How Does the EU Data Privacy Regulation Affect U.S. Businesses?
What is the GDPR?
Unlike the U.S., the European Union has a single, uniform data privacy law. The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and has a broad cross-sector scope that affects many foreign companies, including U.S. companies.
This regulation relates to both data privacy and data security. Data privacy is the right to control how information is collected and used; it focuses on the use and governance of data. Data security, on the other hand, focuses on protecting data from threats such as attacks and the exploitation of stolen data.
The GDPR applies to:
Businesses established in the EU that process personal data; and
Businesses outside the EU – if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.
Mere accessibility of a website from the EU is not, on its own, enough to show an intention to offer goods or services there. The GDPR requires intent to offer goods or services in the EU, not merely the availability of, for example, a website; intent to market is what matters. Therefore, the GDPR applies if a business is established within EU territory or is marketing goods or services to individuals in the EU, and the citizenship of the user is irrelevant.
What is Personal Data?
Personal Data is any information relating to an identified or identifiable natural person (known as a “data subject”). It includes a name; an identification number; location data; an online identifier; and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR regulates several moments in the lifecycle of personal data, including collection, processing, storage, transmission, and disposal.
Who Must Comply with the Law?
There are several types of parties who collect and use Personal Data, including “controllers” and “processors”. Controllers are typically the persons or organizations who collect the data. The data controller determines the purposes for which, and the means by which, personal data is processed. So, if your company or organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within the organization do so to fulfil the organization’s tasks as data controller. Processors typically process the personal data only on behalf of the controller. The data processor is usually a third party external to the company. The relationship between controllers and processors is governed by a data processing agreement.
How Can Organizations Collect Data?
In order to collect or process personal data, an organization must have a legal basis for doing so. The GDPR requires that any organization processing personal data have a valid legal basis for each processing activity. The GDPR provides several legal bases for processing, including:
Consent;
Performance of a Contract;
Legitimate Interest;
Vital Interest;
Legal Requirement; or
Public Interest.
Consent occurs when the data subject has given permission for the organization to process his/her personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw. Therefore, organizations need to be careful when using consent as their legal basis. An example of consent is the age box that a user may check when accessing content that is age-restricted.
Performance of a Contract occurs when the data processing activity is necessary to enter into or perform a contract with the data subject. An example of this is when a user provides his/her mailing address for an e-commerce purchase.
Legitimate Interest applies to processing that a data subject would reasonably expect from an organization to which they have given their personal data, such as marketing activities and fraud prevention. If legitimate interest is used as the legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the benefit of the processing activity outweigh any risks to the data subject’s rights and freedoms? If the answer to either question is “no,” the organization cannot use legitimate interest as its legal basis for processing.
Vital Interest covers the rare processing activity that may be required to save someone’s life. This is most commonly seen in emergency medical care situations.
Legal Requirement arises when a processing activity is necessary to comply with a legal obligation, such as one imposed by information security, employment, or consumer transaction law.
Public Interest covers processing carried out by a government entity or by an organization acting on behalf of a government entity.
What are the Rights of Data Subjects?
Persons (i.e., “Data Subjects”) are entitled to several rights with regard to their personal data, including:
Right to be informed – about the collection and use of their personal data;
Right of access – to their personal data;
Right to rectification – data subjects can ask data controllers to erase or rectify inaccurate or incomplete data;
Right to erasure – data subjects have the right to ask organizations to delete their personal data if: the data has been processed unlawfully; the organization no longer needs the data for the original purpose (and has no new lawful purpose); or the organization relies on consent to process the data and the person withdraws it;
Right to restrict processing – individuals can ask organizations to restrict the processing of their personal data if, for example, they believe their data is inaccurate (organizations should stop processing until they verify the accuracy of the data), or if the processing is unlawful but the individual does not want the data erased;
Right to data portability;
Right to object to processing;
Rights in relation to automated decision-making and profiling.
How can Organizations Comply with GDPR?
Compliance with the GDPR starts with a data map: a flow chart of what information is collected, where it is stored, to whom it is transmitted, and every other process it passes through until its final disposal or return. Organizations must then develop a compliance roadmap that identifies the specific implementation tasks needed to achieve or improve alignment with the GDPR, keyed to the provisions that require them. But remember that compliance is a process rather than a project. Organizations should develop systems and empower staff to maintain compliance with the GDPR on an ongoing basis. This means developing and implementing the governance, operational, and technology components the organization needs in order to comply with the GDPR.
What are the Risks of Non-compliance with the GDPR?
Some of the risks associated with non-compliance are:
Public relations fallout;
Loss of business;
Fines and penalties; and
Class action lawsuits.
Public relations fallout from a security breach can expose an organization to news and media coverage, which will likely result in decreased public trust and a loss of customers.
Loss of business can also result from relationships with other companies and organizations that are within scope for GDPR compliance obligations, for example contractors who may themselves be required to be compliant. Such third parties may stop doing business with your organization, because they are required to work exclusively with GDPR-compliant businesses.
Fines and penalties, known as regulator fines, may result from non-compliance and can reach up to 4% of annual global turnover. As examples, British Airways was fined $229 million and Marriott Hotels $123 million for GDPR violations.
Class action lawsuits may be brought by customers whose personal data was breached.
Who Enforces the GDPR?
The EU’s Information Commissioner’s Office (ICO) is responsible for enforcing GDPR.
*Disclaimer: this blog post is not intended to be legal advice. We highly recommend speaking to an attorney if you have any legal concerns. Contacting us through our website does not establish an attorney-client relationship.*