The European Union’s new General Data Protection Regulation (“GDPR”) protects the online data of European citizens. It enacts a strict set of requirements, imposes severe penalties, and becomes effective May 25, 2018.
GDPR applies to all businesses handling personal data of individuals in the EU — even when no transaction takes place and regardless of whether a business is physically located in Europe.
Example: A U.S. hotel that has guests visiting from Europe will process their personal data through the booking system, and then before arrival, during the stay, and after departure (probably retaining their email address for future promotions)… It is therefore subject to GDPR.
Example: A cloud-based company collects name and email address from users for demo of its product, or delivery of white papers, newsletters or other online marketing. Some of these users are EU citizens… It is subject to GDPR.
In other words, if your business offers services or goods to persons in the EU, or profiles persons in the EU, it is subject to the GDPR. Businesses with customers or vendors in EU-member nations need to ensure “personal data” is protected and offer ways for people to opt out of having their information collected.
What is “personal data”?
Examples of personal data include:
- a name and surname;
- a home address;
- an email address such as email@example.com;
- an identification card number;
- location data;
- an Internet Protocol (IP) address;
- a cookie ID.
The following personal data is considered “sensitive” and is subject to specific, restrictive processing conditions:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data;
- health-related data;
- data concerning a person’s sex life or sexual orientation.
Requirements for obtaining valid consent from individuals are stricter under the GDPR than current US privacy laws. Companies that rely on consent as the legal basis for a processing activity need to ensure that the consent meets the requirements of the GDPR. This includes how the consent is requested, obtained, recorded, tracked, and amended. The GDPR requires that every request for data to be clear in:
- what data is requested;
- why the data is needed;
- how the data will be used;
- a simple but clear way for persons to actively and freely consent to their data being used;
- parental consent for children’s data (under the age of 16) will be required;
- consumers must have the ability to change their mind and request their data be deleted.
Rights of Data Subjects
Companies must be able to provide Europeans with a copy of their personal data upon request. When someone requests access to their personal data, the company must:
- confirm whether or not it is processing personal data concerning them;
- provide a copy of the personal data it holds about them;
- provide information about the processing (such as purposes, categories of personal data, recipients, etc.)
Privacy by Design and Data Protection by Default
The GDPR requires that technical and organizational measures are in place to ensure the integrity and confidentiality of personal data, and to ensure that personal data is processed only when necessary to achieve a specific purpose.
Data Breach Notification
The GDPR has stricter requirements around recording information about data breaches that occur. Some data breaches will need to be reported to the regulatory authorities within 72 hours of detection.
Action Plan for GDPR Readiness
The GDPR sets the bar high compared to U.S. regulations governing the collection, use, and protection of personal data. While many companies will be required to fall in line with the requirements set forth in the regulation, others should consider it as a best practice for protecting personal data.
Identify and take inventory of the data you collect, what its used for, and its movement across the enterprise. Are data being collected or stored that are not actively used for any purpose? Have you identified the specific purpose for which each data point is being used?
Create policies and procedures
Implement or revise privacy and security policies and procedures in your company to address the GDPR requirements.
Renew Consent from EU Users
Obtain positive consent from all new users, which meets the requirements of GDPR. Obtain new consent from EU users for any personal data that is currently held by the company.
Need help preparing for compliance with GDPR? Contact us.