The European Union’s next generation privacy law, the General Data Protection Regulation is being implemented now, and full compliance is required by May 25, 2018. The GDPR will directly or indirectly affect companies in Georgia and around the world that do business in the EU or otherwise process personal data that comes from the EU. Penalties for noncompliance can be as much as 20 million euros (approximately $23.5 million) or 4 percent of an organization’s global turnover, whichever is greater. Meeting GDPR requirements can take some time, so, if your organization is impacted by the GDPR and compliance efforts are not already underway, it is time to get started.
Article 3 of the GDPR asserts a broad extraterritorial reach, so your organization does not have to have EU locations to be affected. Collecting personal data about individuals that are in the EU in the course of offering goods or services is sufficient. If your website includes prices in euros or other EU currencies or has French, German or other EU language versions, your organization could be subject to GDPR. Monitoring behavior in the EU through website tracking tools or other means also could bring an organization in scope. Even if your organization does not collect personal data directly from individuals in the EU, your organization still may be affected indirectly as a result of GDPR contract-related requirements if your organization acts as a service provider (often a “processor” in EU terminology) for someone that is covered.
The GDPR, which builds on existing EU privacy law, consists of 99 articles and 173 explanatory recitals. For organizations with robust programs for compliance with existing EU privacy laws, the GDPR includes a number of new requirements that will require enhanced compliance measures. For organizations new to EU privacy rules, compliance likely will be a heavier lift. Some key areas include:
Basis for Processing, Notice and Consent
Unlike in the U.S., where personal data usually can be processed unless there is a prohibition, under EU law there must be a lawful basis for all processing of personal data.
Consent of the data subject can be one such lawful basis for processing, but it must be freely given, specific, informed and unambiguous. These are not new features of EU data protection law, but the GDPR does include enhanced notice obligations which means consumer notices may need to be revised. GDPR Articles 5-7, 12-14.
For “special categories” of personal data, such as health information, genetic information, biometric information or information about racial or ethnic origin, political opinions, sex life or philosophical, beliefs processing continues to be prohibited except in limited circumstances. Article 9.
Controllers (decisionmakers) are only permitted to use processors that provide “sufficient guarantees” that processing will be done in compliance with the GDPR and contracts with data processors must address specific points identified in the GDPR. Since these are new requirements, existing contracts will need to be amended. Processors also must flow these requirements down to subprocessors and controllers must approve (or at least have the ability to reject) each subprocessor that a processor may want to involve in the processing of personal data. Article 28.
Controllers and processors are required to keep detailed records of their processing activities, including information about the categories of information being processed, the purposes for which data is being processed, the categories of recipients of the data, documentation of transfers to third countries and the basis for that those transfers, a general description of data security measures and, where possible, the anticipated length of data retention. Article 30.
Data Security and Data Breach Notification
The GDPR includes broad data security obligations and, in the event of a data breach, controllers are expected to notify EU regulators within 72 hours of becoming aware of it. Consumers also must be notified without undue delay if the breach is likely to result in harm to the consumer. Articles 32-34.
Data Erasure/The Right to Be Forgotten
The GDPR builds on EU case law to give individuals an enhanced “right to be forgotten.” This right is not unlimited, but it gives individuals the right to have personal data about them erased if certain circumstances apply.
In certain cases, controllers must provide individuals with their personal data in a structured, commonly used and machine readable format and individuals must be able to transmit this information to another controller without hindrance. Article 20.
Data Protection Impact Assessments
Building on concepts of privacy by design, controllers are required to conduct assessments of processing activities, particularly those involving new technologies, which could present high risks to individuals. Article 35.
Data Protection Officer
Controllers and processors that, as part of their core activities, monitor individuals on a large scale or process sensitive categories of data may be required to appoint a qualified data protection officer and provide funding and resources necessary to carry out the DPO’s responsibilities. Articles 37-39.
Transfers of personal data to the U.S. or other third countries lacking “adequate” privacy protections
As is the case under existing EU law, transfers of personal data from the EU to the US or other countries that the EU does not find to have an “adequate” level of data protection are prohibited unless additional safeguards are in place, such as participation in the EU/US Privacy Shield program, use of standard or (“model”) contractual clauses, or binding corporate rules. Articles 45-49.
One of the goals of the GDPR is to create a more uniform set of rules for data protection applicable across the EU and regulators are issuing guidance on an ongoing basis to promote uniform application of the GDPR’s rules. Nevertheless there will be a number of areas where law may vary from one EU member state to another so it is important to consider the law in individual EU Member States where your organization does business.
Kevin Coy is a partner at Arnall Golden Gregory and advises privacy sensitive organizations on U.S. and international privacy and data security issues.