Get on Board with EU Data Regulation
The European Union’s General Data Protection Regulation, which came into force last year, is the most significant development in data protection law in the past 20 years.
The regulation also applies to organizations located outside the European Union if they offer goods or services to, or monitor the behavior of, EU citizens. A U.S.-based business that markets to businesses and/or individuals in Europe and collects personally identifiable information, including demographic data, via its website must comply.
The regulation, also known as the GDPR, applies to both “controllers” and “processors.” Controllers are organizations that make decisions regarding personal data, while processors are third parties that process personal data for and on the instructions of controllers. If a U.S.-based business with employees located in the EU uses a third-party human resources information system to process HR and compensation transactions, the U.S. employer is the data controller, while the system vendor/operator is the processor.
Personal data includes not only names, addresses and images but also data about health, ethnicity, religious and political beliefs, as well as biometric and genetic data. In many cases, businesses that use personal data are required to obtain explicit consent from data subjects to do so.
There are also increased requirements as to what information must be provided to individuals via a privacy notice before processing their data. Such notices must be in plain language and prominent.
Individuals have enhanced data subject rights including the right to be forgotten — also known as the right of erasure — rights of access, rights to understand profiling by controllers and processors, rights of rectification and the right of portability.
Data processing agreements between controllers and processors are required to contain extensive mandatory data protection clauses such as the controller’s right to audit its processors, and obligations on processors to assist with subject access requests and data incidents.
If controllers or processors outside the EU are subject to the regulation, they will likely have to designate in writing a representative who must be established in an EU member state where the data subjects are located. When processing of EU citizens’ personal data takes place in several member states, the representative will need to be appointed in the member state where most of these citizens are located.
The role of the representatives is to sit between the controller or processor and the relevant supervisory authority and/or data subjects, and respond to investigations or communications from those parties.
Multinationals benefit from a one-stop shop, whereby the data protection authority in the EU member state where the controller or processor has its main establishment will be the lead authority in relation to data processing undertaken by that controller or processor and any related reporting or investigations.
Codes of conduct and certifications will be developed to assist controllers and processors to demonstrate their compliance with the regulation.
The GDPR mandates data protection by default, or “privacy by design,” as a process that must be implemented so that, when new technology is used, the controller ensures that protection of individuals’ data rights is embedded into the design rather than retrofitted afterwards. The controller needs to have regard to the state of the art and the costs of implementation, and take into account the nature, scope, context and purposes of the processing when implementing these privacy standards. As technology continues to outstrip the law, controllers will need to ensure that privacy by default is embedded into procurement processes and technology contracts.
Organizations whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale or special information categories are required to appoint a data protection officer. The officer will need to be an expert and have sufficient resources to perform a compliance and governance role.
Organizations are required to maintain a record of all their data processing activities, which must be made available for inspection in the event of an investigation.
Data breaches which are significant and may pose a risk to individuals must be notified to the lead data protection authority within 72 hours and to affected individuals without undue delay.
Fines of up to four percent of annual worldwide revenues for the preceding year or €20 million — whichever is greater — may be imposed for major noncompliance.
Additionally, organizations need to develop a data protection impact assessment, put in place procedures to manage their use of processors and consider cybersecurity insurance. They should also review their international data transfer solutions, and implement and update policies, procedures and training.
If a contractor suspects that it needs to comply with the new regulation, putting in place a plan is a good risk management approach.
Robert Bond is a partner in the law firm of Bristows LLP and a certified compliance and ethics professional. He can be reached at firstname.lastname@example.org.