Before May 25th:
- Make sure all your users have opted in to your possessing their data
- Make sure all of your users can download and delete their data on demand
Many small and mid-sized U.S.-based businesses without a physical presence in Europe may be surprised to learn that they may be subject to sweeping new European Union data protection regulations set to take effect later this month.
But the General Data Protection Regulation (“GDPR”) has a far-reaching scope that is specifically intended to apply to any enterprise that processes the Personal Data of individuals in the EU. The GDPR applies not only to EU-based businesses, but also to any business that processes Personal Data of any identified or identifiable person who is in the EU (called a “data subject”), regardless of where the processor of the information is located, where that processing relates to offering goods or services to those individuals or to monitoring their behavior within the EU.
It is important for U.S.-based businesses to determine whether they are subject to the GDPR, as the penalties for noncompliance may be crippling – administrative fines for certain violations can be as high as €20,000,000 or 4% of worldwide revenue in the preceding year, whichever is higher.
Does the GDPR apply to your business?
- If you collect, record, organize, store, adapt, or disseminate Personal Data, and you envision that you have users in the EU, the GDPR probably applies to your business
- “Personal Data” means any information relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier such as a username, or other characteristics specific to that person
The GDPR regulates both those who determine the purposes and means of the processing of Personal Data (called “Controllers”) and those who process Personal Data on behalf of a Controller (called “Processors”). Because of the broad definitions of both Processing and Personal Data, the scope of the GDPR is likewise very broad and very different from any regulation to which U.S.-based businesses are accustomed. The territorial scope provisions make the GDPR even farther-reaching. Keep in mind that this is an evolving issue with some uncertainty as to how the regulation will affect businesses in the United States. We will be monitoring these effects closely.
The fact that goods and services are generally available to EU residents (such as via a website) does not by itself qualify as offering goods or services to them. It must be apparent that the provision of goods and services to those in the EU is envisioned by the Controller; factors such as accepting payment in euros, offering the site in an EU language, or mentioning EU customers point toward that intent.
The GDPR applies. What now?
If you believe that the GDPR might apply to your online presence, you should immediately ascertain and analyze the sources and types of Personal Data you process; the purpose for processing it; and the methods by which this data is collected, stored, used, and shared. You should undertake this evaluation through the prism of your users:
- Have they opted in to your possession of their data in a way that is clear and unambiguous?
- Can they easily download their data?
- Can you easily delete their data upon their request?
This may require a thorough audit involving many divisions or departments. Only after your data collection operations are fully understood and accounted for can you determine your business’ obligations under the GDPR.
While the GDPR is a complex, sweeping set of regulations that is far too detailed to fully discuss in this context, some of the key inquiries you should make include:
- Determine whether you process certain highly sensitive categories of data which have a higher regulatory burden. Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, Personal Data concerning health or an individual’s sex life or sexual orientation, and Personal Data relating to criminal convictions and offenses are subject to special protections under the GDPR. These categories of data may not be processed unless specified exceptions apply.
- Determine whether you have a “lawful” basis for processing any Personal Data, including:
- The data subject has given consent to the processing for a specific purpose or purposes
- The processing is necessary for the performance of a contract to which the data subject is a party
- The processing is necessary to comply with a legal obligation
- The processing is necessary to protect the vital interests of the data subject or another individual
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority
- The processing is necessary for the purposes of legitimate interests, unless overridden by the interests or fundamental rights and freedoms of the data subject
- Determine whether you have adequately obtained your users’ consent for possessing or controlling their Personal Data. While consent may be a common basis for collecting Personal Data, the GDPR contains very specific requirements for obtaining consent. The consent must be freely given, specific, informed, and clear and unambiguous. The request for consent must be clearly distinguishable from other matters contained in the same writing; intelligible; and written in clear, plain, easily accessible language. The data subject must be informed of his or her right to withdraw consent at any time, and it must be made easy to withdraw consent. Businesses should review their methods of obtaining consent (and providing for withdrawal of consent) and revise them accordingly.
- Determine whether you have adequately accommodated the rights of your users whose Personal Data you possess or control, including giving your users:
- The right to access and receive a copy of his or her Personal Data being processed and to be told the purposes of the processing, the recipients or categories of recipients of the data, and the expected period during which the data will be stored
- The right to have his or her inaccurate Personal Data corrected and incomplete Personal Data completed
- The right to require the erasure of his or her Personal Data without undue delay (also called the “right to be forgotten”), which applies under certain conditions (such as if the data subject withdraws consent or the Personal Data is no longer necessary for the purposes for which it was collected)
- The right to require the Controller to restrict processing under certain conditions
- The right, under certain conditions, to receive his or her Personal Data in a structured, commonly used and machine readable format and to transmit the data to another Controller
- The right, on certain grounds, to object to the processing of Personal Data concerning him or her
- Determine whether you have provided your users with certain information listed in the regulation, including:
- The identity and the contact details of the Controller
- The purposes and legal basis of the data processing
- The recipients or categories of recipients of the Personal Data, if any
- The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period
- The existence of the right to request from the Controller access to and correction or erasure of Personal Data or restriction of processing or to object to processing, as well as the right to data portability; and the right to lodge a complaint with a supervisory authority
- Determine whether you are keeping your users’ Personal Data sufficiently secure. The GDPR requires that Controllers and Processors protect data through appropriate organizational and technical measures that ensure a level of security appropriate to the risk involved. The regulation names pseudonymization and encryption of Personal Data as examples of such measures. These measures should ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services; the ability to restore access to the data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
- Determine whether third parties you use for data storage and processing are GDPR compliant. The GDPR requires that a Controller engage only Processors that provide sufficient guarantees of compliance, and that the relationship be governed by a written contract setting out the subject matter, duration, nature and purpose of the processing and the Processor’s obligations; a vendor’s own assurance of compliance is not a substitute for that contract.
This article does not by any means outline all of the obligations of enterprises subject to the GDPR. Each entity subject to the GDPR should thoroughly review the regulation as it applies to its specific circumstances. For example, a Controller or Processor outside the EU is required to designate a representative in the EU unless its processing is only occasional, does not involve large-scale processing of the highly sensitive categories of data described above, and is unlikely to result in a risk to the rights and freedoms of individuals. Other applicable obligations may include recordkeeping, the designation of a data protection officer and obligations regarding transfer of Personal Data outside the EU, in addition to many others. The GDPR’s notice requirements following a breach are also stringent: a Controller generally must notify the supervisory authority within 72 hours of becoming aware of a breach, and must notify affected data subjects without undue delay when the breach is likely to result in a high risk to them. These requirements should be reviewed, and an incident response plan put in place, before a breach occurs.