Preparing for the European Union’s General Data Protection Regulation: A Brief Overview for U.S. Companies
The European Union’s General Data Protection Regulation (“GDPR”) will come into effect on May 25, 2018. Many American companies are unaware of GDPR requirements and unprepared for its imminent arrival. This Article summarizes key provisions of the GDPR and outlines steps US companies should consider in anticipation of its effective date. If you have questions after reviewing this article, please don’t hesitate to contact us.
A Summary Of Certain Key Provisions of the GDPR
The GDPR applies to non-EU organizations, including U.S. companies, that process personal data of individuals or data subjects located in the EU. The GDPR expands existing EU data protection law in numerous ways, including the following:
· “Personal Data” is defined more broadly. In fact, the reach of the revised definition may surprise some as it includes data not previously considered to be personally identifiable information or “PII”, such as IP addresses.
· The processing of Personal Data must be lawful, fair and transparent.
· Personal data may only be collected for specified legitimate uses and may not be kept longer than is necessary for the purpose for which it was collected.
· A robust duty to delete data after it is no longer needed will be instituted.
· More explicit notice and consent requirements are imposed on the data controller, the entity amassing the data. The consent of the data subject whose personal data is being collected must be freely given, specific, informed and unambiguous.
· Increased attention is paid to data security measures as well as to the types of data.
· Breach notification rules are tightened.
· The data subject is given broader rights to require that his or her data be deleted from a database, in other words, to exercise “the right to be forgotten”.
· Personal data may only be transferred out of the EU to a jurisdiction which provides adequate safeguards for that data.
· The GDPR applies equally to data controllers who amass information and data processors who get information from controllers.
Preliminary Steps US Companies Should Take To Prepare
Failure to comply with the GDPR can subject violators to significant penalties. US companies processing EU data, or planning to do so, should take measures to ensure compliance. Some preliminary steps include the following:
· Determine if your company is subject to GDPR as a threshold matter.
· Review existing privacy policies to ensure the new notice and consent requirements are met and consider revisions to existing policies if not.
· Review data security protocols and determine if a DPIA (Data Privacy Impact Assessment) is necessary. A DPIA may be required if new activities are undertaken with respect to the processing of personal data. The DPIA will identify potential shortcomings in how personal data is handled.
· Appoint a Data Protection Officer if your company’s primary activities consist of processing which requires regular and systematic monitoring of individuals on a large scale or if the processing concerns certain types of sensitive data. Note: The activities of the company and not the size of the company determine whether a DPO is necessary.
· Review the data security measures of your vendors to ensure that those vendors which handle personal data also provide sufficient protections, and revise your existing vendor agreements to address GDPR compliance matters. A company is responsible for ensuring that it uses vendors which also comply with GDPR.
· Consider becoming “Privacy Shield” compliant in order to transfer data out of the EU.
· Prepare Binding Corporate Rules or Model Contractual Clauses to meet the adequate safeguards requirement for transfer of data out of the EU.
Why It Matters
Customers in the US and EU and indeed throughout the world are increasingly concerned with the privacy of their personal data. In addition to avoiding penalties for non-compliance, compliance with GDPR demonstrates to customers that your company has their interests at heart.
Please note that the foregoing is not intended to be an exhaustive summary of the GDPR or of the steps required to become compliant, nor is it intended as legal advice. For customized recommendations and guidance concerning your EU data security and compliance, please contact us directly.