The General Data Protection Regulation (GDPR) was signed into law in May 2016. A common refrain amongst clients in the United States is that it doesn't apply to them. Many U.S. companies, including law firms, have recently discovered that not only does GDPR apply to American companies, but failure to comply with the GDPR is going to be extremely costly. According to a recent PwC survey, most multinational American companies have made GDPR their top focus, and 77 percent budgeted at least $1 million to comply with the law.
Generally, the GDPR applies to EU companies; however, if your U.S. company or law firm chooses to do business in the EU, the GDPR may apply to you. The GDPR regulations are about the data, not where your company is based. Does your company have a representative in the EU, or offer goods or services there? If the answer is yes, the GDPR will likely apply to your U.S.-based company.
The GDPR also applies to online businesses that own a website accessible by EU citizens, if that website collects personal data. Since the definition of personal information includes online identifiers such as cookies, the GDPR has implications for huge numbers of U.S. businesses. The GDPR defines personal data as "Any information relating to an identified or identifiable natural person." That includes names, addresses, telephone numbers, email addresses, credit card details, IP addresses, financial information, social media posts and medical information. Under the GDPR, personal data does not include data that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is no longer identifiable, i.e., key-coded data. The GDPR applies to all companies that do business with customers in the EU member states, with the exception of law enforcement agencies or cases where data is collected for national security activities.
The GDPR also applies to organizations of all sizes. If you collect or process data on EU citizens, GDPR compliance is not optional. Further, under past regulations, if you processed data for another company (the controller), it was that company that had to comply. Now the GDPR applies to both processors and controllers. Under the GDPR, the controller is liable for the actions of the processors it utilizes. Both parties are now responsible for data privacy protection.
The GDPR will be replacing the current EU Data Protection Directive. The goal of GDPR is for widespread unification and standardization of data privacy requirements across 28 EU member states. The purpose is to give customers control over how their personal data is collected, protected and used.
The GDPR has several robust requirements. Companies need to implement controls to ensure the confidentiality of their customers' data. The GDPR requires companies to be able to show that they have implemented effective policies and procedures in compliance with data protection principles. An organization must take affirmative steps to train its employees on the correct handling of data. A company must document what personal data is held, where it is stored, where it came from, how and why it is processed, and with whom it is shared. Businesses will be responsible for assessing the degree of risk that their processing of data poses to their customers. Further, under the proposed "privacy by design" requirement of the GDPR, companies will need to design and implement policies and procedures at the outset of any product or process development. The company must take a "risk-based approach" to this implementation, taking into account the purpose, scope and context of the processing of the data and the implications for the data subjects in the event the data is compromised.
The GDPR now formally recognizes Binding Corporate Rules (BCR) for processors and controllers. Prior to the GDPR, the standard contractual clauses included a prior notice and approval requirement. Now the BCR may be used without prior approval. The GDPR also allows for organizations to transfer data to third countries if they have been granted an adequacy designation.
The GDPR's breach requirements are far more demanding than several U.S. directives and regulations. When personal data rights may have been violated, the GDPR requires the company to notify the supervisory authority within 72 hours. The company must provide detailed documentation and communication of the breach, including "adequate" detail of the breach and how it has been handled. If the 72-hour deadline is not met, the company must provide justification for the delay.
Data controllers and processors may need to designate a Data Protection Officer (DPO). There are three specific instances where a DPO is required. A DPO is required when the "core activities" of the company consist of "regular and systematic monitoring" of data subjects on a "large scale." A DPO is further required when an organization's "core activities" are "large scale" processing of sensitive data or data relating to criminal convictions and offenses, religious or philosophical beliefs, political opinions, racial or ethnic origins, health or genetic data. Lastly, a DPO is required of public authorities, with the exception of courts. Other circumstances may also require an organization to appoint a DPO. The DPO must be knowledgeable about the GDPR and will oversee compliance in data collection, storage and processing. This person must also have a sufficient understanding of the company's technical and organizational infrastructure.
Organizations must obtain consent from customers, including website customers, that is both informed and unambiguous. A company must inform its customers how their information will be collected and used. Parental consent is mandatory before accessing children's personal data. Further, processing data after consent has been withdrawn, or processing it unlawfully, directly violates the GDPR.
Companies are required to be in compliance with these regulations by May 25, 2018. The penalty for non-compliance with the GDPR for enterprises is up to €20,000,000 ($23,138,200) or 4% of the company's global annual turnover for the previous fiscal year, whichever is greater. For less serious infringements, a company is subject to a fine of up to €10,000,000 or 2% of global annual turnover, whichever is greater. If a company fails to comply with these requirements, it will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are kept up to date.
If you are unsure whether the GDPR affects your business and whether you need to be compliant, seek advice from compliance experts who can counsel you accordingly. This applies to law firms as much as to any other company.