GDPR D-Day: If Not Prepared, It Could Cost You Europe
GDPR D-Day: May 25, 2018. If you are not prepared, the results could cost you Europe.
In the U.S., we’ve had a pretty business-friendly approach to consumer data protection. And while federal and state authorities have their respective consumer protection laws, there is no single federal law that clearly defines U.S. policy on how consumer data may be collected and used. Businesses have come to view customer data as a potential gold mine, and the ease and cost-effectiveness of data collection as a gold rush.
Things are different across the pond. Historically, the E.U. and its member states have been diligent in protecting the consumer and consumer data. It started in 1995 with the E.U. Data Protection Directive. U.S. businesses have had to be mindful of the Directive insofar as their business involved E.U. citizen data, but they have been able to operate under a freer regime than the one imposed in Europe. The Directive’s successor, the General Data Protection Regulation (“GDPR”), however, changes things substantially, even on this side of the Atlantic.
The GDPR is both comprehensive and extensive, covering businesses both in and outside of Europe. If you have an E.U.-based establishment, if you offer goods or services to people in the E.U., or if your business involves monitoring individual behavior within the E.U., you likely will be required to adhere to the regulation. Given the significant compliance requirements and the hefty penalties for non-compliance, we suggest you gear up and prepare sooner rather than later.
What Lies Beneath. To best prepare for the GDPR, we recommend you become familiar with the underlying rationale. The regulation begins with the principle that “[t]he protection of natural persons in relation to the processing of personal data is a fundamental right.” The drafters of the regulation approached data privacy with an eye toward (1) empowering and informing individuals as much as practicable and (2) limiting businesses’ individual data usage to what is necessary.
Strategic Thinking. Some general concepts that businesses should adopt, as they develop their approach to GDPR compliance:
- Mine/Not Mine:
Personal data is “their” information, not “yours.” To operate your business within the framework of the GDPR, you may need to change the way you view, and the way you value, personal data. It is not a gold rush for data mining (and capitalizing on that data). The GDPR puts the rights to data, and to how it is used, in the hands of the individual “data subject”: personal data should be viewed as the property of the individual. Businesses need to respect individuals’ data ownership rights.
- Serve Your Subjects:
Since “data subjects” are primary stakeholders in their data and how it is used, you will need to ensure you obtain individuals’ explicit and affirmative consent. You will also need to keep individuals up to date on any developments in how their data is used and (potentially) how their data may have been compromised. Bundled consents and blanket notices need to be a thing of the past. The GDPR requires that consent be clear, affirmative, and freely given. You need separate consents for different data usage elements. Notice must be given in a clear, concise, transparent, and easily accessible way: you must tell data subjects what data is used, why, and when, as well as their rights to and over the data. Data subjects’ rights are numerous and include the right to access, port, correct, erase, or restrict data.
There are some enumerated exceptions under which you can process data without needing to get the consent of the data subject. You should assess these exceptions further if you think you qualify. They include: (1) processing that is necessary for contract performance, (2) processing to comply with a legal obligation, or (3) processing necessary for enumerated legitimate interests (e.g., for internal administrative purposes or to prevent fraud). But even if you don’t have to get an individual’s consent, you are still required to provide them notice of how their data is processed.
- One Size Does NOT Fit All:
Instead of striving to capture and hold onto as much data as possible, you should tailor your data usage to what is necessary, and you should retain that data only for as long as necessary. The GDPR requires that there be an established and documented legal rationale for your data usage, including a legal basis for any follow-on data processing that may transpire. It is also important to develop data-protection-by-design measures that ensure privacy is part of any new processing or product deployed. You should incorporate measures like pseudonymisation of data where practicable and retention policies tailored to meet business and legal requirements. As you develop data processing measures, those measures should incorporate ways to facilitate data subjects’ rights to access, port, and erase their data.
- Paper Trails Are Happy Trails:
The GDPR regularly cites the importance of demonstrating compliance measures, so you should build ways to demonstrate compliance into the entire lifespan of your data usage. For instance, you should be able to demonstrate with sufficient documentation (1) that you have individuals’ specific and informed consent, (2) that you have provided notice of individuals’ rights, (3) that data transfers (to countries outside the E.U.) are permissible under the regulation, and (4) that you have employed privacy-by-design measures.
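The two preceding points, data protection by design (per-purpose consent, pseudonymisation, retention limits, access/portability/erasure) and a documented trail that shows what was consented to and when, are easiest to see in code. The following is an added illustration written for this page, not code from the article's authors or from any regulator; the purpose names, the retention period, the pseudonymisation key, and the rule that an unrefreshed consent lapses after the retention period are all assumptions chosen for the example.

```python
"""Minimal consent register illustrating GDPR design principles.

Added example, not part of the original article. All values below
(purposes, retention period, key) are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed: one consent per purpose, never a bundled "I agree to everything".
PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}

# Constructed key. In a real deployment it lives outside the record store so
# that whoever holds the records cannot reverse the pseudonyms on their own.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymise(email: str) -> str:
    """Keyed hash of the identifier: records carry a stable pseudonym, not the raw e-mail."""
    digest = hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


class ConsentRegister:
    """Stores consent events per pseudonymised subject and per purpose."""

    def __init__(self, retention_days: int = 365):
        # Assumption for this example: a consent not refreshed within the
        # retention period is treated as lapsed, and subjects with no event
        # inside the period are purged entirely.
        self.retention = timedelta(days=retention_days)
        self.records: dict[str, list[dict]] = {}

    def record_consent(self, email, purpose, granted, notice_version, at=None) -> dict:
        """Append one event: what was consented to, under which notice text, and when."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        at = at or datetime.now(timezone.utc)
        event = {
            "purpose": purpose,
            "granted": bool(granted),
            "notice_version": notice_version,  # which privacy notice the subject saw
            "at": at.isoformat(),
        }
        self.records.setdefault(pseudonymise(email), []).append(event)
        return event

    def has_consent(self, email, purpose, now=None) -> bool:
        """The latest event for the purpose decides; no event, a withdrawal, or a stale grant means no."""
        now = now or datetime.now(timezone.utc)
        events = [e for e in self.records.get(pseudonymise(email), []) if e["purpose"] == purpose]
        if not events or not events[-1]["granted"]:
            return False
        age = now - datetime.fromisoformat(events[-1]["at"])
        return age <= self.retention

    def export_for_subject(self, email) -> str:
        """Right of access / portability: a machine-readable copy of everything held."""
        return json.dumps(self.records.get(pseudonymise(email), []), indent=2)

    def erase(self, email) -> int:
        """Right to erasure: remove every event for the subject, return how many were removed."""
        return len(self.records.pop(pseudonymise(email), []))

    def purge_expired(self, now=None) -> int:
        """Retention: drop subjects with no event inside the retention window; return count purged."""
        now = now or datetime.now(timezone.utc)
        stale = [
            p for p, events in self.records.items()
            if all(now - datetime.fromisoformat(e["at"]) > self.retention for e in events)
        ]
        for p in stale:
            del self.records[p]
        return len(stale)
```

Each event records the notice version the subject actually saw, which is what a documented paper trail needs to show later; the export and erase methods exist so the rights discussed above are a function call rather than an afterthought.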
Battle command on the move (BCOTM). It is important to keep in mind that the GDPR is an expansive and tedious undertaking that will have issues in implementation and enforcement. Just as with a new product rollout, when the GDPR takes effect, inevitably there will be stops and starts and unforeseen complications; there will be both legal and logistical challenges. You will want to keep up to date on the latest developments (we’ll be on it). But if you think strategically, and develop an approach to data processing that focuses on the rights of the individual, you can brave the regulatory onslaught. And developing data processing tools that adhere to GDPR principles could give you a competitive advantage down the road.
The GDPR uses the term “data subject,” but that’s a bit of a misnomer, as the regulation treats the individual whose data is at issue as the owner.