by Robert J. Scott and Stephen F. Pinson
What is GDPR?
The General Data Protection Regulation (GDPR) becomes effective on May 25, 2018 and should give all in-house counsel and law firms cause for concern. GDPR is the most sweeping privacy regulation to hit the global market since the 1995 EU Data Protection Directive. It requires businesses to protect the personal data and privacy of individuals in the EU (EU data subjects). The new legislation introduces tough new fines for non-compliance and gives individuals a range of rights over how their data may be used (“processed”) by companies whose business involves EU data subjects. The regulation also reaches US businesses through its extraterritorial scope.
Why Was GDPR Enacted?
GDPR was drafted to give European residents more control over how their personal data is used and exploited, notably by large US companies such as Facebook and Google. These companies transfer data from locations all over the world, aggregating it for their internal business purposes and using it for advertising and tracking, among other things. But cross-border data transfers are not limited to large internet companies. In an increasingly global economy, more and more companies operate on every continent. GDPR seeks to address this use of data and to set up a cohesive data protection regime throughout the EU and for those doing business with it.
Who Should be Preparing for GDPR?
Any business that processes personal data (PD) of EU data subjects is subject to GDPR, regardless of where the processing takes place. This includes EU-domiciled businesses and non-EU businesses (e.g., US companies) that offer goods or services to individuals in the EU or monitor their behaviour. Additionally, companies are subject to the regulation regardless of whether they receive a fee or other compensation for the services they provide or the activity in which they participate. See GDPR Art. 1-3.
Why Should In-House Counsel and Law Firms be Concerned?
The fines for non-compliance can be as much as 20 million euros or 4 percent of annual worldwide turnover, whichever is higher. See Art. 83-84.
GDPR defines anyone processing PD as either a “controller” (who determines the purposes and means of processing) or a “processor” (who processes PD on the controller’s behalf), each with its own set of obligations. See Art. 4. Every business affected by the regulation must understand which definition applies to it, and many will find that they act as both, depending on the data set.
Further, GDPR articulates fundamental privacy rights. The data subject has a right to control how his or her data is used, which requires a controller to have a lawful basis for each processing activity and for any transfer inside or outside the EU; consent is the most visible of those bases but not the only one. See Art. 6 and Art. 12-22. Several rights may become cumbersome for controllers and processors to manage, such as the right to the deletion or erasure of records, commonly known as “the right to be forgotten”. See Art. 17. Another is the right to restriction of processing, which is an individual’s right to limit the way his or her data is processed. See Art. 18. Tracking requests and responses related to these rights across every system that holds a copy of the data may become cumbersome and time intensive for businesses.
Additionally, GDPR creates a legal requirement that controllers and processors enter into contracts that set out the processor’s obligations and bind it to process PD only on the controller’s documented instructions. See Art. 28. Controllers and processors must also have technical and organisational safeguards in place and be able to demonstrate how the data is being processed. See Art. 5-6; the security measures themselves are set out in Art. 32.
How Prepared Are We?
For many impacted companies, GDPR preparations are still underway. Many businesses are still seeking guidance on compliance, and some companies may not fully implement a compliance plan until well into 2018. Delaying preparation is a mistake.
A recent study from Trend Micro, Inc., a cybersecurity vendor, found that C-suite executives are not approaching the regulation with the seriousness required. Trend Micro found that 95 percent of business leaders know they need to comply with the regulation. However, Trend Micro predicts that by May 25, 2018, fewer than 50 percent of businesses will be in full compliance with GDPR requirements.
The survey also found that many C-suite executives do not recognise common business records as personal data: 64 percent were unaware that a customer’s date of birth is PD, 42 percent were unaware that an email marketing database is PD, 32 percent were unaware that a physical address is PD, and 21 percent were unaware that a customer email list is PD.
These results indicate that businesses are not prepared. Moreover, this same PD provides attackers with all they need to commit identity theft, so a business that fails to protect it faces both a breach and a fine.
In the coming months, engaging legal counsel with expertise in privacy and security matters, including GDPR, will be key for US companies to meet their legal compliance obligations.
Robert J. Scott is the managing partner at Scott & Scott, LLP and can be reached at email@example.com. Stephen F. Pinson is an associate at the firm, and can be reached at firstname.lastname@example.org.