Happy GDPR Eve! Are You Ready?
Happy GDPR Eve! Tomorrow is the effective date of Europe’s extensive, new and much talked about regulation, the General Data Protection Regulation (GDPR). GDPR is an ambitious regulatory framework that seeks to rebalance the relationship between “data controllers” (in other words, organizations that decide how and why data about people is used) and “data subjects” (essentially, people). The regulation has a very broad extraterritorial reach, applying not only to organizations with a physical presence in the E.U., but also to organizations outside the E.U. that offer goods or services to, or monitor the behavior of, individuals in the E.U.
GDPR is widely misunderstood in the United States. The regulation is sometimes summarized as “an opt-in law;” a law that “establishes the right to be forgotten;” or “Europe’s data breach notification law.” Though there is some truth to these claims, such summaries skip over so much about what GDPR mandates that they serve to confuse rather than elucidate. In truth, GDPR is a complex regulatory framework through which the E.U. seeks to provide protections to individuals over what it sees as their “fundamental right” regarding the processing of personal data, a category of data that is broadly defined to include not only such things as names, dates of birth, and health or financial data, but also information that can be used in combination with other information to trace back to a natural person, such as a username or an IP address. The regulation also provides special protections to children’s data and to data about particularly sensitive matters (such as genetic or health data, race, religion, ethnicity, sexual orientation or criminal history).
The regulation mandates that organizations only process personal data if they do so in accordance with one of six set legal bases, which need to be identified in advance. One of these six bases is consent (hence the understanding of the law as an “opt-in” statute), but consent is narrowly defined, requiring that it be freely given, specific, informed and unambiguous, obtained without any kind of coercion or undue inducement, and as easy to withdraw as it was to give, making it hard in some cases to obtain valid consent. Organizations also must provide data subjects with clear details regarding how and why the data is used, for how long it will be kept, and who will have access to it. Data subjects retain certain rights in their data, including (with some restrictions) the right to access, the right to correct, the right to restrict further processing, and the right to erasure. The law also requires that organizations conduct data protection impact assessments before undertaking high-risk processing, incorporate privacy into their product design, minimize the use and dissemination of personal data, execute certain specific contractual agreements with their data processors and sub-processors, avoid exporting the data to countries outside the E.U. (such as the U.S.) unless certain conditions are met, and, in certain circumstances (for example, large-scale monitoring of individuals or large-scale processing of sensitive data), appoint a Data Protection Officer to oversee these efforts. Additionally, the law requires notification of regulators (generally within 72 hours) and, where the breach is likely to pose a high risk to individuals, of the affected individuals if there is a breach of personal data, and provides a means for both civil and regulatory enforcement including fines of up to the greater of 20 million Euros or 4% of an organization’s worldwide annual revenue.
In other words, there is a lot there. Because GDPR has no de minimis exception, U.S. organizations that have any contact with people in Europe need to consider whether GDPR applies to them, and how they should respond to it.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.