GDPR Is Here – The New European Union Data Protection Regulation Goes Into Force
You’ve probably received a barrage of emails in the past week from a wide variety of websites that you may (or may not) remember having an account with, telling you that they’re updating their privacy policies. The reason: the European Union (“EU”) has reached the official start date of its new General Data Protection Regulation (“GDPR”). It is a wide-ranging regulation that is based on the notion that it “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
But I’m not in the European Union?
The GDPR is striking in its breadth and claims to apply in two circumstances. First, it applies to EU entities that handle personal data, even if the entities outsource the handling of the data outside of the EU.
Second, and importantly for this audience, the regulation claims to apply to companies located outside of the EU that handle E.U. citizens’ personal data. That is a pretty broad claim of jurisdiction, and on its face it would suggest that a U.S. company that got data from an EU person, either for purposes of a commercial transaction or to track their behavior in the EU (e.g., website cookies), is subject to the rule. So, for example, a winery that had a single sale to an E.U. person in its wine club database might appear to fall under the GDPR.
Hold on, how can the European Union tell me what to do in the United States?
The provisions of the GDPR themselves limit these broad jurisdictional assertions, namely by providing that it “does not apply to the processing of personal data … in the course of an activity which falls outside the scope of [E.U.] law.” GDPR Art. 2 Sec. 2(a). So, if you simply happen to acquire the data of an E.U. person in your U.S. database while going about the course of your U.S. business, the GDPR does not apply to you. You don’t have to purge your U.S.-based email lists of E.U. persons, or block them from accessing your U.S.-based website, as long as the activities you are engaged in are solely under U.S. law. And, keep in mind that it only applies to actual people: a person means just that, not a “legal person” such as a corporation. The GDPR does not limit your collection or handling of data on E.U. companies – but it does apply to their individual employees. Additional information can be found regarding when the regulation does not apply here. The European Commission has also begun to promulgate some guidance.
Thus, you should review your particular situation carefully to determine whether or not your activities might be under E.U. law.
Should I just follow the GDPR anyway to be safe?
Even if you are not sure whether the GDPR technically applies to you or could be enforced against you, the GDPR contains a set of provisions that could simply be considered good business practices, even if you have a good argument that they are not legal obligations. The GDPR is high-minded and based on the notion that protecting personal data is a fundamental right. Its provisions include giving users additional rights over whether and how companies use their data, the right to know why and for which purposes their information is gathered, and the right to know for how long the company will retain such data.
So, what do I do?
First, if you don’t want to comply with the GDPR but think you might otherwise be subject to it, you could just delete or block EU persons from your system. You would not be alone in doing that; some large and noteworthy organizations have taken this course.
Otherwise, if you intend to retain EU citizen information in your system and comply with GDPR provisions, you need to determine if you are a “processor” of data or just a “controller.” The terms are fairly self-explanatory: the “processor” of data is the one that actually processes personal data on behalf of the “controller,” who “determines the purposes and means of the processing.”
You also need to determine whether you fall below the threshold of 250 employees that triggers additional record-keeping and other obligations (unless processing of personal data is a regular activity of the business).
Even smaller companies have obligations under the GDPR, though. Those obligations are subject to a general balancing requirement of weighing the risks created against the level of effort needed to address those risks. For example, the amount of data security needed by your organization should take “into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” GDPR Art. 32, Sec. 1. The European Commission has put out some helpful guidance for how smaller businesses should approach complying with the GDPR, complete with a reassuring note that: “The less risk your activities pose to personal data, the less you have to do.”
Unlike many complicated statutes, the requirements of the GDPR are fairly easy to read (well, some of them anyway). Most importantly, the rights of the “data subject” (the person whose data you have) are set out in Articles 13-15 of Chapter III of the GDPR in fairly plain language.
Some steps all organizations that are concerned with GDPR compliance should take include:
- Contact your IT staff and request that they review existing data protection measures to prevent any breach of data privacy, and make appropriate updates – but only to the extent reasonable and proportionate to the risk;
- Update your privacy policies and disclosures to be more transparent with users: explain why you are retaining their information and how long you will retain it, and let them know of their rights to request deletion or transfer of their data;
- Give thought to the type of information you gather, and collect only useful information; and
- Consider your current retention policies, and do not keep data for longer than needed.
In addition, and particularly important for smaller organizations that outsource their IT functions, if you are a controller you must contact your data processor and enter into a new or revised contract in which a number of items set out in Article 28, Section 3 of the GDPR are detailed. But while many of the technical obligations may fall on the processor, keep in mind that controllers remain ultimately accountable for the GDPR’s principles of processing of personal data. You have the obligation to make sure the data you control is treated appropriately: an obligation that isn’t new at all.
This blog post is only a summary and provides only general information regarding some notable portions of the GDPR. It is not a complete discussion of your obligations and not legal advice upon which anyone may or should rely.
For more information about the GDPR’s requirements and your obligations, please contact Joshua S. Devore.