GDPR: What It Means for US-based Companies

December 22, 2016 MARIA SANCHEZ FLORES

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was created to best uphold the fundamental personal information rights of individuals and further unify the member states of the EU in their endeavor to manage and protect data. The GDPR’s predecessor, the Data Protection Directive (the Directive) was in place to afford similar protections to data subjects. However, since the Directive’s adoption in 1995, we’ve seen tremendous changes to the technology landscape and a constancy of cross-boarder data transfers, and we’ve recognized that the protections offered through the previous legislation were antiquated and obsolete.  With the introduction of the GDPR, individuals have been empowered like never before, and organizations bound to the new framework are starting to feel the weight of that.

How it will affect US-based companies

The US stands to be affected directly by the GDPR because the new privacy model applies to any enterprise in the world that targets the European market in offering goods or services or profiles European citizens, and as a result, must process the personal data drawn from those member states. All companies processing EU personal information will have until May 25, 2018 to comply with the reform.  Many of the companies that will be affected directly already have existing policies and procedures around privacy due to their need to be compliant with the previous Directive.  It is important for these companies to note that the GDPR added new protections for EU data subjects that will require revisions of their current privacy and compliance programs.

Data Breach Notification

The GDPR’s breach notification requirements are far more prescriptive and demanding than the Directive and will likely require most US-based companies to amend their breach notification policies and procedures to comply with the GDPR.  In instances where personal data freedoms and rights may be violated, data processors must notify data controllers with undue delay and data controllers must notify the supervisory authority within 72 hours.  The documentation and communication of breaches must be delivered in an outlined form and adequately detail certain key information about what’s occurred and how it’s been handled.  When the timing obligations are not met, an organization must justify delays to said supervisory authority.  It seems as though the GDPR’s battened down the hatches of the upstream and downstream obligations and it may require organization’s to slightly overhaul their data sharing relationships.  However, a likely benefit to come from this effort is that companies will be able to simplifytheir policies and procedures so that they uniformly overarch the expectations of all EU member states US-based and will be able to dispatch a single notice.

Data Protection Officer

Under the GDPR, data controllers and processors may designate a data protection officer (DPO) where the main activities of a company involve monitoring of data subjects on a large scale or when the company conducts large-scale processing of special categories of personal data.  This new requirement can be met with a company’s current privacy or compliance professional.  There is still a great deal of uncertainty as to what the role of the DPO will encompass and what the parameters on appointment are.  Further guidance is to be issued on the matter that American companies should keep an eye out for.

Consent

Under the old Directive, companies were able to rely on implicit and “opt-out” consent in some circumstances.  Under GDPR, silence, pre-ticked boxes, or inactivity will no longer constitute consent. Data subjects must confirm choice by a freely given, specific, informed, and unambiguous statement or a clear affirmative action.  Like with the Directive, GDPR has distinct requirements for processing special categories of personal data, but has added more to the list.  Data subjects must be given the right to withdraw consent at any time.  Lastly, the GDPR has introduced restrictions on the ability of children to provide consent without parental authorization. US-based

Cloud Service Providers Navigating through the GDPR

Data Transfers Across Borders

Companies will be able to transfer data to third countries, territory, or a specified sector within a third country, or international organization so long as they have been granted an adequacy designation. US companies should know that the designation or retraction of the adequacy award is binding in all EU member states.

Right to be Forgotten and Data Portability

The GDPR introduced two new rights for data subjects. The right to be forgotten was codified to allow individuals to request the deletion of their personal data.  The GDPR also gives the data subjects the right to receive data in a common format and to have their data transferred to another controller if the data subject so requests.

Vendor Management

Under the GDPR, the controller is liable for the actions of the processors they choose. It is important that US-based companies carefully choose their processors.  A relationship between a controller and a processor should be governed by a contract. The contractual relationship should include details around the data itself, retention periods, disposal requirements, the nature and purpose of the data, etc…

Pseudonymization

Under the GDPR, personal data does not include data that does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.  US companies who familiar with HIPAA may be familiar with this concept given it’s similarities with de-identification of protected health information. The GDPR plainly endorses the use of pseudonymization and there are incentives for companies who choose to apply it to the data that they collect.  US-based companies should explore this method as an option if it is not something they currently do with the personal data they collect and/or process.

Code of Conduct and Certifications

Due to the difficult task of ensuring that each company is compliant with the GDPR, codes of conduct and certifications have been endorsed as guidance to the requirements and as proof of compliance.  US-based companies should familiarize themselves with the differences in each to ensure they choose the best one for their business model.

Enforcement and Fines

The new enforcement procedures and fines associated with the GDPR are perhaps what have most companies nervous about. The hefty fines associated with the non-compliance of the GDPR can reach the millions or even billions of dollars.  Violators will be placed in one of two tiers, with the higher tier costing violators up to over 20 million euros or 4% of the company’s net income.

Conclusion

The GDPR has revealed itself to be the highest denominator in privacy doctrine in history.  It’s greatly broadened its definition of personal data and overhauled or bolted on principles that will take some time for organizations to tackle, even if privacy-mature and familiar with the Directive.  May 25, 2018 may seem like an eternity away as we only near the end of the 2016, but be assured that the GDPR was intentionally designed with a long fuse given the necessary reform it involves.  Albeit challenging maybe for US-based companies in certain respects, the GDPR must be hailed as an awesome step in the direction of promoting the rights of natural persons and should ultimately strengthen global relations and commerce.

Previous Article
The Benefits of a Clean Desk Policy
The Benefits of a Clean Desk Policy

We all have our own ways of creating our perfect working environment. Some of us like to have ph...

Next Article
Can The UK’s Data Privacy Survive Brexit?
Can The UK’s Data Privacy Survive Brexit?

On June the 23rd an unprecedented event took place in the United Kingdom. After many months of i...

×



Subscribe now
to receive content updates once a week

First Name
!
Success
Error - something went wrong!