A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?
GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large-part correct. But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further.
GDPR, the General Data Protection Regulation, is an extensive and broad-reaching regulation issued by the European Union dealing with how companies (including U.S. companies) process the data of people living in the E.U. It replaces the E.U. Data Protection Directive and is slated to take effect May 25, 2018.
Companies that fall under the regulation’s requirements need to ensure (1) individuals’ data they are processing is secure in their hands, (2) that they have individuals’ consent to process it (or have an enumerated reason they don’t need consent), and (3) that they will keep individuals notified of individuals’ rights and developments surrounding the use of their data.
If you are a U.S.-based company, with little European presence, you may slough off the idea of getting into GDPR compliance. You may have analyzed the GDPR’s predecessor (the Data Protection Directive), decided that it didn’t implicate you, and assume the GDPR won’t implicate you either. Or you may have relied upon the Safe Harbor and assume you can continue to operate under that. Don’t draw assumptions. Don’t ignore the regulation. If you do, and you are ultimately found to have violated it, you could face some hefty penalties. Under the GDPR, there are two sets of thresholds for administrative fines:
- Up to €10million (almost US$ 12million) or up to 2% of global revenue, whichever is higher, for certain violations, including failure to implement data protection by design, failure to maintain written records, to report breaches when required; and
- Up to €20million (almost US$ 24million) or up to 4% of global revenue, whichever is higher, for other violations, including failure to adhere to basic processing principals such as consent, notification of individuals’ rights, and international transfers.
These fines are meant to catch attention. Hopefully, they caught yours. They may inspire you to do a double take to see whether or not your business will be subject to the GDPR. The GDPR has a broader reach than the earlier Data Protection Directive. Moreover, the Safe Harbor is no longer valid. It has been replaced by a “Privacy Shield” regime – which applies to data that companies transfer from the E.U. to the U.S. But even the Privacy Shield is on shaky ground and it may not be enough to shield companies (so to speak) from liability for GDPR violations. GDPR is broader, covering information on E.U. residents even if the data is not transferred across borders – and instituting stricter measures in terms of how data should be handled.
Here are some questions you should ask to help you determine whether you need to prepare for the GDPR:
- Do you have an E.U. office, or even a company representative who operates out of Europe?
If you have any real and effective European activity through stable arrangements (terms in italics represent terms used by E.U. courts to define implicated businesses), then you will be subject to the GDPR even if you do not process personal data in the E.U. So long as the data processed in the context of the European activities, the GDPR applies.
- Are you outside of the E.U., but process data about E.U.-based individuals in connection with offering goods or services?
It does not matter whether or not there is any payment involved in the offer. Your offers can be free of charge and you are still implicated by the rule. So long as your company anticipates activity directed at E.U. individuals (e.g., you suggest items in E.U. currency or pay a search engine to increase access to E.U.-based people), you are implicated.
- Are you outside of the E.U., but monitor the behavior of individuals in the E.U.?
If you track E.U.-based individuals online to create profiles, or to analyze or predict preferences, you are implicated.
The long and short is that, if you touch Europe, directly or remotely, in your operations and you process data that incorporates E.U. individuals, you should spend time assessing GDPR compliance.
- Review your E.U.-focused actual or directed information
- Review the type of information you collect/use
- Review the types of consent obtained and notifications on data usage provided
- Review your service contracts to determine your company’s role in data processing and follow-on companies’ roles in data processing
 We will treat the E.U.’s ability to enforce these penalties in a later post, but assume they will be able to reach your assets.