The European Union’s General Data Protection Regulation, or GDPR, takes effect on May 25, 2018, and will have major implications for businesses with connections to Europe.
GDPR is designed to protect an individual’s right to control the use of his or her personal data and is broadly drafted to apply to a wide range of personal data on any natural person, regardless of his or her nationality. Under GDPR, personal data includes, but is not limited to, customer data (such as dates of birth, mailing addresses, IP addresses, product purchases, and payment information), supplier data, and employee data. Personal data also includes “sensitive data” (which the regulation calls “special categories of personal data”), such as health information and information on race and sexual orientation.
The broad nature of GDPR and its potentially large fines for noncompliance, up to 20 million euros ($24.9 million) or 4% of a company’s worldwide annual turnover for the prior financial year, whichever is higher, are causing alarm among U.S. and European companies.
Our experience indicates that many companies required to be compliant with GDPR are not, and only some have begun the process of reviewing their operations. Companies should take action now to avoid the risk of penalties for noncompliance and other liabilities.
GDPR applies automatically to any company (U.S. or otherwise) that processes personal data in the context of an establishment in the EU and, as explained below, to a company with no EU establishment whose controlling or processing of the personal data of individuals who are in the EU relates to offering them goods or services or monitoring their behavior. Companies may qualify as data controllers (controllers) and/or data processors (processors) under GDPR. A controller is any company or organization that determines (independently or with others) how and for what purposes personal data is processed, regardless of whether the company holds or processes the data itself. A processor is any company or organization that processes personal data on behalf of a controller; processing includes recording, storing, or carrying out other operations on personal data.
A company does not have to process data in order to qualify as a controller under GDPR. As a result, a U.S. company that controls or uses personal data gathered from an individual in the EU will not escape the GDPR’s requirements by shifting the processing or storage of that data to a processor (such as a cloud service company).
Considering GDPR’s broad definitions of personal data and controllers, GDPR could affect virtually every U.S. company in the consumer goods and services industries that conducts business with individuals located in the EU.
However, GDPR does not apply to every U.S. company or organization that controls or processes the personal data of individuals in the EU. Generally, if a company does not have an “establishment” in the EU, such as an office or other location at which it conducts activities, GDPR will not apply unless the company’s controlling or processing of personal data relates to:
- Offering goods or services to individuals in the EU; or
- Monitoring behavior of individuals within the EU, such as profiling individuals for business purposes.
Whether a company has offered goods or services to individuals in the EU must be determined on a case-by-case basis. For GDPR to apply to such a company, it must be apparent that the company “envisages” that activities will be directed toward individuals in the EU.
GDPR generally will not apply to a U.S. company that controls or processes personal data of individuals located in the EU if the company does not: (1) have an establishment in the EU; (2) offer goods or services to individuals in the EU; or (3) monitor the behavior of individuals within the EU. For example, a U.S. hospital that provides healthcare services to an EU citizen in the U.S. would generally be outside the scope of GDPR.
GDPR requires controllers and processors to ensure that an individual’s rights with respect to his or her personal data are respected. The steps this requires include, but are not limited to:
- Ensuring that the company has a lawful basis for processing the data; clear and affirmative consent is one such basis, but not the only one.
- Implementing technical and organizational data protection measures.
- Conducting “data protection impact assessments” on the company’s high-risk data processing activities.
- Keeping records of the company’s processing activities and of decisions related to that processing, so that compliance can be demonstrated to a supervisory authority on request.
- Determining whether a data protection officer (DPO) must be appointed by the company to oversee the protection of personal data controlled or processed by the company.
- Documenting personal data breaches (not only unauthorized disclosure, but also accidental or unlawful loss, destruction, alteration, or access) and notifying the company’s supervisory authority or authorities in the EU, where feasible within 72 hours of becoming aware of the breach, and, in some cases, affected individuals. A processor that detects a breach must notify the controller without undue delay.
GDPR imposes additional requirements on the use of an individual’s sensitive data, such as limitations on the purposes for which such data may be processed. GDPR also has strict requirements for cross-border transfers of personal data outside the EU, including transfers to the U.S.
Due to the complex nature of these requirements, we advise companies to assess all aspects of their business involving the personal data of individuals located in the EU, including their internal structure for processing and/or controlling such data.
Each of the 28 EU member states has a “supervisory authority” that can enforce GDPR against controllers and processors. Individuals may also sue companies under certain circumstances for data breaches.
Company assets within the EU will be subject to enforcement actions, while company assets outside the EU will be more difficult for EU supervisory authorities and individuals to reach. U.S. companies having no physical presence or assets in the EU may still be subject to enforcement in other ways:
- Supervisory authorities may bar non-compliant companies from doing business in their respective member states.
- Non-compliant U.S. controllers or processors may be subject to contractual actions by their EU clients.
- U.S. companies that have elected to obtain Privacy Shield certification to engage in cross-border transfers of personal data could be subject to enforcement by the U.S. Federal Trade Commission in the event of a violation.
Steps to Compliance
Companies and organizations that have not already done so should begin the process of becoming GDPR-compliant by assembling a GDPR compliance team and defining its role. The team should:
- Formally assess the company’s collection, use, and retention of personal data and how the company obtains consent from individuals in the EU to use their personal data.
- Identify and assess existing and potential risks with respect to the use of personal data by suppliers, vendors, and partners.
- Assess the state of the company’s cybersecurity program and how personal data is protected.
- Determine whether a DPO must (or should) be appointed to lead appropriate efforts.
- Present the results of the above efforts to the company’s governing board.
The company may also consider engaging legal and compliance advisers to assist with the above steps.
Edward Cyran is an associate at Fox Rothschild and member of the firm’s privacy and data security practice. Bill Shipp is co-founder of Vaxient Cybersecurity and Risk Management services based in Philadelphia. Jonathan Marks, CPA, is a partner at Marcum.