A Primer on the GDPR

From: Mark Del Bianco

 

This memorandum is for informational purposes only.  It is not intended to constitute or provide legal advice.  If you would like to discuss your company’s situation and how to become GDPR compliant, please contact me.

 

Introduction

 

The General Data Protection Regulation (“GDPR”) is a new data privacy and protection law adopted by the European Union.  It goes into effect May 25, 2018. It replaces and expands on the existing EU data protection law, which was enacted back in 1996.  The GDPR regulates the processing by an individual, a company or an organization of personal data relating to individuals who are located in the EU.  It applies to any organization anywhere in the world that intentionally offers products or services to persons in the EU (including but not limited to EU citizens), or that collects and stores data on those individuals.  The GDPR does not apply to the data of companies or deceased individuals. It is much broader than existing EU privacy law, and penalties for violations are potentially much harsher.  Companies that violate the GDPR could face fines of up to 4 percent of global sales (not profits).

 

Because it is an EU regulation, the GDPR has binding effect and can be enforced without any requirement for national legislation.  The requirements of the GDPR create a minimum level of legal protection for individuals’ personal data throughout the EU, but individual EU nations can enact their own legislation that provides additional protections or penalties.

 

Depending on the nature of your company’s operations, there may be a fair amount of work involved in ensuring that it becomes GDPR-compliant in a timely manner.

 What data does the GDPR cover?

 

The GDPR applies to the personal data of all individuals in the EU, whether or not they are citizens or residents of the EU.  In general, it covers the data of any customers and any employees that are located in EU countries.  The GDPR sets out rules for how a company can collect, store, use and share such personal data.  In addition, it provides each person with certain rights to know what data has been collected about them, to access and correct such data and to require deletion of data (a/k/a “the right to be forgotten”).

Personal data is any information that relates to an identified or identifiable living individual (a “data subject”). Different pieces of information that are not specifically identified with a person, but which collected together can lead to the identification of a particular person, can also constitute personal data.  Personal data that has been rendered anonymous in such a way that the individual is not identified or no longer identifiable is not considered personal data. However, for data to be truly anonymized, the anonymization must be irreversible.  Personal data that has been de-identified, encrypted or pseudonymized but can be used or combined to re-identify a person remains personal data and falls within the scope of the law.

The law protects personal data regardless of the technology used for processing that data. It is technology neutral and applies to both automated and manual processing, provided the data is organized and thus searchable in accordance with pre-defined criteria (for example alphabetical order). It also does not matter how the data is stored – for example, in an IT system, on a removable hard drive containing video surveillance, or on paper.  In all cases, personal data is subject to the protection requirements set out in the GDPR.

The following are examples of personal data covered by the law:

  • a name;
  • a home address;
  • an email address such as [email protected];
  • an identification card or credit card number;
  • location data (for example the location data function on a mobile phone)[1];
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of a mobile phone; and
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

 

The EU has provided a few examples of data that are not considered to be personal data.  They include a company registration number and a generic email address such as [email protected].

 

What does the GDPR require?

 

The GDPR requires any entity that controls or processes personal data to meet a number of requirements.  It creates two categories of entities, “controllers” and “processors”, and imposes different requirements on each. The duties imposed on controllers are more stringent.

 

Many U.S. companies marketing products and services to EU individuals will be both a “controller” and a “processor” of the personal data of their data subjects, which include both customers and any employees who are individuals located in the EU.[2]  A controller is the entity that obtains and determines what to do with the data subject’s personal data.  For example, a company is a controller if it collects personal information from its EU customers in order to sell them products and services, and it stores the data and controls its distribution and use.

 

To the extent that a company processes some of that data itself, it is also a processor. The concept of “processing” covers a wide range of operations that can be performed on personal data, whether by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. Examples of business functions that inevitably involve processing of personal data include:

  • customer billing;
  • staff management and payroll administration;
  • access to/consultation of a contacts database containing personal data;
  • sending promotional emails;*
  • shredding documents containing personal data;
  • posting/putting a photo of a person on a website;
  • storing IP addresses or MAC addresses or using them to route internet traffic; and
  • video recording (CCTV).

When a controller provides any of the data that it controls to its service and payment vendors (or allows them to collect such data on its behalf), they become processors of the company-controlled data.  They are then subject to all the duties imposed on processors, and the controller has an obligation to ensure that they fulfill those duties.  It cannot outsource its obligations as a controller.

What Duties Are Imposed on A Controller?

 

 

Under the GDPR, a controller must at a minimum:

  1. Identify the data processing activities for which it is a controller and ensure that it understands its responsibilities.
  2. Review internal and outsourced data processing activities and – if applicable – conduct a Data Privacy Impact Assessment (DPIA).  A DPIA is required whenever processing is likely to result in “a high risk to the rights and freedoms of individuals.”[3]
     • Whether a company needs to conduct a DPIA because its processing is likely to result in “a high risk to the rights and freedoms of individuals” is a fact-specific determination that can only be made after careful review of a company’s operations, including the types of data it obtains.
  3. Ensure that it has implemented (i) appropriate technical and organizational measures to ensure compliance with the GDPR; and (ii) appropriate processes and templates for identifying, reviewing and (to the extent required) promptly reporting data breaches.[4]
  4. Train employees who process personal data to quickly recognize and appropriately respond to potential data breaches and to requests from data subjects to exercise their rights.
  5. Ensure that there is a contract or other legal act guaranteeing that each of its processors provides sufficient guarantees to implement appropriate technical and organizational measures that meet the standards of the GDPR. The GDPR outlines a number of contractual requirements between controllers and processors including: identifying the subject matter and duration of the processing; identifying the nature and purpose of the processing; structuring the obligations and rights of the controller; acting only upon the written instructions of the controller; ensuring those processing data are doing it under a written confidentiality agreement; and assisting the controller in meeting breach notification requirements.

What Duties Are Imposed on A Processor?

 

The type and amount of personal data a processor may process depends on the purpose of the processing. Every processor must respect several key rules, including

  • Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (“lawfulness, fairness and transparency”).
  • It must have specific purposes for processing the data and must indicate those purposes to individuals when collecting their personal data. It cannot simply collect personal data for undefined purposes (“purpose limitation”).
  • It must collect and process only the personal data that is necessary to fulfil that purpose (“data minimization”).
  • It must ensure the personal data is accurate and up-to-date, taking into account the purposes for which it is processed, and correct it if not (“accuracy”).
  • The personal data cannot be used for purposes that are not compatible with the original purpose of collection.
  • It must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
  • It must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).

A processor must at a minimum:

  1. Review all its data processing activities for each controller.
  2. Ensure there is a lawful basis for each processing activity (i.e., that the data subject has consented, that the controller has a legitimate interest in the processing activity, or that another exemption or derogation applies).
  3. Where consent is the basis for processing (as will usually be the case), review existing mechanisms for obtaining consent, to ensure they meet GDPR regulations.
  4. Where a legitimate interest is the basis for processing, maintain records of the organization’s assessment of that legitimate interest, to show the organization properly considered the rights of the data subjects.
  5. Update its website terms of service, privacy policies and other customer-facing documentation.
  6. Train employees who process personal data to quickly recognize and appropriately respond to potential data breaches and to requests from data subjects to exercise their rights.

In addition, an entity of a certain minimum size (a “public administration”) is required to appoint a Data Protection Officer (DPO) to oversee its GDPR compliance and to have an onsite legal representative located in the EU.

  • The applicability of these requirements depends on the facts of each company’s situation.

 

What steps does a company need to take to become GDPR compliant?

 

You will need to audit your policies and procedures to determine what personal data you acquire, where it is stored, and how and by whom it is used/processed.  You will need to summarize in plain and intelligible language a considerable amount of detail that is mandated by the GDPR, including:

  • Name and contact details of the controller/processor/representative.
  • An identification of the categories of data subjects.
  • An identification of the categories of personal data collected and processed.
  • A description of the purposes of all data collected and all processing activities.
  • Where the lawful ground for processing is legitimate interests rather than consent, an explanation of those legitimate interests.
  • The categories of recipients to whom personal data have or will be disclosed, including recipients in third countries.
  • Details about your international data transfers and the appropriate safeguards that are in place.
  • A general description of your technical and organizational data security measures.
  • An explanation of your data breach notification plan.

This will definitely require looking at the following practices and procedures:

  • External facing website privacy notice
  • Internal privacy notice and data protection policy
  • Cookie statement
  • Information security policy
  • Email and internet policies
  • Social media policy
  • Incident response and data breach policy
  • Data subject access requests policy – including right of erasure and data portability
  • Supplier/processor due diligence procedure, including standard controller to processor/sub-processor contract terms
  • International data transfers
  • Record of processing activities template
  • Data destruction policy
  • Data retention policy
  • Compliance training policy

 

The following areas of practices and procedures are usually not relevant to companies that do not have employees or offices in the EU.   However, each company will need to review them to confirm that they are not an issue.

  • Bring your own device policy
  • Data protection impact assessment policy
  • Monitoring in the workplace policy
  • CCTV policy
  • Data Protection Officer appointment
  • Privacy by default/design policy
  • Legitimate interests assessment policy

The EU resources available for GDPR enforcement are relatively limited, so it can be expected initially to focus on larger companies with substantial EU presence and operations.  However, it may choose a handful of smaller, non-EU-based firms as enforcement targets in order to send a message to that group of companies.  Therefore, even if a U.S. company cannot come into compliance by the May 25 GDPR effective date, it should strive to become compliant as soon as commercially reasonable in order to avoid potential regulatory problems.  The commercial reasonableness of its efforts will depend on a variety of factors, particularly the number of EU customers, both absolutely and as a percentage of total customers.

[1] In some cases, there is a specific sectoral legislation regulating the use of location data or the use of cookies – the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37) and Regulation (EC) No 2006/2004) of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1).  If your company is using either technology, you will need to examine the possible applicability of these directives.

[2] If it has employees (or other identifiable individuals, such as the subjects of a medical research study) located in the EU, a company would be both a controller and a processor with regard to their data.  Its obligations to them would be the same as to individual customers.  All are “data subjects” as the term is used in the GDPR.

[3] A DPIA is required at least when a company engages in the following types of operations:

  • a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
  • processing of sensitive data on a large scale; and
  • systematic monitoring of public areas on a large scale.

 

[4] A data breach is where personal data held is disclosed accidentally or unlawfully to unauthorized recipients or is temporarily unavailable or altered.   A breach must be notified to the Data Protection Authority (DPA) of an affected EU country without undue delay and at the latest within 72 hours after a company becomes aware of the breach. Note that this timeframe is much shorter than those in U.S. data breach laws.  The company will also need to inform individuals about the breach by email or letter, not via a public notice or website change.  DPAs are independent national authorities that supervise the application of the GDPR and any national data protection law. They provide expert advice on data protection issues and handle complaints of violations. There is one DPA in each EU Member State.
