May 25, 2018 is GDPR Day: the deadline to comply with the European Union’s sweeping privacy and data protection law, the General Data Protection Regulation. The intent of the GDPR is to protect the data privacy of individuals in the EU and to create consistent practices for the movement of personal data. In practice, what does the GDPR mean for companies in the United States? This Alert explains why companies in the United States should care about the GDPR, and offers five tips toward GDPR compliance.
The GDPR applies to companies in the United States.
The GDPR has a very broad reach that is not confined to the borders of the EU. The GDPR applies to any person or organization that collects or processes (meaning uses, moves or even stores) personal data of individuals located in the European Union, regardless of where the organization is established or where the processing takes place. For instance, if a United States company collects or processes personal data while selling goods or services to people in the EU via a website directed toward the EU, the GDPR applies. Likewise, if a United States company simply processes personal data on behalf of another company that sells goods or services to people in the EU, the GDPR applies. The definition of “personal data” is equally broad. It means any information relating to an identified or identifiable natural person, including simply someone’s name. Essentially, the only type of information that is not personal data under the GDPR is data that is anonymous, data that relates to companies or legal entities (non-natural persons), and data relating to people who are deceased.
The GDPR is significantly different from United States privacy law. For that reason, even companies who comply with existing privacy law regulations in the United States (such as the Gramm-Leach-Bliley Act for financial institutions and the Health Insurance Portability and Accountability Act (“HIPAA”) for health care providers) will be required to take additional steps to achieve GDPR compliance.
Five steps toward GDPR compliance.
Compliance with the GDPR is a process, not a fait accompli. In a recent study conducted by IBM, only 36% of executives say their companies will be fully compliant by May 25, 2018. Organizations can assess their readiness with a “gap analysis” that compares their current privacy and data security practices to the “goal state” of GDPR compliance. The gap analysis results in recommendations that can be implemented based on budget and organizational priorities. Frequently, addressing 20% of the recommendations can result in 80% compliance, and the remaining recommendations can be addressed on a longer-term basis. Here are some common steps that can result in significant progress toward GDPR compliance:
- Know Thy Data: The GDPR requires most organizations to maintain records describing the categories of personal data they collect and the lawful basis for processing it; the third parties to whom the personal data has been disclosed; whether personal data has been transferred internationally; and the anticipated time limits for storing the data. Getting control over an organization’s data and processes can seem daunting, but it is a critical first step and creates a useful organizational resource.
- Update Your Privacy Notice: Privacy notices tell customers, regulators and other stakeholders what personal data the organization collects, what the organization does with the data, how long it keeps the data, and who to contact for complaints. The GDPR requires that privacy notices contain certain specific information, and these requirements are in addition to any privacy notice requirements imposed by state law, such as California’s Online Privacy Protection Act (“CalOPPA”) (Cal. Bus & Prof Code §§22572-22579). Also, organizations must do the things the privacy notices say they do. If the privacy notice states that the organization disposes of data after a set length of time, the data should be securely destroyed at the end of that period, not stored indefinitely (assuming no legal holds or regulatory requirements apply).
- Prepare for Requests from Data Subjects: The GDPR gives individuals many rights to access and control their personal data, such as the right to know whether a company has collected personal data about them, to obtain a copy of their personal data, to correct inaccurate data, to know whether their data has been shared with third parties, and to have their data “erased.” Organizations must respond to these requests within 30 days under normal circumstances.
- International Transfers Must Comply: Organizations that transfer personal data relating to individuals in the EU outside of the EU (yes, including to and from the United States) must follow GDPR-approved safeguards for those data transfers. The best method will depend on the nature of the organization and the identity of the recipient countries.
- Have a GDPR-Compliant Data Breach Response Plan: The GDPR has specific rules that govern data breaches, including when the notification must occur (generally within 72 hours), who must be notified, and the information that must be communicated. For United States organizations subject to the GDPR, these rules apply in addition to the breach notification rules imposed by federal and state law.
The maximum penalty for GDPR violations is severe: up to €20 million or 4% of an organization’s annual worldwide revenue, whichever is greater. On top of that, non-compliant companies could be prohibited from conducting future business in the EU. Complying with GDPR standards not only avoids stiff penalties, it provides organizations with tangible ways to elevate their service and brands in the eyes of the consumer. In light of the changing privacy landscape at home and abroad, each company’s privacy and data security practices are best analyzed by an interdisciplinary team consisting of stakeholders, attorneys, and information specialists.
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.