Does Your Company Need to Comply with GDPR?
Think you don't need to comply with the European Union General Data Protection Regulation (GDPR) now in effect? Think again. The GDPR's territorial scope is extremely broad and can seriously impact U.S. businesses. Under the rules that went into effect on May 25, 2018, a U.S. company with no office in the E.U. must still comply if it processes personal data of individuals located in the E.U. in connection with offering them goods or services (even for free) or monitoring their behavior, for example by tracking website visitors. Note that the test is where the individual is located, not citizenship: a single E.U.-based customer or user can be enough. The GDPR also applies to any company that has an establishment in the E.U. These are all examples of whom the GDPR may apply to, but determining whether the GDPR applies is only the first step in compliance.
So, What Does Compliance Mean?
Those who must comply with GDPR face a long list of requirements. The legislation itself is complex and comprehensive. It is highly probable that new privacy policies and consent forms will need to be created. You may need to analyze what data you are collecting and how you are using, or plan to use, such data by creating a data map. You also need to contact an attorney to ensure your organization is in compliance with the GDPR. Here are some of the particulars a lawyer is likely to discuss with you.
- Consent Required. Consent is one of several lawful bases for processing, but where you rely on it, it must be specific, informed, unambiguous, and freely given, and it must be explicit for sensitive ("special category") data such as health, biometric, or political information. For online services offered directly to children under the age of 16 (member states may lower this to as young as 13), consent must be given or authorized by a parent or guardian. Consent must be separate for each distinct purpose; pre-ticked boxes, silence, and blanket consents are not valid. All consent must be documented and tracked for compliance purposes, and a person has the right to withdraw consent at any time, as easily as it was given.
- Limited Collection Rights. Companies are allowed only to collect the minimum data necessary and should not retain personal data once the purpose for collection of the data is complete. This may require reviewing and adjusting your current data retention policies.
- Rights of the Person Whose Data is Collected. A person whose data is collected has the right to ask the company what information it holds about them and what the company intends to do (and has done) with this data. The company must generally respond to these requests within one month of receipt, extendable by up to two further months for complex or numerous requests provided the person is told of the delay. Each person whose personal data is held by a company also has the right to ask for correction or deletion of his or her data, and in some cases to receive a copy in a portable, machine-readable format.
- Data Breach. Each company must document every personal data breach in a breach register, and, unless the breach is unlikely to result in a risk to individuals, the supervisory authority must be notified within 72 hours after the company becomes aware of it. Where the breach is likely to result in a high risk to individuals, the company must also communicate it to the affected data subjects without undue delay. You should review your data breach response plan to ensure it is up-to-date and that it can meet the 72-hour clock.
- Significant Requirements to Protect Data. Companies must implement appropriate technical and organizational measures to protect personal data, such as encryption, pseudonymization, access controls, and the ability to restore data after an incident. Moreover, a Data Protection Impact Assessment must be conducted before starting any processing that is likely to result in a high risk to individuals, including when a significant change is introduced in how personal data is processed.
- Third Party Vendor Errors Don’t Decrease Responsibility. Any company that collects personal data has the responsibility to ensure that the GDPR requirements are met by any third party vendor it uses to process the data. This may involve amending your contracts or entering into a separate addendum with such vendors.
- Data Protection Officer. A company must appoint a Data Protection Officer if its core activities involve large-scale, regular, and systematic monitoring of individuals or large-scale processing of sensitive data (public authorities must always appoint one). The Data Protection Officer must have expert knowledge of data protection law and practice and must report to the highest level of management. Protections must also be put in place to ensure that there are no conflicts of interest, so the role should not be held by someone who also decides how personal data is processed.
- Employee Training. Companies are required to conduct regular trainings to ensure that employees understand their responsibilities with regard to the protection of personal data and are better able to promptly identify personal data breaches.
The fines for breaching GDPR can be significant, particularly for a larger company. Under the law, supervisory authorities in the E.U. have the power to levy fines of up to 20 million euros (about $23.4 million) or 4 percent of the company's total worldwide annual turnover for the preceding year, whichever is higher, for the most serious violations; a lower tier of up to 10 million euros or 2 percent applies to others. That said, fines are determined on a case-by-case basis and must be effective, proportionate, and dissuasive.
Fines are only part of the risk. In cases of breach, persons whose data have been breached have the right to claim compensation from the company. Moreover, the public relations risk of breaching GDPR or any privacy obligations is often the most significant penalty of all. Compliance with GDPR should therefore not be overlooked.