The General Data Protection Regulation (GDPR): Steps to Consider to Achieve Compliance by May 2018

The General Data Protection Regulation (GDPR), a uniform regulation aimed at protecting customer and employee personal information, becomes enforceable on May 25, 2018. The regulation will be implemented and applied in all 28 EU member countries [1] and will cover all EU data subjects. [2] While GDPR will impact the data collection and usage practices of virtually all businesses having access to the personal data of EU data subjects, many companies remain unprepared to meet their new compliance obligations.

GDPR covers all companies having a physical presence in an EU country and all companies with more than 250 employees without a physical EU presence that process data of persons in the EU. It also covers non-resident companies of fewer than 250 employees that process personal data on a regular basis, or where the data processed includes sensitive data. While this description is not precise, the text is broad enough to assume that GDPR is intended to cover any company with an operating and/or internet presence in the EU.

Covered data includes the following:

  • Basic identity information such as name, address and ID numbers (such as a social security number)
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

GDPR differs from the prior EU privacy directives, in that data processors now have responsibility for data protection and have liability for non-compliance with GDPR and for breaches of personal data occurring during activities involving the data. Previously, this responsibility fell to the data controller only. For clarity, a “data controller” is the entity that determines how personal data is processed and the purposes for which it is processed. The data controller also has oversight responsibility for third party contractors who handle the data. A “data processor” is an entity that maintains, processes and stores personal data on behalf of the data controller; multiple data processors may provide services for a single data controller.

One benefit of GDPR is that the rules relating to data collection, use and transfer are now more standardized among all EU countries [3]. However, the new requirements will force U.S. companies to change the way they process, store, transfer and protect personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one controller to another, and companies must erase personal data upon request (the so-called “right to be forgotten”). Data controllers are required to disclose user rights and periodically issue reminders of these rights, and must maintain supporting evidence of compliance with this requirement. Further, data subjects must opt in to the controller’s collection and use practices, rather than having to explicitly opt out.

GDPR imposes more stringent rules on transferring personal data outside of the EEA. [4] Companies must utilize data processors who maintain adequate standards to transfer personal data outside of the EEA. The data may only be transferred outside the EEA if the country to which the data is transferred maintains adequate privacy protection laws. [5] The EU Data Commission determines whether a controller’s data processors have the ability to provide a “reasonable” level of data protection and privacy of information (previously a determination made by the data controller). The term “reasonable” is not well defined, making it difficult for a controller to have reasonable assurances that the processor’s practices are in compliance. That said, current guidance suggests that encryption, tokenization and pseudonymization of data will meet this standard.

An additional challenge facing companies is the reduced time in which notice of a breach incident must be reported to the applicable Data Protection Authority. Under GDPR, this notice must generally be made within 72 hours after the breach is first detected, although longer periods are provided where the data is encrypted. [6] Companies must also perform impact assessments, which are intended to identify risk areas and provide for mitigation controls. GDPR provides for significantly tougher sanctions (up to the greater of €100m or 4% of global revenue) for non-compliance with regulatory obligations. In some cases, these fines support funding for the regulatory agencies, suggesting that companies should take the risk of an enforcement action seriously. In addition, the Data Protection Authority may also publicly disclose enforcement actions, creating a meaningful risk of reputational damage. Data subjects may also make direct claims for damages under GDPR, including through an EU version of class actions.

Action Items – What should your company be doing between now and May 25, 2017?

The first step is an analysis to understand how GDPR will affect business operations and where current systems and operations fall short. Leadership must come from the executive and senior management team and should involve all company departments (not just the IT team). In order to ensure full buy-in from the business units, the review team should include senior leaders from all groups within the organization that touch personal data. This may include representatives from finance, HR, marketing, sales, other operational groups, the privacy and information security officers and legal counsel. This comprehensive team is best equipped to share information and provide suggestions on how current practices could be modified to meet the compliance requirements. Once the internal assessment is complete, document the steps to achieve and maintain compliance, as well as ongoing plans to mitigate risk (both GDPR requirements). A comprehensive data protection plan that addresses all GDPR requirements must be created (or any existing plan modified as needed to achieve compliance). These reports and plans must be filed with the appropriate Data Protection Authority.

The assessment will lead to a technology/data flow mapping process to determine what information is collected, by whom, how the information is used, where it is stored, and how it is transferred. [7] This will also reveal whether appropriate transfer provisions and related liability allocations are contained within your third party contracts. These contracts will require subsequent modification to incorporate such provisions. [8] Remember that if you are the data controller, you must confirm that your data processors are taking similar steps. As with the initial analysis, the entire organization must support the plan and implementation process.

Another step is to hire or appoint a Data Protection Officer (“DPO”). GDPR requires that, depending on the volume and nature of the personal data involved, both controllers and processors designate a DPO to oversee GDPR compliance, including GDPR provisions relating to data security. GDPR does not appear to require that this be a discrete position (or that it be filled by a company employee). In fact, the DPO can be a third party consultant, performing similar services for multiple companies. It is critical, however, that the selected individual has competency in privacy and data security compliance and does not have conflicting interests that prevent the DPO from fully performing his or her duties. In addition to retaining a DPO, the action plan should include regular, ongoing training for all impacted company personnel.

Finally, set up a process for ongoing assessment to help ensure that you remain compliant. This requires monitoring and incident response testing. GDPR provides a 72-hour window for reporting, and your ability to comply with the requirement will minimize damage associated with the breach and directly affect your risk of fines and other regulatory enforcement. [9]

Do not be afraid to ask for help, if needed. Even small companies will be affected by GDPR, and many may not have the internal support to meet the requirements. Outside resources are available to provide advice and technical experts to help you manage this process.

[1] Id 28 EU countries
[2] GDPR does not clearly state whether the regulation extends to non-citizens residing (temporarily or long-term) in an EU country. Based on the definitions of “data subject” in various privacy regulations and directives, companies may choose to assume the broader coverage. Note that GDPR protections extend to a company’s personnel – not just its customers.
[3] There are some exceptions, including those related to other legal obligations. For example, the provisions of HIPAA would continue to apply to health records, even if GDPR would otherwise reduce a company’s obligations.
[4] The European Economic Area (“EEA”) is broader than the EU member countries and includes countries that are deemed part of the European Single Market.
[5] The United States is not currently deemed to maintain adequate laws for this purpose.
[6] Notice must also be provided to data subjects if the breach is likely to result in a “high risk” to the individual. The timing of these notices is not clearly stated.
[7] This process should also identify hidden capture and storage of personal information that may not be clearly known or understood by the business units. Note that under the GDPR “right to be forgotten” the company may be required to remove or transfer an individual’s personal data. Can all locations of the data be confirmed and how will you handle the logistical details surrounding a global removal or transfer?
[8] It is not unusual for companies to utilize a variety of data compliance practices, including registration under the Privacy Shield, development of model clauses, and updates to website conditions and privacy policies.
[9] Remember that you are required to meet users’ “reasonable expectations” of data privacy. Encrypting, tokenizing, or pseudonymizing data before uploading it to the cloud may meet this standard, and, in any event, will help reduce the risk of an actual data breach.

This blog was written by Michele Cohen at Miles & Stockbridge.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.