agreement. Do I need to sign it and what happens if I don’t?
The GDPR divides the world up into “controllers” and “processors.” Controllers are those choosing the purposes and means of the processing. Processors simply process data on behalf of a controller. Both controllers and processors have direct compliance obligations under the GDPR.
For example, if App Co. operates a consumer mobile app, App Co. is the controller. If App Co. hosts its app on Amazon Web Services, then AWS (since it has access to the data on its servers) is a processor of App Co. AWS may, in turn, have its own processors (referred to as subprocessors) and so on.
Companies are obligated to have agreements with their processors that flow down certain compliance obligations (see Article 28). These are often referred to as Data Processing Agreements (DPAs). If you’ve received a DPA for signature, it means someone with whom you do business believes you and they are sharing personal information in a way that requires a DPA.
If you sign a DPA as a processor, you’re generally agreeing to various GDPR compliance obligations for which you’d have contractual liability for breach of the DPA. If you refuse to sign one, you are likely signaling to the other party that you can’t or won’t comply with the GDPR and, assuming you are in fact sharing personal data subject to the GDPR with the other party, you’d be violating Article 28 requiring a DPA.
What about all these emails updating privacy policies and asking for my consent? Do we need to do that?
Many companies updated their privacy policies to comply with the GDPR, resulting in a flurry of emails notifying people of those updates. However, some emails asked for your consent to receive further marketing emails. Email marketing is governed not just by the GDPR insofar as it uses personal information, but also by the so-called ePrivacy Directive, which has been in effect for years, governs communications (e.g. phone, email, texts), and is responsible for those cookie banners seen mostly in the EU. This area can be very complex, but companies are likely seeking these consents for one of two reasons.
First, the GDPR has heightened the standard of what constitutes valid consent. To the extent a company relied on a true opt-in consent pre-GDPR to send email marketing to someone, they would have to refresh that consent to GDPR standards. However, much email marketing is based on a so-called “soft opt-in” where a customer is given the ability to opt out of email marketing at the time of purchase, which handles ePrivacy compliance, and the company can rely on “legitimate interests” rather than consent for GDPR compliance. See these great articles here and here by Phil Lee of Fieldfisher for further information. Note that B2B email marketing has fewer requirements under ePrivacy and generally just an opt-out is sufficient.
However, others may be asking for your consent because they are uncertain as to how they collected your personal information in the first place and their legal grounds for doing so, so they are trying to remediate their list by asking for your consent. This is dangerous ground, and people are more inclined to file a complaint in response to what they feel is improper marketing to them. If you have such an email list, seeking fresh consents won’t remediate the list. It will just be another non-compliant marketing email, and companies have been fined for trying to remediate their lists by seeking opt-ins. Regardless, if the recipient doesn’t respond, you must treat their silence as opting out of your marketing emails, and you should not send “do you really mean it?” follow-up emails.
What does a GDPR compliance effort look like at a high level?
At a very high level, a compliance program might look like the following:
- Assess what personal information (or “personal data”) you are handling and how much of it might be EU data. Keep in mind personal data includes encrypted data, public data, simple names and emails and indirect identifiers.
- Perform a data mapping and inventory exercise to identify what personal data you handle, where it comes from, who you share it with, what you do with it, and what security measures (or risks) the data is subjected to.
- Hire competent EU data privacy counsel to help assess and develop a plan of action. Determine in what respects you are a controller and in what respects a processor. Develop an understanding of the GDPR principles and core requirements.
- Enter into DPAs where you share personal data.
- Address cross-border transfers of personal data (e.g. Privacy Shield).
- Purge stale personal data and minimize future collection of personal data.
- Evaluate your data security policies and practices and tighten up gaps.
- Implement or update internal policies like disaster recovery, incident response and data retention, and train staff on them.
- Revise your outward facing privacy policies or notices to meet GDPR transparency requirements and otherwise address your disclosures in collecting the data.
- Implement policies and procedures to properly handle requests from individuals invoking their rights under EU data protection law.
- Think about your email marketing activity relative to the GDPR and the ePrivacy Directive.
- Appoint a data protection officer (Arts. 37-39) and an EU representative (Art. 27) as necessary.
- Maintain processing records per Article 30.
What’s my practical risk if I do nothing or am not fully compliant?
First, it’s better to be e.g. 40% compliant than 0% compliant. The EU has a history of going easier on those who are making a good faith effort to comply in light of their size and resources.
Think of your practical risk. If you are processing basic EU names and emails on a relatively minor scale for your own purposes, are not doing anything egregious with the data, are not Privacy Shield certified, and have no assets or operations in the EU that could be targeted, then EU authorities would probably not prioritize you for enforcement and likely wouldn’t be able to reach you as a practical matter, although you may suffer reputational harm for violations.
If you’re acting as a processor, particularly for a larger company, you have the exposure of losing their business because you are non-compliant. Or, if you simply sign their DPA (or have e.g. privacy compliance obligations in your underlying contract with them), but are not compliant or breach it, you’ll have contractual exposure to the company.
To the extent you do have practical exposure, there are a variety of enforcement mechanisms under EU law from investigations to rights to compensatory damages of individuals to fines of up to the greater of 20M euros and 4% of global annual revenue. Needless to say, focus your compliance resources where you determine you have the greatest exposure.