American companies that do business in the European Union (EU) have until May 25 to come into compliance with the EU’s new General Data Protection Regulation (GDPR).
The purpose of the GDPR is to protect EU citizens’ privacy in their dealings with businesses around the world, especially those that are capturing and using EU citizens’ personal data. The 28 countries currently in the EU are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (UK). The UK has begun the two-year “Brexit” process of leaving the EU.
In the past, the EU focused its data protection laws on organizations that have physical operations in the EU and those it classifies as “data controllers” (i.e., organizations that determine the purpose and means of processing personal data and make decisions about that data processing). Only data controllers were subject to prior EU data regulation and oversight. But as the economy has become more globalized, political officials in EU member nations expressed concern about the likelihood that their citizens’ personal data was being exploited without their knowledge or approval.
The GDPR expands the organizations subject to regulation to include “data processors,” defined as entities that handle personal data and follow the instructions of data controllers. The GDPR requires companies to offer enhanced data protection to EU citizens through numerous means, including undertaking increased security measures, appointing data privacy officers, and keeping records of data processing activities.
A business subject to the GDPR must be able to document its corporate compliance efforts and its commitment to data privacy and security. It also must be able to establish that in the event of a data breach, it can meet its obligations for notifying anyone whose data was affected. Significantly, the GDPR expands the businesses governed by EU law to include those that offer goods and services to EU member countries but don’t have operations in the EU.
To maximize data privacy protection for EU citizens, the GDPR includes seven governing principles for covered businesses’ collection and use of personal data:
(1) Lawfulness, fairness, and transparency;
(2) Data collection for only a stated limited purpose;
(3) Minimization of data collected to what is relevant and necessary to fulfill the limited purpose of collection;
(4) Accuracy in data collection, including the means for correcting any errors in the data collection process;
(5) Limits on storage to accomplish the limited purpose of collection, but keep the data no longer than necessary for that purpose;
(6) Integrity and confidentiality of storage to minimize the possibility of data loss or compromise; and
(7) Accountability to show compliance with the other six principles.
With respect to accountability, the GDPR requires an affected business to implement data protection measures into its corporate policies and procedures as well as infuse its corporate structure with a culture of compliance. In the event of an investigation by an EU supervisory authority, businesses subject to the GDPR will need to show not only that they have comprehensive data privacy policies and procedures in place but also that they follow their policies and procedures in order to maximize their compliance efforts.
The expansion of data privacy protections in the EU greatly increases the likelihood that American businesses will be subject to EU regulation, investigation, and enforcement. Once it takes effect, it will allow private citizens to bring complaints and set off investigations into whether their rights to data privacy were violated. Moreover, supervisory authorities will be able to levy substantial fines—$25 million or more—on organizations that violate the GDPR.
For more information on the GDPR, see the July 2017 issue of West Virginia Employment Law Letter.