This is not just a problem for European-based companies. If your organization does business in the EU, offers goods and services to EU citizens, or processes EU citizen data, then all the provisions of GDPR apply, including:
- More rigorous data security measures
- A higher bar for obtaining consent
- New breach notification provisions
- New rights of the data subjects, including the “right to be forgotten”
- New requirements for governance over data and data processes
- New framework for data transfer under the EU-US Privacy Shield Framework
The GDPR defines “personal data” as “information relating to an identified or identifiable natural person.” This includes IP address, device ID, and any customer reference number. Importantly, these protections apply to all entities that process the personal data of EU citizens, even if the processing of personal data does not take place within the EU. The new regulation also imposes restrictions on transferring personal data outside the EU. Personal data may be transferred outside the EU only if the European Commission determines that the receiving jurisdiction “ensures an adequate level of protection” consistent with the GDPR; the processing entity has provided “appropriate safeguards”; or the individual has provided specific consent for the transfer. (The European Commission is responsible for proposing legislation, implementing decisions, upholding treaties, and managing the day-to-day business of the EU.) Furthermore, the GDPR guarantees several privacy rights to EU internet users, including mandatory, prompt notification of data breaches likely to “result in a risk for the rights and freedoms of individuals,” access to one’s data, the ability to instruct an entity to erase one’s data (consistent with the “right to be forgotten”), and the ability to move one’s data from one processing entity to another. Together, these rights are at the heart of the regulation’s purpose – to give back to individuals control over their data.
These objectives are advanced through several mechanisms. First, organizations that breach their obligations can be fined as much as 4 percent of their annual global revenue, or 20 million euros, whichever is greater. Second, under the GDPR, consent must always be unambiguous; the fines above apply primarily to breaches of these consent requirements. For special categories of personal data (e.g., race or ethnicity, political opinion, genetic data, union membership), explicit affirmative consent is required. Third, the GDPR requires that entities monitoring data subjects “on a large scale,” or processing special categories of personal data, appoint a data protection officer. Such officers advise their organization on GDPR compliance, serve as a point of contact for subjects inquiring into their data, and liaise with EU supervisory authorities. Fourth, the GDPR encourages the creation of data protection certification mechanisms so that entities can demonstrate compliance with the regulation.
If you have a website, mobile app, or other online services that EU users access, you will need to update your relevant online agreements and notices to comply with the GDPR. Some suggestions include:
- Use click-wrap agreements to obtain clear, unambiguous consent before collecting personal data.
- Add privacy notices wherever you ask for consent to collect data, so users understand what they are consenting to, why you are collecting the data, and how you plan to use it.
The GDPR is a complicated regulation, and not all of its essential parts can be summarized here. If you have any questions or would like a legal review of your online agreements and notices, please contact the business attorneys at Carlile Patchen & Murphy LLP.