Touted as one of the most important changes to data privacy protection in the last 20 years, the General Data Protection Regulation (GDPR) went into effect on May 25th, 2018 across all 28 member states of the European Union (EU).
The goal of the GDPR is to protect all EU citizens from data and privacy breaches in our data-driven world. The GDPR goes further in its protections than any directive before it.
Among the primary changes brought about by the GDPR is the expanded reach of regulatory jurisdiction over international organizations. The GDPR applies to every company collecting and processing personal data of consumers residing within the EU regardless of a company’s actual physical location.
Essentially, if a consumer resides within the boundaries of the EU, any company collecting their personal data must abide by the GDPR or risk penalty.
What Constitutes Personal Data?
While quite broad, personal data may include anything from a person’s name to any kind of online identifier, e.g. an IP address or browser cookies that can be used to track online activity. Any information relating to an individual’s name, home address, email, location via mobile phone, or medical records, or pertaining to one’s cultural, social, or economic identity, is considered personal data.
If any personal data collected by a company or government entity is to be used in any way, the collector must obtain consent, and must do so in a clear and easily understandable way.
What are the Big Changes to Data Rights Under the GDPR?
The Right to Access
The right to access gives data subjects the right to obtain confirmation from a data collector, also known as a data controller, as to whether or not their personal information is being processed and, if so, where and for what purpose. Furthermore, upon request, data collectors must be able to provide a copy of that data to the data subject (consumer/user) in an electronic format and free of charge. This is considered a powerful shift toward data transparency.
The Right to be Forgotten
This entitles data subjects to request that a data collector erase the personal data it has collected, cease any further circulation of that data, and by extension prevent any third parties from continuing to process the individual’s data. Conditions for data erasure include withdrawal of consent or the data no longer being relevant to its original purpose.
Breach Notification Entitlement
It is now obligatory for data collectors to notify data subjects of data breaches that are likely to “result in a risk for the rights and freedoms of individuals” within 72 hours of becoming aware of the breach. Likewise, data processors must notify their customers without undue delay after becoming aware of any data breach.
Data Portability Option
The introduction of data portability gives data subjects the right to obtain all personal data concerning them in a commonly used electronic format. The purpose is to allow that data to be transmitted to another data controller, i.e. a party responsible for keeping and maintaining personal information in a structured and accessible way.
Privacy by Design
While not a new concept, privacy by design has only recently become part of the legal requirements set by the GDPR. It means that data protection is to be built in from the outset of a project, rather than added as an afterthought. Compliant businesses must design their policies, systems, and procedures to adhere to GDPR guidelines. This measure is intended to better protect personal data from any unlawful processing.
Data Protection Officers (DPO)
A DPO is not required in all cases. A data protection officer (DPO) is an organization or company spokesperson or manager who ensures GDPR compliance. Organizations whose data processing operations require regular, large-scale monitoring, or involve special categories of data such as criminal offenses or medical records, must appoint a DPO. Additionally, public authorities and companies larger than 10-15 employees that also process personal data will be required to designate a data protection officer.
How Does the GDPR Affect U.S. Companies?
As mentioned, the GDPR applies to individuals within any of the 28 member states of the European Union (EU). This also means that any foreign company conducting business that involves individuals within the EU, whether as customers or as employees, will be affected by the GDPR.
For U.S. companies using any form of EU-targeted marketing or data collection within an identified market, or using localized online content in an EU member state, the GDPR will apply. This means consent must be obtained in a clear, specific, and unambiguous manner, and the collected data will have to be protected in compliance with GDPR rules.
However, an EU consumer who finds their way onto a U.S. website that is written for and marketed towards U.S. consumers or businesses would not be protected under the GDPR.
Companies found in breach of the GDPR could be fined up to 4% of their annual global profit, and a tiered approach to fines is being taken as businesses work towards compliance. For example, failing to maintain accessible records and failing to notify data subjects after a data breach carry different levels of penalty.
Legal Solutions & Counsel for GDPR Compliance
There are still open questions about how the EU will enforce compliance against U.S. and other international organizations. Full GDPR compliance is a complex matter, and many U.S. companies, both large and small, will have to navigate the newly established rules carefully or face the possibility of serious fines and penalties going forward.
The attorneys at Kundani Chang Khinda & Wilson LLP can help your organization safeguard and prepare for upcoming opportunities and hurdles presented by the GDPR transition. Contact our firm today and learn how our experience, resources, and scale can help you grow your company both domestically and globally.