Companies that routinely collect or process data of European Union residents have likely spent the past couple of years preparing for May 25, 2018. On that date, enforcement of the EU’s new General Data Protection Regulation (GDPR) takes effect. However, many companies with limited or incidental activities in the EU are scrambling to put at least some level of compliance in place. There is no explicit exception in the regulation for processing limited amounts of data. Companies that only have a handful of EU customers or incidentally collect data from individuals involved in business-to-business transactions still need to comply.
This comprehensive privacy regulation contains numerous requirements that go above and beyond typical privacy practices in the United States. Non-compliance can result in civil actions and administrative fines of up to 20 million Euro or 4 percent of your total worldwide annual turnover of the preceding financial year, whichever is higher.
GDPR applies to processing of personal data of individuals residing in the European Union. Both "processing" and "personal data" are very broadly defined. "Processing" means any operation performed on personal data "whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." More significantly, "personal data" not only covers what is traditionally viewed in the U.S. as personally identifiable information or PII, but covers "any information relating to an identified or identifiable natural person." Personal information includes location data and online identifiers, such as IP address or cookies.
GDPR's broad scope can potentially entangle U.S. companies operating a website that is accessible to EU residents. That could include almost any website. Article 3 of the regulation states that GDPR applies to a controller or processor outside of the EU where the processing activities relate to "offering of goods or services, irrespective of whether a payment of the data subject is required" and "monitoring of their behavior as far as their behavior takes place within the Union." Fortunately, GDPR Recital 23 provides some potential relief by stating that "mere accessibility" of a website in the EU does not alone constitute intent to offer goods or services. A U.S. focused website, however, should be careful to avoid other indicia of intent such as use of a language generally used in one or more Member States or mentioning customers in the EU. Stating that the website is intended for U.S. residents only could be helpful. Use of cookies and other tracking devices, however, might subject a website to the GDPR through the behavior monitoring prong of Article 3.
If GDPR applies to your company, then you likely need to designate an EU representative unless the collection is incidental and doesn't include certain special categories of information. A GDPR compliance program must address a number of issues including the following:
-
Prior to processing any personal data, the individual must provide affirmative consent. If the company opts to obtain such consent through an “I accept” button, then it must have the ability to track such acceptance and document the same in the event of a civil or administrative action.
-
The data subject has the right to be forgotten. In this regard, the individual may request that the company delete all personal data it has in its control. Third parties to whom the company transmitted personal data must also delete such data. Companies will need to engage in data mapping and understand where personal data is collected, stored and transmitted. Vendor contracts need to address personal data deletion.
-
The data subject also has the right to receive the personal data concerning her or him from the company "in a structured, commonly used and machine-readable format."
-
The data subject has the right to object at any time to the processing of his or her personal data. Once the company receives such objection, the company shall no longer process that data unless it can demonstrate "compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject…"
-
The company, at the time when personal data is collected, needs to set forth the rights above and provide other information related to the processing of such data. Such notification may take the form of a revised website privacy policy.
The GDPR also contains some overarching principles that run counter to the typical development process in the U.S. Those include Privacy by Design and Privacy by Default. Under the Privacy by Design principle, companies must consider privacy in the initial design phase of a development process and continue to address privacy throughout that process. Privacy by Default requires that companies apply the strictest privacy settings by default without any manual input from the end user. Personal data must only be kept for the minimum amount of time necessary to provide the product or service. These two principles can be particularly problematic for emerging companies who realize that there is immense value in data they collect but have not yet decided how to commercialize it.
If your company does have employees in the EU, keep in mind that GDPR imposes significant obligations on your human resources department. Employee consent is required for data processing and the consent must justify collection of sensitive data. Internal audits are required along with updates of HR policies and notices.
