DATA PRIVACY: Big changes in data privacy laws are coming in 2018. Are you ready?
What Is GDPR? GDPR is short for General Data Protection Regulation 2016/679 that replaces the Data Protection Directive 95/46/EC. GDPR seeks to protect the rights of individuals regarding their data and automatically became part of each EU Member State’s legal framework unless a Member State enacts laws that specifically derogate from the GDPR.
When Must Companies Comply With GDPR? GDPR was approved by the European Parliament and Council in April of 2016. Enforcement begins .
What Data Is Subject to the GDPR? GDPR applies to “personal data” -- any information relating to an identified or identifiable natural person. Personal data includes less sensitive information which generally is not subject to U.S. privacy or security laws such as work contact information.
What Activities Are Subject to GDPR? GDPR applies to the “processing” of personal data. “Processing” includes collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing, destroying and transferring personal data.
Can A Non-EU Company Be Subject to GDPR? Yes. GDPR applies to U.S. Companies:
§ With an “establishment” in the EU. GDPR applies to the activities of the establishment, regardless of where processing occurs. A U.S. company may have an EU establishment through a branch, a subsidiary, or a local sales representative, and is not dependent upon having a physical presence in the EU;
§ Which offer goods or services, even if free, to individuals in the EU;
§ Which monitor the behavior of individuals while the individuals are in the EU; or
§ When Member State law applies to the processing of personal data by public international law, which specifically includes a diplomatic mission or consular position.
When Can Companies Process Personal Data Under GDPR? Companies must have a valid, lawful basis to process personal data. A lawful basis may be any of the following: with the consent of an individual, when required to perform a contract with the individual, when a company is required to comply with legal obligations, when it is in the “vital interests” of the individual (such as an emergency), and when necessary to protect the legitimate interests of the company if appropriately balanced against the interests, rights and freedoms of individuals.
What Are Some Of The Accountability and Governance Obligations For Companies Under GDPR? Companies must have a documented privacy compliance program, including the following:
§ Notice. Companies must inform individuals of the lawful basis under which they are processing their personal data. Companies must notify their employees of their obligations and train them with respect to processing of personal data.
§ Contracts. Companies that contract with other companies to process personal data must enter into data processing addendums with their service providers that include specific elements required under GDPR.
§ Documentation. Companies are required to document processing activities and make the documentation available when required to the applicable data protection authority.
§ “Privacy by Design.” Companies must implement technical and organizational measures for compliance.
§ Data Protection Impact Assessments. Companies must assess new technologies prior to processing where the processing is likely to result in high risk to the rights and freedoms of individuals.
§ Data Protection Officer. GDPR requires companies to appoint a DPO in certain circumstances. Germany imposes a more stringent requirement on companies to appoint a DPO. If a DPO is appointed, the DPO has certain rights and duties under GDPR.
What Are Other Key Obligations Under GDPR?
§ Security. Companies must protect against unauthorized or unlawful processing, accidental loss, destruction and damage by deploying and documenting technical and organizational measures.
§ Data breach response. Companies may be required to provide notification of certain breaches to the relevant EU supervisory authority and to customers“without undue delay.”
§ International Transfers. Companies must restrict transfers of EU data internationally except under certain circumstances.
What Rights Do Individuals Have Under GDPR Which Will Impact A Company? Individuals have the following rights: to be informed about personal data and how it is being processed, to access, correct and erase personal data (the “right to be forgotten”), to restrict further processing, to obtain and reuse data for their own purposes across different services and to object to processing. Companies are prohibited from “profiling,” or using data to make a decision based solely on automated processing that significantly affects the data subject’s rights.
What Are The Consequences Of Non-Compliance? Data protection authorities may fine companies up to a maximum of the greater of 2 or 4% of worldwide revenues or 20 million euros, depending on the nature of the violation. Also, individuals may seek judicial remedy for violations, and customers may stop doing business with your company unless you can comply.
This Is Extensive, Is It Too Late To Comply? No. Regulators will want evidence that companies are aware of their obligations, have taken immediate steps to implement key changes, have performed a gap assessment and have a plan that they can use to document and demonstrate active steps towards compliance.
About Stoel Rives
With more than 350 attorneys, Stoel Rives is a leader in corporate, energy, environmental, intellectual property, labor & employment, land use & construction, litigation, natural resources, real estate, renewable energy and technology law. Our cross-industry team of data privacy and security lawyers includes attorneys certified by the International Association of Privacy Professionals who specialize in advising clients on systems and processes to protect business data and prevent unintended releases. Effective data privacy and protection solutions should be tailored to the industry your business serves. Whether you’re a health care provider, retailer, defense contractor or financial institution, you have specific needs for policy development, personnel training, forensic audits, breach response, customer notification, insurance coverage and transactional due diligence. Employers and sponsors of employee benefit plans also have data at risk. We advise on:
· Breach notification and incident response
· Cyber risk insurance coverage
· Advice on model contract clauses to indemnify and hold harmless
· Employee training on personally identifiable information best practices and policies
· Corporate advice regarding enterprise-wide privacy policies and plans
· European Union Data Protection Directive and General Data Protection Regulation (GDPR) Attestations
· EU- US Privacy Shield Assessment and Certification
· CAN-SPAM, UK Data Protection Act, Privacy Act Canada, PIPEDA, and other country-specific regulations
Let us help you with your data security and data privacy legal needs.