GDPR: What You Need to Know
On May 25, 2018, the long-awaited General Data Protection Regulation (“GDPR”) will finally come into full effect. The EU Parliament enacted GDPR as a replacement for the 20-year-old Directive 95/46/EC in response to growing global concerns regarding data privacy and consumer data protection. The enforcement and compliance structure set forth by GDPR is centered around the concept of giving consumers full control of, and transparency regarding, their data.
GDPR is an extensive piece of legislation that attempts to establish a wide-reaching compliance and enforcement framework. The goal of this article is to provide you with several key takeaways from GDPR to help you digest the basics of the regulation and evaluate whether your company needs to comply with it.
GDPR will apply to any company that targets EU markets and consumers, not just those companies in the EU
Companies must be aware that they are not immune from the reach of GDPR just because they are based outside of the EU. GDPR requirements apply to any company, wherever located, that (i) offers goods and services in the EU, (ii) monitors behavior of individuals in the EU or (iii) collects, receives, transmits, uses, stores or otherwise processes personal data of EU residents. It is important to note that GDPR requirements apply to the collection and processing of both customer and employee data.
GDPR breaks down its application into three categories: (i) data subjects, (ii) data controllers, and (iii) data processors. “Data subjects” are those individuals whose personal data and information is being collected. “Data controllers” are those entities that are engaged in the actual collection of data from the data subjects. “Data processors” are those entities that are engaged in the processing of all of the data and information collected by the data controllers.
Companies must have a legal justification for collecting and processing personal data
GDPR builds upon previous regulations by specifically identifying the following six different justifications for the legal collection and processing of personal data:
- Consent of the data subject;
- Contract with the data subject;
- Necessary for compliance with a legal obligation;
- Necessary to protect the vital interests of a data subject or a third party;
- Necessary for the performance of a task in the public interest or in the exercise of an official authority vested in the data controller; and
- Necessary to achieve legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the rights of the data subject.
Currently, the most widely used justification is consent of the data subject. The data subject must freely give such consent in a clear manner, and such consent must be based on accurate and digestible information provided by the company. In a departure from current practices, the data subject’s consent must be active. A data subject’s silent acceptance of a privacy policy or a pre-checked acceptance box is no longer an acceptable means of obtaining consent from a data subject. Also, companies will need to make sure that the consent request and the information regarding the processing described in the privacy policy are clearly set forth in plain language, rather than “legalese”. As such, companies hoping to use the consent justification must re-visit their privacy policies and consent mechanisms to ensure that they clearly set forth the data that they are processing/collecting, how such data will be processed/collected and any other such matters that affect the rights of the data subjects. Additionally, data controllers and data processors should review their contractual agreements to ensure that all necessary compliance responsibilities have been allocated to the appropriate parties.
The penalties for non-compliance could be severe
GDPR contains very stringent penalties for non-compliance that could potentially have disastrous economic effects for a company. While the fines imposed by GDPR differ depending on the violation, the maximum fine possible for a violation under GDPR is the greater of EUR 20 million or 4% of global annual revenue. These fines can be imposed on both the data controller and the data processor.
GDPR both expands existing data rights and introduces new data rights for consumers
While EU residents already have certain legislated and judicially protected rights regarding personal data and data privacy, GDPR expands those rights and introduces several additional rights. Specifically, GDPR provides the following list of rights to individuals:
- The right to be informed. Data controllers are required to inform data subjects about the data controller’s identity, the purpose behind the processing of the data subject’s data, the categories of data that will be processed, who the data will be directed to, the existence of the data subject’s rights to the data, the retention period for such data, the right to withdraw consent at any time and the right to file a complaint regarding such data usage.
- The right of access. Each data subject has a right to obtain confirmation from the data controller regarding the processing of such data subject’s data. The data controller is required to provide the data subject access to that personal data.
- The right to rectification. The data subject has the right to fix any errors in the personal data held by the data controller and to have any other errors rectified.
- The right to erasure. Otherwise known as the right to be forgotten, each data subject will have the right to request the deletion of such data subject’s data on certain grounds.
- The right to restrict processing. Data subjects now also have the right to request that a restriction be placed on certain forms of processing of their personal data. In the event of any such restriction, the data controller would only be allowed to store (but not process) such personal data, subject to limited exceptions.
- The right to data portability. If a data subject’s data is subject to automated processing based on consent, such data subject has the right to request that the data controller provide a copy of such data in a transmittable form so that the data subject can provide such data to another data controller.
- The right to object. Data subjects have the right to object to the processing of their data in any of the following situations: (i) if the data processing is based on the justification that it is necessary for the public interest or for a legitimate interest of the data controller; (ii) if the data is processed for direct marketing efforts; or (iii) if the data is processed for certain research purposes. Under GDPR, the burden has now shifted in such an instance to the data controller to demonstrate that the data controller has compelling grounds for continuing the data processing or that the data processing is necessary in connection with the data controller’s legal rights.
- Certain rights in relation to automated decision making and profiling. Data subjects have the right not to be subject to any decisions that are based solely on automated processing, including automated profiling, if such decisions have legal effects concerning the data subject or otherwise significantly affect such data subject.
Companies may have to appoint Data Protection Officers
GDPR requires that certain companies whose “core activities” involve (i) large-scale, regular and systematic monitoring and processing of individuals’ data or (ii) the processing of special categories of sensitive data on a large scale must appoint a Data Protection Officer. Those who are appointed as Data Protection Officers are given the formal responsibility for implementing data protection compliance measures within such company. The Data Protection Officer is intended to be an independent position, responsible for monitoring all issues associated with data protection compliance and acting as a primary point of contact for relevant supervisory authorities. The appointment of a Data Protection Officer, if necessary, could be a significant additional cost of compliance with GDPR.
GDPR provides a uniform data breach notification requirement
Under previous regulations, EU member states were allowed to adopt their own data breach notification laws, which resulted in multiple compliance frameworks for companies that experienced data breaches in the EU. GDPR has set forth a single, uniform data breach notification requirement that will ease the compliance burden for companies that experience any such data breach. GDPR requires that data controllers notify the appropriate authorities within 72 hours of having knowledge of any breach. When notifying the authorities, the data controller must identify the type of the breach, what categories of data were breached and the estimated number of data subjects that were impacted by the breach, among other items. Data processors, on the other hand, must notify the appropriate authorities “without undue delay” upon learning of any such breach.
Additionally, if the data controller determines that the data breach “is likely to result in a high risk to the rights and freedoms of individuals,” the data controller must notify the affected data subjects of such breach “without undue delay.”
As previously stated, this article is merely a brief overview of the key components of GDPR and is not meant to be a comprehensive analysis. We encourage you to check with your legal and compliance professionals for further detailed information and to figure out how you can prepare for compliance with GDPR when it becomes fully effective.
Scannavino Lamb LLP is a boutique law firm based in New York City offering legal and strategic advice to forward-thinking entrepreneurs, startup companies, and startup investors. Founded by former Big Law lawyers with a range of experience in corporate law and business transactions, the firm serves its clients by blending world-class service with entrepreneurial perspective. Check us out at www.scannavinolamb.com.
This publication is for general information purposes only. The information in this publication should not be construed as legal advice or legal opinions, is not a substitute for fact-specific legal counsel, does not necessarily represent the views of the firm or its clients, and is not intended to create a lawyer-client relationship. This publication may constitute attorney advertising in some jurisdictions.