Companies must begin to get their houses in order now, however. The GDPR will impose strict requirements and hefty penalties for non-compliance, with fines running as high as 4% of a company’s total global annual turnover. Companies will have to conduct thorough assessments of the personal data that they collect, maintain, use, and disclose, as well as review their contracts with vendors and their policies and procedures with respect to such data, so that they can make any necessary changes well before the GDPR becomes effective.
Below are brief descriptions of key provisions of the GDPR and what they mean for U.S. companies:
Affects U.S. Companies That Do Business in the EU or That Process Data on Behalf of Such Companies. The GDPR will apply to an extremely wide range of companies: data controllers (entities that, alone or with others, determine how personal data will be processed and for what purpose) and data processors (entities, such as cloud providers, that process personal data on behalf of a data controller) that (1) are established in the EU, or (2) that are not established in the EU, but that offer goods and services to EU residents or track EU residents online (e.g., for marketing purposes).
Sets High Bar for “Consent” to Collect Personal Data. Among other requirements, the GDPR will require companies to obtain freely given, specific, informed, and unambiguous consent before collecting personal data (i.e., information relating to an identified or an identifiable natural person, including a unique device ID or location data) from an EU resident. An individual’s silence, inactivity, or failure to uncheck a pre-checked box will not indicate consent. Companies that do not obtain consent to collect personal data must have another valid legal basis (defined in the GDPR) for doing so.
Requires New Mechanisms to Give Data Subjects Control Over Personal Data. In addition, the GDPR will give EU residents certain rights, such as the right to request removal of personal data that they have posted online and the right to data portability. Specifically, a company will be required to remove, erase, or otherwise delete the personal data of an EU resident upon request and subject to some exceptions, if, among other things, the data are no longer necessary for the purpose for which they were collected or the EU resident withdraws consent or objects to the processing, and there is no other legitimate basis to continue processing. In addition, a company will have to, at an EU resident’s request, transfer that resident’s personal data in a structured, machine-readable format to another company.
Establishes New Data Breach Notification Requirements. Companies that experience a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data will be required, subject to some exceptions, to notify (1) the relevant Data Protection Authority (i.e., the supervisory authority in the relevant Member State) within 72 hours of discovering the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals,” and (2) the data subject, “without undue delay,” if the breach is “likely to result in a high risk to the rights and freedoms of individuals.”
Maintains Restrictions on Cross-Border Transfers of Personal Data. The GDPR will retain the 1995 Data Protection Directive’s restrictions on cross-border transfers to countries (such as the U.S.) that the EU believes do not provide “adequate” data protection. The GDPR also will preserve the exceptions to those restrictions (e.g., transfers made with explicit consent or that are in the public interest), and will continue to allow companies to use binding corporate rules (“BCRs”) and model contracts to ensure adequate safeguards transfers to the U.S. The GDPR also envisions a more extensive menu of valid transfer mechanisms, including codes of conduct and certifications, which, if and when approved by the EU, could help companies.
Requires Extensive Recordkeeping to Enable Proof of Compliance. The GDPR will require companies to maintain records of all processing of personal data. Companies will need to turn such records over to Data Protection Authorities, when requested, to verify compliance. Otherwise, they could be subject to the steep penalties described below.
Imposes Steep Penalties for Non-Compliance. In terms of remedies and sanctions, the GDPR will up the ante considerably for both controllers and processors of personal data. The GDPR will give the Data Protection Authorities “complete independence,” more resources, and greater powers. Moreover, the GDPR provides for potentially substantial fines for “infringements” of the GDPR’s provisions—in many cases, up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is greater.
Given this laundry list of requirements and the lead time necessary for developing and implementing new procedures and systems to address them, companies must begin now to (1) seek advice on how to interpret various provisions of the GDPR, (2) determine the scope of their obligations under the GDPR, (3) assess their current policies and operations, (4) identify gaps between current policies and operations and the GDPR requirements, and (5) design and implement GDPR compliant policies and operations in collaboration with legal and IT departments.