GDPR: The Regulatory Iceberg of 2018

You’re heading into dangerous waters. On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) goes into full effect, and it will almost certainly affect you. If you are not compliant with the GDPR by this date, you could face fines of up to 20 million Euros or 4% of worldwide annual revenue per breach. So it’s important to understand whether the GDPR applies to your business, and if it does, what you must do to comply.

It probably applies to YOU

The GDPR is a comprehensive regulation meant to protect the personal data of EU citizens, wherever that data might be processed. It greatly expands the geographical scope of the EU data protection laws. In fact, the GDPR applies not only to organizations located within the EU, but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU residents. SoUS-based companies will need to comply with the GDPR if they are doing business (or attempting to do business) in the EU and are handling or storing any personal data of individuals residing in the EU.

Personal data is broadly defined

Personal data” under the GDPR is broadly defined and covers far more information than one may initially believe. It comprises any information relating to an identified or identifiable natural person. If information can be used to identify the particular natural person using “all means reasonably likely to be used,” that information is “personal data” under the GPDR. That’s right: data may be “personal data” even if the organization holding such data cannot itself identify a natural person. Names are not necessary for the information to be “identifiable;” any identifiers such as IP addresses, cookies or RFID tags are included.

How to comply

There’s no getting around it. By this time next year, you will need to have done the following:
  1. Adopt accountability and governance measures. New provisions within the GDPR require that companies put governance measures in place so as to minimize the risk of breaches and to protect personal data. The GDPR also requires that in response to a breach, the controller without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the supervisory authority.
  2. Appoint a Data Protection Officer (DPO): Data controllers and processors are required to appoint DPOs to manage all affected data processing operations. The DPO is required to be an expert in data protection law, and must be allowed to act independently, reporting directly to the C-suite.
  3. Perform impact assessments. The GDPR requires data controllers to perform impact assessments before carrying out any data processing that is likely to involve high risks to the rights and freedoms of individuals. If the results of the assessment indicate a high risk, the controller must obtain a prior review by the relevant Data Protection Authority.
  4. Update data transfer policies. The GDPR imposes new restrictions on the transfer of personal data outside the EU.
  5. Implement new policies to accommodate individual privacy rights. Under the GDPR, individuals have stronger rights, including, the right to be informed, the right of access, the right of rectification, the right to restrict processing, the right of data portability, the right to object, rights in relation to automated decision-making and profiling and the right to be forgotten/erasure.
  6. Revise online consents.  If your terms of use are densely worded or confusing, you need to change them. The request for consent must be given in an easily accessible form, clearly indicating the purpose for data processing, and such consent must be clear and distinguishable from all other matters. If you intend to reuse existing data for new or different purposes, you’ll need to explicitly obtain consent to do so. You will also have to obtain parental consent to process personal data of children under 16 years old.
  7. Add “Privacy by Design”  to your development process. Privacy must now be built into any new products, systems, and processes using personal data at the time of development.
  8. Add “Privacy by Default” to your operations. The GDPR requires that the strictest privacy settings be automatically applied once a business acquires a new product, system, or service (no manual configuration of the privacy settings should be required). You will need to document how you have built data privacy protections and processes into the initial design stages of any new project as well as throughout its life cycle.

Steps you need to take NOW

You need to immediately review what kinds of data you handle, from where and how you are gathering such data, how that data are processed, and what security mechanisms, policies, and procedures you have in place already. Then, if you believe you are subject to the GDPR, you will need to review the GDPR to see what you may need to add or modify in order to comply.

 

Written by Ken Moyle, Guest Blog
Digital policy, e-signatures, startups, technology law. Ken holds a B.S./B.A. in Business Administration and a J.D. from University of Washington School of Law. He is a member of the Washington State Bar Association and has been admitted to practice before the Supreme Court of the United States. He also manages public policy for the Washington, D.C.-based Electronic Signature & Records Association.
2018-07-02T10:10:27+00:00