On May 25, 2018, the European Union’s new data protection legislation, the General Data Protection Regulation (GDPR), will take effect. This law heralds a new era of rigorous data privacy and security and makes data privacy a fundamental right for EU citizens. Of course, all EU companies and many multinational companies doing business in the EU have to be fully compliant with this legislation on Friday. What is important to note is that some U.S.-based businesses, even those without employees or offices within the EU, may also be required to comply with the GDPR.
Does my U.S.-based business need to comply with this law?
If your business processes and/or holds personal data of individuals residing in the EU (including employees), or you are marketing/selling products to consumers in the EU, then your business must comply with GDPR. In a broad sense, the GDPR requires businesses to understand what data they are collecting, to be able to articulate why they are collecting it and which of the six categories of lawful processing its purpose falls into, what the business’s strategy is in the event of a data breach, what the timeline for retention of personal data is, and how such data is destroyed when the purpose for collecting and retaining the data no longer exists. There is a record-keeping exception that companies with fewer than 250 employees may qualify for.
But what is ‘personal data’ and what do you mean by ‘processing’?
‘Personal data’ is any information related to a person that could be used to identify that person. This includes the person’s name, identification number, location data or online identifier, email addresses, bank information, social media posts, or other factors specific to the physical, genetic, physiological, economic, mental, cultural, or social identity of that person. The EU is taking a very broad approach to defining ‘personal data’, so it is best to consider almost any information you collect about an EU citizen to be personal data.
‘Processing’ means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.
Most, if not all, of us have a website, and if a German resident stumbles upon our website, the GDPR will likely not apply just because that person found the website. However, if you are actively encouraging EU residents to visit your website, ship your products to the EU, market or translate your webpage in a language of an EU country, or engage with EU residents and process their personal data in any other way (for example, tracking and collecting information on webpage users from the EU to analyze online behavior), the GDPR may be applicable to your business.
The GDPR requires all businesses to protect the personal data of EU citizens, and specifically prescribes how this should be done.
How do I ensure compliance before May 25?
There is a “quick fix” that you can implement before Friday: add a ‘cookie banner’ to your website that allows your business to ask permission before processing an EU resident’s data and also allows you to stop collecting data from any IP address from an EU country if they do not consent.
For the permission or consent to be valid in terms of GDPR, be sure not to use legal jargon or to bury the consent in fine print. Consent needs to be specific, written in plain language, explain what you will be using the personal data for, and be positive (i.e. the person must opt in to allow you to process the data).
Is there more to it?
Yes, the GDPR’s requirements are far-reaching and ensuring full compliance may take a bit more time.
One of the biggest and most important tasks is to map your data, i.e. figure out what personal data you store and collect in your databases (online, on computers, tablets and phones, and on paper), how that data is being used, and how long the data is being stored.
Once you have an idea of your data collection and retention practices, you need to determine what data relates to EU residents.
All EU residents need to consent (i.e. opt in) to your processing of their data, so the business will have to reach out to these residents to obtain consent or, alternatively, destroy the data.
Another key step is to update your data privacy policy and ensure that your business puts the necessary controls in place to adequately process personal data going forward. This policy should be in writing and become part of your existing and future service contracts with third parties.
What if my business doesn’t comply?
The penalties for non-compliance are quite steep: 4% of your company’s worldwide annual turnover of the preceding financial year or € 20 million, whichever is greater, for serious infringements of the GDPR; 2% or € 20 million, whichever is greater, for less serious infringements.
Contact us to schedule a consultation.
Tonya Price (tonya@jrwiener.com)
Francisca Pretorius (francisca@jrwiener.com)