As businesses become more global, they increasingly find that they must comply with differing laws, regulations and local customs. In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. While it clearly applies to businesses physically located in the EU, its applicability to businesses in the US is less clear. What can US-based businesses do to prepare for the GDPR?
First, it is important to understand that the GDPR takes a fundamentally different approach to privacy compared with current systems elsewhere in the world. For example, in the U.S., businesses publish privacy policies outlining what data they collect and how it is shared and secured, and the FTC governs these policies by ensuring they are fair and not deceptive. Under the GDPR, consumers continue to own their data even though a business may have collected it. Because of this, consumers can request a copy of their data, have it corrected and even ask for its deletion.
There are three key questions a business can ask to determine whether it falls within the scope of the GDPR. First, do you have a physical or digital EU presence that collects, transmits, or processes personal data? If so, the GDPR applies. Second, does your business offer services to individuals in the EU? This means more than simply having a website that is accessible from the EU: do you target EU customers by offering services (physical or digital, paid or free) in their language or by accepting euros? If so, the GDPR applies. Third, do you track or monitor EU individuals, meaning that you collect data on them in order to monitor or profile them? If so, the GDPR applies.
So what data is covered under the GDPR? "Any information relating to an identified or identifiable natural person", which we can break down by the nature, content and format of the information. Both objective and subjective information about an individual are personal data: a person's job title of "Head of HR" and the statement that they are a "good worker" are both personal information. It is also important to note that information does not need to be true to be classified as personal data. The content covered includes information about an individual's private life as well as activities that occur in the public sphere. Recital 30 explains that "internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags" may be associated with a natural person, thereby making them personal information. Lastly, the regulation covers information in any format, electronic and paper, processed by automated means and also by manual means if it "form[s] part of a filing system" (IAPP, European Data Protection Law and Practice, pages 68 and 69).
Understanding how the GDPR defines Data Controllers and Data Processors is also important. A Data Controller is the person, agency or business that makes the key decisions about what data is collected and how it is processed; most of the responsibility for compliance with the GDPR therefore rests with the Data Controller. The Data Processor also has responsibilities under the GDPR, but it acts in a subordinate role, with its primary duty being to comply with the Data Controller's contract on when and how data is to be processed. The Processor is also responsible for "security, record-keeping, notifying controllers of data breaches and ensuring they comply with the restrictions on international data transfers" (IAPP, European Data Protection Law and Practice, pages 74 and 80).
The GDPR should be viewed as an opportunity rather than something to be feared. An organization's ability to present evidence of its compliance efforts to regulators will help reduce its liability under Article 83 (General conditions for imposing administrative fines). Therefore, it benefits an organization not only to take measures that minimize potential consequences, but also to create a culture that embraces the principles of the GDPR and enforces meaningful accompanying systems and controls.