There’s a new European data privacy regulation coming into full effect in May 2018 called the General Data Protection Regulation (GDPR) – will your organization be ready? The GDPR is designed to establish a single set of rules for data protection across Europe, replacing the patchwork of national data protection laws that were enacted in the 28 European Union member states under the EU Data Protection Directive. It is important to learn about this regulation now and to start preparing in advance to comply with it, for two key reasons:
- First, the GDPR requires organizations doing business with EU residents to take proactive steps to establish and document data privacy compliance measures, and to specifically address data privacy compliance issues when designing products, services, and information technology systems.
- Second, the new regulation includes a significant increase in fines and penalties for non-compliance, up to 20 million Euros or 4% of an organization’s total worldwide annual turnover, whichever is higher.
Under the GDPR, it will be risky to ignore data privacy compliance until there is a problem or complaint. Organizations that do not have a well thought out and documented plan to demonstrate active compliance with European data protection rules will be out of compliance with the GDPR on day one. This article outlines the most significant changes coming to EU data protection compliance with the GDPR, and lists the steps you should take to prepare your organization for this new compliance challenge.
Here are the key changes that the GDPR will bring to the EU data privacy compliance landscape:
- Broader scope: Organizations not established in the EU will be subject to the GDPR if they process personal data of data subjects who are in the EU in connection with offering them goods or services (whether or not payment is required), or if they monitor the behavior of data subjects within the EU. This will likely catch any company that offers goods or services to people in the EU, or that profiles the online behavior of EU users.
- Stiff sanctions: Fines for non-compliance with the GDPR will increase substantially, up to 20 million Euros or up to 4% of an organization’s total worldwide turnover for the preceding financial year, whichever is higher.
- Documented compliance program required: Controllers must maintain data privacy compliance policies and procedures, incorporating a risk-based approach and designing data protection safeguards into products, services, and information technology systems from the beginning. This documentation must be made available to the supervisory authority on request, and will be scrutinized in the event of a complaint or data breach.
- Data breach notification requirement: For the first time, the GDPR establishes an EU-wide requirement to notify personal data breaches, both to the supervisory authority (within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals) and to affected individuals (without undue delay, where the breach is likely to result in a high risk to them). Organizations must document every data breach, including the facts, its effects, and the remediation taken, even where notification was not required.
- Single supervisory authority: Controllers and processors will be regulated by the supervisory authority in the country in which their main EU establishment is located, although the GDPR allows for cooperation with authorities in other affected countries.
- Private legal claims: The GDPR makes it easier for individuals to bring private claims against data controllers and processors, via consumer protection bodies, data protection authorities, or judicial remedies.
- New “sensitive” data categories: The GDPR adds two new categories of “sensitive” data subject to special protection under EU data privacy rules – genetic data, and biometric data processed to uniquely identify a person. Since processing of these types of data is prohibited unless specific requirements are met, organizations processing genetic or biometric data should be particularly careful to follow GDPR requirements.
- Obligations added for data processors: Data processors are now expressly subject to specific compliance obligations and are subject to sanctions under the GDPR in their own right, in addition to being subject to compliance requirements imposed in contracts with data controllers.
- Enhanced requirements for consent: Consent for processing of personal data must be “freely given, specific, informed and unambiguous,” and must be separated from other terms & conditions. It must be as easy to withdraw consent as it is to give it, and different types of data uses require separate consents.
- Requirement to appoint Data Protection Officer: Public authorities and bodies are required to appoint a DPO, as are controllers or processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of sensitive data categories or data relating to criminal convictions and offenses.
What do I need to do to comply?
If your organization does business in Europe, here are the steps to take in the coming months to be ready to comply with the GDPR when it begins to apply in May 2018:
- Form a dedicated team to work on and coordinate data privacy compliance activities, including representatives from key departments (e.g., Sales, Marketing, Legal, IT, EU affiliate entities) — if your organization does not already have a data privacy compliance program in place, this effort will require adequate staffing and resources;
- Map current data collection and use globally; identify current data privacy compliance measures applicable to your data flows;
- Perform a gap analysis to assess current compliance processes against GDPR requirements, document and implement GDPR compliance plan and train key employees;
- Review contracts relating to data processing activities and re-negotiate higher risk contracts to add GDPR compliance requirements, implement process to include such requirements in future contracts;
- Document data protection compliance processes and procedures in detail so that you will be able to clearly demonstrate your program in the event of an issue or inquiry from a data protection authority; and
- Implement a documented data breach response procedure, train employees on it, and appoint external advisors to assist in the event of a breach. Don’t wait for an incident to occur – if you wait, you may be unable to meet the 72-hour breach notification deadline, which runs from the moment your organization becomes aware of the breach.
If your organization needs help preparing compliance processes or documentation to meet GDPR requirements, or has questions about other data privacy compliance issues, contact the author at firstname.lastname@example.org.
Lori Manca is a Washington, DC based corporate compliance consultant, helping clients develop compliance programs and resolve compliance questions and issues. For additional information about the Privacy Shield and EU data privacy requirements, or for assistance with other compliance matters, please contact Lori directly at email@example.com. Linked-in Article
The post above reflects the opinions of the author but does not constitute legal advice. Persons seeking legal advice should consult the attorney of their choice.