No Excuses: GDPR Ups Ante on Accountability and Risk

Wednesday, June 6, 2018 - 09:43

Complying with the new EU privacy regulation is not easy – but it is critical.

The General Data Protection Regulation (GDPR) took effect in the European Union (EU) on May 25, 2018. Although U.S. businesses may think that EU regulations do not apply to them, the GDPR extends to any entity, in any location, that collects, stores or uses the personal data of people in the EU. Privacy regulators in the EU have taken the position that they will enforce the GDPR against businesses that have no physical presence in the EU.

Now that the regulation has taken effect, businesses subject to GDPR cannot make excuses for noncompliance. Therefore, it is crucial to bring your organization into compliance, or it will face significant risk.

New Rules of the Road

The GDPR represents a fundamental change in privacy regulations. It expands the definition of personal data, requiring protection of significantly more data than ever before. Under GDPR, personal data is any information that could be used to identify an individual. This includes information that U.S. companies have not traditionally considered to be protected, such as names, email addresses and personal IP addresses. The regulation also covers “sensitive data or special personal data” – a subset of personal data that includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sexual orientation, genetic information and biometric information.

The GDPR holds organizations much more accountable for data privacy, and it creates a number of obligations for companies. For example, it tightens consent requirements to the extent that many generally accepted consent mechanisms will now be noncompliant. It introduces restrictive, enforceable data-handling principles. Also, it requires compliance from “data controllers” – organizations that determine the purposes and means of processing (which include collecting and storing) personal data; and from “data processors” – parties that process personal data on behalf of a data controller.

Finally, the GDPR imposes harsh consequences for noncompliance – companies can be fined as much as 4 percent of their annual global turnover or €20 million, whichever is greater. In addition, individuals – known as “data subjects” – can file private lawsuits against infringing controllers and processors.

Organization Obligations

The GDPR places a number of privacy-related requirements on organizations.

Ensure lawful processing.
To process the personal data of individuals in the EU, an organization must have a “lawful basis” for such processing. The available lawful bases include:
  • Consent: Data processing is lawful when the data controller obtains the data subject’s consent to process their personal data for one or more specific purposes. Although consent is a perfectly legal basis for processing, it creates extra obligations for a data controller.
  • Contractual necessity: Data processing is lawful when it is necessary to fulfill a contract with the data subject, or because the data subject has asked the controller to take specific steps before entering into a contract.
  • Legal obligation: Data processing is lawful when it is necessary for the data controller to comply with the law.
  • Vital interests: Data processing is lawful when it is necessary to protect someone’s life.
  • Legitimate interests: Data processing is lawful when it is necessary to protect a legitimate interest pursued by the data controller (or a third party), except where the data controller’s interests are overridden by the fundamental privacy rights of the data subject, particularly when the data subject is a child.

Institute and comply with purpose limitations.
An organization must ensure that data is used only for the specified, explicit and legitimate purpose that was described to the data subject upon collection of the subject’s data.

Protect rights of data subjects.

Under GDPR, a data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she can be identified by reference to a name, identification number, location or other physical, physiological, genetic, mental, economic, cultural or social identifier. Data subjects hold certain rights under the GDPR, and organizations must make sure that their policies and procedures protect these rights. Data subject rights include:

  • Right to transparency: All data subjects have the right to receive certain information about an organization’s data processing, including, but not limited to, the nature of the organization’s data processing, whether or not the data subject’s data is being processed by the organization and the existence of any data breaches that create a high risk to the data subject’s rights and freedoms.
  • Right to access: All data subjects have the right to confirm whether an organization processes their personal data. If an organization processes a data subject’s data, the organization must honor requests by data subjects to access the data and other detailed information about the organization’s use of the data.
  • Right to rectification: All data subjects have the right to request that an organization rectify any inaccurate personal data or complete any incomplete data.
  • Right to restriction of processing: All data subjects have the right to object to the processing of personal data when the personal data is inaccurate, or the data controller has no lawful basis for processing.
  • Right to erasure: Data subjects have the right to request that an organization erase their personal data when the data is no longer necessary for the purposes it was collected for, when the data subject withdraws consent or when the data subject objects to data processing. If an organization has already made the data public, it must take reasonable steps to inform anyone currently processing the data of the erasure request.
  • Right to data portability: Data subjects have the right to request a copy of all personal data if their data is processed subject to their consent or a contract, and the processing is carried out by automated means.

Appoint a data protection officer.
An organization must appoint a data protection officer if its “core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.” (We are still awaiting guidance from the EU regarding what exactly falls within this category.) A data protection officer must act independently and report directly to the organization’s highest level of management.

Review contracts with third parties.
If an organization uses a third party to process the data, the third party must accept, by contract, specific obligations related to the GDPR.
 
Protect data by design.
Organizations must institute “data protection by design.” In other words, they must design data security measures into systems and processes that coincide with the risk of data breach and the resulting harm to data subjects. This “data protection by design” approach must be extended to any and all existing systems within three years.
 
Comply with documentation requirements.
An organization must maintain records of all processing operations in a way that demonstrates its compliance with the detailed requirements of the GDPR. Organizations must document and enforce internal data protection policies and procedures. These policies and procedures may be requested in the event of litigation. Also, organizations must document any data breaches and subsequent investigations.
 
Next Steps

To help ensure compliance with the GDPR, companies should inventory or “map” the personal data of individuals in the EU that they collect, store or process, and identify why it is collected and how they use it. They should also ensure that data protection is built into existing systems and processes – and embedded into all new systems and processes going forward.

Beyond the technology, companies should check that privacy policies and procedures are transparent, easily accessible and compliant. They should establish a framework for accountability by making sure that policies are clear and create a culture of monitoring, reviewing and assessing data processing procedures. They should have clear policies and procedures for handling a data breach, as well. They should train staff to ensure that people understand their obligations under the Regulation. And if they have any questions, they should consult an attorney who can help them navigate the intricacies of the GDPR.


Devin Chwastyk, CIPP/US, leads the Privacy & Data Security group at McNees, advising businesses on privacy policies and practices and helping entities victimized by data breaches in meeting their obligations under state, federal, and international laws. Reach him at dchwastyk@mcneeslaw.com.

Sarah Dotzel is an associate in the Privacy and Data Security group at McNees. Reach her at sdotzel@mcneeslaw.com.