Implications of the EU GDPR for US companies

Many US companies without EU operations believe they don’t need to concern themselves with European data protection guidelines, such as Safe Harbor, the subsequent Privacy Shield, or the European Data Protection Directive (EDPD). While in some cases that remains true, the new Global Data Protection Regulation (GDPR) is intended to expand and unify data protection for individuals in the EU, and includes broader definitions of data providers and affected citizens.

DIRECTIVE vs. REGULATION

First, the GDPR replaces the EDPD; note that it is a regulation, not a directive; as such it directly imposes uniform data security law on all EU members. Second, it was adopted 27 April 2016 and becomes effective 25 May 2018; while this two-year transition period may seem long, for large organizations with complex operations, it’s a relatively short period of time to comply. Third, GDPR applies not only to EU citizens, but to all EU residents, regardless of their home country.

DATA CONTROLLERS & DATA PROTECTION OFFICERS

If your company is a “data controller”, GDPR applies; a “data controller” is defined as any company that offers goods or services to people in the EU, that monitors behavior (including online activity) of EU residents, or that processes personal data on EU residents on behalf of a company with a base in the EU.

If your company has no base in the EU, this does ease the overhead somewhat, but doesn’t completely absolve you of compliance. Most affected organizations will be required to appoint a Data Protection Officer (DPO), who will engage with a Supervisory Authority (SA) to support compliance and handle complaints.

NEW REQUIREMENTS

The GDPR also has new data accountability and transparency requirements:

  • Automated individual decision-making, including profiling (Article 22) is made contestable.
  • Privacy by Design is required, meaning all products must be built with data protection in mind.
  • Privacy settings must be set at a high level by default.
  • Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects (i.e. data breaches).
  • Risk assessment and mitigation are required, along with prior approval from the Data Protection Authority (DPA) for high risks.

Similar to Privacy Shield, cross-border data flows (outside EU member states) require Binding Corporate Rules (BCRs) or Model Contract Clauses (MCCs); there are also new requirements for Codes of Conduct, and an “EU Privacy Seal” certification, which is still under development.

Data subjects, or people who reside in the EU, have new rights: the right to erasure, to data portability, and to be informed in case of a data breach.

Along with the title of regulation comes a new ability to collect fines – and GDPR fines are steep; breaches of some provisions could lead to fines of up to 20 million Euros or 4% of global annual turnover for the preceding fiscal year.

NEXT STEPS

In the near term, the most important steps to take are:

  • Determine if your organization meets the GDPR definition of a “data provider”
  • If yes, appoint a Data Protection Officer (DPO), who can identify and begin engaging with the right Supervisory Authorities

Once you’ve made these determinations, engage with your local Supervisory Authority (SA) to better understand the requirements for your company.

Most likely, you’ll need to update or at least review how you handle privacy settings, user profiling and data breaches; this may be followed by updating or implementing processes for impact assessments for data breaches, and for risk assessments and mitigation plans.

Yes, GDPR compliance will take effort, but its uniform nature means that once you do it, working across the EU will be so much smoother.