A brief overview of the GDPR and how it may potentially impact US businesses.
On May 25, 2018, the General Data Protection Regulation (GDPR) took effect. As the full impact of this legislation is still being analyzed, many online business owners are asking “what exactly is the GDPR?” and “will it affect my U.S. based business?” This article is intended as a general overview of the GDPR, what it is, and what types of businesses may be affected. However, the information below is not intended to be taken as legal advice, or as a substitution for legal counsel. If you have any questions about the information below, or if you think your business may be regulated by the GDPR, you should contact an attorney for a more detailed assessment.
The GDPR and What it Regulates:
The GDPR is considered one of the most comprehensive frameworks of modern legislation regarding digital privacy. This regulation is intended to protect personal data of European Union (EU) citizens, and generally governs how that data is collected, stored, processed, and destroyed.
The GDPR affects all businesses that directly target or profile EU residents, or that otherwise process personal data of EU residents, regardless of whether or not that processing is conducted within the EU. Therefore, it is possible that U.S. companies may be directly affected by GDPR.
Under the GDPR, personal data is broadly defined as “any information relating to an identified or identifiable natural person.” Such information can include “name, identification number, location data, an online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of a person.” In addition, personal data can include internet protocol (IP) addresses, cookie tracking identifiers, social media posts, online contacts, and mobile device identifiers.
On the positive side, the GDPR does not generally apply to online content or marketing that happens to be accessible throughout the Internet. Just because an EU resident can access and view your website does not automatically subject your business to GDPR regulation. However, the “targeting” or “profiling” required by the GDPR can occur if a U.S. business accepts EU currency, has an EU domain extension, offers shipping for an EU country, monitors behavioral trends of EU citizens, or markets or provides translation in a language of an EU country.
The GDPR can further apply if a U.S. business is either a data controller or data processor of EU personal data. A data controller collects and manages personal data, and a data processor simply processes personal data on behalf of a data controller. Under the GDPR, both the data controller and processor may be liable for processing data of EU citizens.
Key Privacy Issues Under the GDPR:
Consent: All individuals who are protected by the GDPR (protected parties) must freely give valid, legal consent before their personal data is collected or processed. Any such individual may withdraw that consent at any time. Parental consent is also required for children under the age of 16.
Data Protection Officer: Outside of narrow exceptions, businesses that are regulated by the GDPR must designate a data protection officer (DPO) to monitor data-involved activities and ensure compliance with data protection regulations. Failure to appoint a DPO is an offense subject to fines.
Encryption: Businesses are highly encouraged to encrypt personal data. The GDPR also provides incentives for companies who take appropriate measures, including:
- Employing pseudonyms and encryption to protect data;
- Maintaining confidentiality, integrity, availability, and resilience of processing systems and services;
- Promptly restoring data after a physical or technical incident;
- Developing a standing process for testing and evaluating organizational security measures.
Information Obligations: Data controllers and processors must be transparent with protected parties about the collection of their personal data. The communication requirements apply equally to data obtained either directly or indirectly from the protected party.
For data that is collected directly, the protected party must be immediately informed of several details, including but not limited to the identity and contact information of the controller and the controller’s DPO, the purpose and legal basis for processing the data, any recipients of data, and if the controller intends to transfer data to another country or international organization.
For data that is collected indirectly, the protected party must be informed of the same information listed above within a reasonable period, not longer than 1 month, after the data has been collected.
Privacy by Design: Data controllers are required to implement appropriate technical and organizational measures to ensure that only necessary data is processed for a specific purpose.
Records of Processing Activities: Data controllers must maintain written records of data processing procedures. The records must include information about the data processing, a description of data and recipient categories, the purposes for the processing, time limits for erasure, and the technical or organizational security measures that have been implemented.
Rights of Access: Protected parties have a right to access their personal data. Upon request by a protected party, a data controller must provide the requested information without undue delay. If an individual’s request cannot be fulfilled within 1 month, the data controller must inform the individual of the time extension and justify the delay.
Right to Be Forgotten / Right of Erasure: The GDPR provides that protected parties have the “right to be forgotten,” which allows individuals to request deletion of their personal data.
Notification of Breach: Data controllers must report a breach of personal data to the supervisory authority within 72 hours. Notifications must be accompanied by a report detailing the breach and any remedial actions taken. If the timing requirement is not met, the data controller must provide reasons for the delay.
Fines / Penalties: Noncompliance with GDPR may result in steep fines, up to 4% of a company’s total global revenue from the preceding fiscal year or €20 million, whichever is greater.
The points above are intended only to serve as a general discussion of the GDPR, and are by no means comprehensive. There are many far-reaching implications of the GDPR, and the full impact of the regulation is still being analyzed. It is possible that some of the GDPR terms will have an even wider application than initially anticipated. If you believe that your business may be affected by the GDPR, or if you have any questions about what steps you can take to minimize your liability, you should contact an attorney to discuss and assess your business in more detail.