The General Data Protection Regulation (GDPR) was adopted in 2016, strengthening data protection for citizens of the European Union (E.U.). It becomes enforceable on May 25, 2018, following a two-year transition period. This law protects E.U. residents’ data and defines how marketers can use it.
The General Data Protection Regulation (“GDPR”) becomes effective at the end of May. You’ve probably already heard about the GDPR and may be well on your way to compliance. We’ve been working hard to prepare for the GDPR and want to share some high level information with you as you finalize your preparations. This email is provided as a resource, but it is not legal advice, and you should not rely on this information to determine your compliance obligations. Every business is different, so if you have not spoken to legal counsel, we encourage you to do so to determine how the GDPR may affect your business and what you need to do to comply.
What is the GDPR?
The GDPR was adopted in 2016, and comes into force on May 25, 2018 after a two year implementation period. The GDPR, directly enforceable in each European Union (“EU”) member state, will replace the current EU Data Protection Directive, harmonizing data protection law in the EU. The GDPR regulates how any organization that is subject to the GDPR collects, stores, uses, and protects the personal data of people located in the EU.
Does the GDPR Apply To Your Organization?
The GDPR will apply to any organization established in the EU. The GDPR also applies to organizations not established in the EU (i) that process the personal data of individuals in the EU, where the processing activities are related to offering goods or services to EU residents; or (ii) when an organization monitors the behavior of EU residents. Monitoring includes the tracking of individuals online to create profiles, including where this profiling is used to analyze and predict personal preferences, behaviors, and attitudes. The applicability of the GDPR is fact specific and must be made on a case-by-case basis.
I think the GDPR applies to me. Now what?
If you determine the GDPR applies to your organization, you should review all of your data processing activities and understand all of your responsibilities as either a controller or processor of the personal data. You will need to document all of your key business processes that involve the collection, use, storage, transfer or other processing of EU personal data. Make sure you have a legal basis (as defined in the GDPR) for collecting and using the personal data of people located in the EU.
What is new with consent?
You need to have a legal basis, such as consent, to process the personal data of people located in the EU. Under the GDPR, consent must be “freely given, specific, informed, and unambiguous” and must be demonstrable (i.e. auditable). Provide individuals with a clear explanation of the processing to which they are consenting, make sure the consent mechanism is voluntary and “opt-in” (no pre-checked consent boxes), and ensure individuals can easily withdraw their consent. You cannot rely on previous consents if the pre-GDPR consents do not meet the GDPR standard.
What is new with individual rights?
The GDPR also outlines the rights of individuals around their personal data. Data subjects will have the right to ask for details about the way you use their personal data and can ask you to do certain things with their personal data. Under the GDPR, data subjects have new statutory rights, including the “right of portability” and the “right of erasure” (also known as the “right to be forgotten”). A controller must, within 30 days of receiving a data subject request, provide any requested information in relation to any of the rights of data subjects.
Do I need to put any policies and procedures in place?
The GDPR imposes several specific obligations on data controllers and processors, including notice and privacy by design requirements. In some circumstances, data controllers and processors will be required to designate a Data Protection Officer.
Organizations should consider whether their existing privacy notice needs to be updated to reflect the additional rights granted to data subjects under the GDPR, and to ensure privacy notices are understandable and accessible.
Also make sure your organization has implemented appropriate technical and security measures required by the GDPR.
What about the 72 hour breach reporting requirement?
Under the GDPR, data controllers must report data breaches to their supervisory authority no later than 72 hours after having become aware of the breach, unless the personal data breach is unlikely to “result in a risk for the rights and freedoms of natural persons.” In some cases, data controllers may also have to notify affected data subjects. Processors must report personal data breaches to data controllers. Make sure you develop or update your incident response plan.
EU GDPR Portal
Data Protection Commissioner: GDPR
Information Commissioner's Office: Guide to the General Data Protection Regulation (GDPR)