The European Union’s new General Data Protection Regulation (GDPR), which takes effect on May 28, 2018, automatically applies to the twenty-eight EU Member states and three EEA (European Economic Area) states.
One of GDPR’s key features, “extraterritorial application,” affects all US companies with personnel in the EU (either permanently or temporarily) or that market goods and services to EU residents.
At a time when many US companies are already implementing extensive, evolving data and network security measures, the GDPR creates a broad overlay of privacy requirements that come with the risk of major fines.
Here are some key points on GDPR:
- “Personal Data” (for GDPR purposes) is any information about a natural person that can be used to identify an EU resident, alone or together with other data.
- Any collection or processing of EU Personal Data must have a legal basis for those activities.
- “Consent” of the data subject can be that legal basis, but the consent must be express, clear, and freely given. In addition, the person providing the consent must be informed about the purpose of the collection and the consent is limited to that purpose. Consent, even if initially given, can always be withdrawn and the data based on such consent must then be deleted. For this reason, companies should avoid relying on consent. Consent must also be “opt-in” rather than “opt-out.”
- All decisions and choices must be fully documented. Data subjects have the right to know what personal data is being held, by whom, and for what purpose, and they must be able to access and transfer their data to another processor.
- GDPR imposes its own breach notification requirements. The US has long complied with these requirements, but the process is brand new for the EU.
- A new e-privacy regulation that governs all web-based communications was intended to be enacted at the same time as GDPR, but that regulation has been delayed by feverish industry lobbying. It will be “consent-based” but also very disruptive to current online practices.
- GDPR is meant to harmonize these rules across all member states. However, for certain subject areas such as employment, each member state can pass a national or local adjustment to the rule, which means that a state-by-state analysis is still often required.
- There must be a legal basis for collecting and processing HR data, but that legal basis does not include the right to transfer that data outside of the EU. Exporting data across borders centers on whether the recipient country can be trusted to apply the same privacy rules as the EU.
- One option for cross-border transfer to processors in the US is the Privacy Shield, a program administered by the US Department of Commerce. Future transfers of EU data to vendors, cloud firms or other third parties must be subject to specific privacy compliance agreements.
In conclusion, the GDPR is adding another layer of complexity and legal risk for US companies. For now, there are far more questions than answers as to how it will be interpreted and applied.
But its reach is broad and pervasive, and it will likely result in voluntary compliance by many companies that engage in international commerce. Why? Because configuring networks and data practices for different legal regimes is more complicated and expensive than imposing a common set of requirements, even if those requirements are as complex as GDPR.
The EU thinks it is changing the rules of the game for all businesses worldwide and, frankly, they may be right.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter to provide an in-depth look on the latest trends and key issues in government contracting. This post was published in the March 2018 Words of Wisdom newsletter.