Like many US businesses, you are probably already struggling to understand and satisfy a variety of state and federal privacy and data protection laws. Rather than adopt a single broad privacy law that applies to all industries and data types, the US has historically taken a sectoral approach to privacy, implementing laws that focus on particularly sensitive data types (such as health or financial information) and particularly vulnerable groups of users (such as children).
As a result, the US has many different privacy laws. Adding another law to wade through, particularly one as formidable as the GDPR, may not be appealing. But even though the GDPR is designed to protect individuals located in the European Union (EU), US businesses need to pay attention too.
Remind Me Again: What Is the GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets standards for the collection, storage, and processing of the personal data of individuals in the EU. It became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive. It has far-reaching implications for how companies handle consumer privacy and gives people new rights to access and control their data.
The GDPR applies to a broad array of personal data, including obvious items like a person’s name, email address, and phone number, but also less obvious information such as a customer ID, a cookie identifier, or an IP address. It requires that companies clearly explain how they collect, use, and store people’s information and that they have a lawful basis for each processing activity. Consent is one such basis, but only one of the six listed in Article 6, and where it is relied on it must be freely given, specific, informed, and as easy to withdraw as it was to give. The GDPR also gives people the right to access and correct their data, to ask companies to delete it, and to object to its use for certain purposes such as direct marketing.
The penalties for failing to comply with the GDPR can be severe. Companies found to violate the GDPR can face eye-watering fines. The maximum fine for the most serious violations is 20 million euros or four percent of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of 10 million euros or two percent applies to breaches of obligations such as record-keeping, security, and breach notification.
What If My Business Isn’t Based in the EU?
Organizations don’t have to be based in the EU to be bound by the GDPR. Under Article 3(2), it applies to companies outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behavior of those individuals while they are in the EU, for instance by using cookies or similar tracking technologies. Thus, if you market to, sell to, or track the online activity of people located in an EU country, your company is subject to the requirements of the GDPR even though it has no EU office, and the same analysis applies to the personal data you hold about your own employees located in the EU, not just your customers.
So What Do I Need to Know About The GDPR?
Given the breadth of the GDPR’s requirements, it would be difficult to cover everything in a single blog post. Fortunately, we plan to return to this issue repeatedly to discuss individual topics and break down core compliance obligations into specific actionable steps. For now, there are four key points to keep in mind:
As burdensome as it may be, launching a GDPR compliance effort will help you get your company’s privacy and security affairs in order.
While there is no one-size-fits-all GDPR compliance strategy, at a minimum, preparing for GDPR compliance will require that you determine:
(i) what “personal data” your business collects and stores;
(ii) what you do with that data;
(iii) whether your current use of the data would be considered lawful under the GDPR (that is, which Article 6 basis supports each use); and
(iv) what policies, procedures, and plans your company already has in place.
There are many ancillary benefits to undertaking this exercise. By inventorying and mapping your data holdings you will develop a solid understanding of the array of personal data you are responsible for safeguarding, and the same inventory is the raw material for the records of processing activities that Article 30 requires many organizations to maintain. Updating your privacy notices to comply with the GDPR’s enhanced transparency requirements will force you to review your public-facing privacy policies and other online notices to ensure they are up-to-date and accurate. Benchmarking your existing policies against the GDPR will help you identify gaps and inconsistencies in your current approach. And adopting privacy-by-design techniques (what Article 25 calls data protection by design and by default) that integrate privacy and security into your business in the early stages of product development will protect you from costly problems after you have gone to market.
Anonymization and pseudonymization can significantly reduce GDPR compliance burdens.
The GDPR relaxes many of its most burdensome provisions when steps are taken to de-identify personal data, but the two techniques it recognizes are treated very differently. Data that has been truly anonymized, so that the individual can no longer be identified by anyone, is not personal data at all and falls outside the regulation entirely (Recital 26). Pseudonymized data, where the identifying fields have been replaced by a key or token that is held separately, is still personal data, but the GDPR rewards the practice. Article 34(3)(a) excuses notifying individuals of a breach where the compromised data had been rendered unintelligible to unauthorized persons, for example through encryption with the keys kept out of the attacker’s reach. Article 6(4)(e) lists pseudonymization among the safeguards that weigh in favor of treating a new use of the data as compatible with the purpose for which it was originally collected. And Article 11 provides that a company which can no longer identify the individuals in a data set is not obliged to collect extra information just to be able to service their requests. This last point matters because data subject access requests (DSARs) present one of the greatest risks under the GDPR. Failing to respond accurately, or within the one-month deadline set by Article 12, can result in regulatory or judicial enforcement actions or a class-action style complaint from a consumer organization. By limiting the amount of responsive information about identifiable individuals, anonymization and pseudonymization reduce this risk. One practical caveat: a pseudonymization scheme is only as strong as the separation between the data and the key, so store the mapping table or hashing key under separate access controls and keep it out of any system that the pseudonymized data set itself is shared with.
Nonprofit organizations can enforce the GDPR on behalf of consumers and typically these organizations have greater resources to fund a legal action than individuals do.
In addition to enforcement by EU regulators, individuals have a “right to an effective judicial remedy” against a controller or processor (Article 79), including compensation for material or non-material damage (Article 82). Under Article 80, a nonprofit body active in the field of data protection may exercise these rights on individuals’ behalf. Thus, US businesses should be aware that privacy and consumer organizations are likely on the lookout for indications of basic failures to comply with the GDPR. It is reasonable to expect that these organizations are actively reviewing companies’ public notices and may submit DSARs to “test” compliance. Preparation is key to avoiding becoming an early target for this class-action style form of litigation, particularly because courts will be considering many of these issues for the first time and early judicial outcomes are hard to predict.
While the GDPR is an important privacy law, it is not the only one.
Companies should be careful not to assume that complying with the GDPR means they have met all of their privacy and security obligations around the globe. Implementing a GDPR compliance strategy will undoubtedly strengthen any privacy and security program, but different jurisdictions have different laws, and their requirements can vary in substantial ways. Always review the laws and regulations relevant to where you operate and to whose data you hold, and be prepared for further developments in the privacy landscape.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.