The impact will be significant and yes, U.S. businesses will be impacted.
GDPR will impact any U.S. company that has a web presence and markets its goods or services to European markets. A recent study by the International Association of Privacy Professionals (IAPP) estimated that the Fortune Global 500 will spend roughly €7.8 billion to implement GDPR. IAPP also estimates that the GDPR’s global reach will require the hiring of at least 75,000 data protection officers worldwide.
What is GDPR?
The European Union’s (EU) General Data Protection Regulation (GDPR) concerning the collection, processing, and transfer of personal data repeals and replaces the EU’s 1995 Directive 95/46/EC (“The Directive”).
What is the Purpose?
The GDPR harmonizes data privacy laws across the EU, grants greater privacy rights and protections to EU data subjects (i.e. individuals located in the EU, regardless of citizenship), imposes new obligations on data controllers and processors, and levies potentially severe penalties for non-compliance.
When Does it Go Into Effect?
The GDPR goes into effect and becomes enforceable on May 25, 2018. The United Kingdom’s (UK) decision to leave the EU will not affect the commencement of the GDPR in the UK.
Who Will be Impacted by GDPR?
The GDPR applies to any organization (EU or non-EU) processing the personal data of individuals located in the EU, where that processing relates to offering goods or services to those individuals or to monitoring their behavior within the EU (Art. 3). It is the data subject’s location, not citizenship, that triggers the regulation. The GDPR addresses the collection and processing of personal data of data subjects (i.e. individuals) and applies to data controllers (i.e. the entity that collects personal data and decides how and why personal data is processed) and data processors (i.e. the entity that processes personal data at the direction of the controller) of that information. The GDPR does not apply to processing by competent authorities for law enforcement purposes, to matters of national security, or to processing by individuals in the course of a purely personal or household activity.
Personal Data: any information relating to an identified or identifiable natural person (i.e. ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation is prohibited unless one of the specific exceptions in Art. 9, sec. 2 applies (e.g. explicit consent).
How Will GDPR Be Implemented?
Three Critical Areas for Consideration:
1. Lawful Processing – under the GDPR, a lawful basis must be identified before the processing of personal data. The lawful bases are explicitly listed in the GDPR, Art. 6, sec. 1, (a) – (f):
a. Consent of the Data Subject
b. Performance of a Contract
c. Compliance with a Legal Obligation
d. Protection of the Vital Interests of the Data Subject or another Natural Person
e. Performance of a Task Carried Out in the Public Interest or in the Exercise of Official Authority Vested in the Data Controller
f. Legitimate Interests of the Controller or a Third Party, unless overridden by the interests, fundamental rights, or freedoms of the Data Subject
2. Consent – where consent is the basis for processing, consent must be informed and unambiguous, specific, and freely given. Consent must be a positive, opt in form of affirmative action. Consent must be verifiable.
3. Personal Data of Minors – the GDPR contains enhanced provisions related to the protection of the personal data of minors (Art. 8). Where consent is the basis for processing in relation to an online service offered directly to a child, the consent of the holder of parental responsibility must be obtained. The default age of consent is 16; Member States may lower it, but not below 13. Parental consent is not required for processing of personal data related to preventative or counseling services offered directly to a minor.
The European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, applies to any organization (EU or non-EU) processing the personal data of individuals located in the EU. The GDPR has specific requirements regarding the transfer of personal data out of the EU (Chapter V). One of those requirements is that, absent another transfer mechanism such as standard contractual clauses or binding corporate rules, the transfer may only be made to countries the European Commission has deemed to provide an adequate level of data protection. The U.S. as a whole is not on the Commission’s list of countries that meet this requirement.
The Privacy Shield is designed to create a program whereby participating companies that self-certify to its principles are deemed to provide adequate protection, thereby facilitating the transfer of personal data out of the EU and into the U.S. In short, Privacy Shield allows U.S. companies, or EU companies working with U.S. companies, to meet the “adequate data protection” requirement of the GDPR for transfers to certified organizations. Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (Schrems II, C-311/18), so it can no longer be relied upon as a transfer mechanism.