How could a regulation enacted in the European Union (EU) have anything to do with businesses in the US? Read on to learn how the General Data Protection Regulation (GDPR) is broad enough to reach even small U.S. businesses that have customers in, or market their products or services to, people in the EU. Violating the GDPR carries hefty fines that are intended to be “effective, proportionate and dissuasive,” and the EU is serious about enforcing it. U.S. business owners need to understand the GDPR and the risks of failing to comply with it.
The GDPR embodies the philosophy of data stewardship: businesses are caretakers of other people’s data and have an obligation to handle that data responsibly. U.S. businesses that embrace data stewardship, going beyond the minimum needed to comply, can turn their GDPR efforts into a marketplace differentiator that matters to consumers.
This article focuses on businesses that deal directly with consumers. Businesses that deal only with other businesses also have many obligations under the GDPR. The GDPR applies to all entities, including nonprofits and non-governmental organizations, that come into contact with personal data from EU residents.
What is the GDPR?
The European Union General Data Protection Regulation provides the most extensive personal data protections in the world. The U.S. protects personal information sector by sector, for example in health care and financial services, but does not protect it across the board. In the EU, people have a fundamental right to protection when their personal data is processed. “Processing” includes any operation performed on personal data, such as collection, recording, organizing, structuring, storing, adapting, retrieving, disclosing and erasing; the definition is broad enough to cover essentially any use or possession of personal data. The GDPR generally applies to the processing of personal data of people in the EU, with limited exceptions.
Let’s take a minute to discuss what personal information is. Many Washington State business owners may be familiar with Washington State’s definition of personal information in the data breach context: An individual’s first name or first initial and last name, in combination with a Social Security number, a driver’s license or Washington identification card number or an account, credit or debit card number plus information that would permit access to an individual’s account.
The GDPR speaks in terms of “personal data,” not “personal information,” a distinction without a difference for the purposes of this article. The GDPR defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Clearly, the EU definition of personal data is much broader than the Washington State definition of personal information. A single identifier is enough under the GDPR, and a name is not required for data to count as personal data. Information that is not personal information in the U.S. can be personal data in the EU: the GDPR’s recitals name IP addresses and cookie identifiers as online identifiers that can make a person identifiable, so ordinary web server logs and analytics data can fall within its scope. U.S. business owners should understand how the GDPR defines personal data so that they can determine whether they are collecting personal data from people in the EU.
The GDPR takes a risk-based approach to protecting personal data. “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.” Businesses are required to identify risks related to processing personal data and to take appropriate actions to mitigate those risks.
Which businesses must comply with the GDPR?
The GDPR applies to U.S. businesses that either 1) offer goods and services to people residing in the EU, regardless of whether a payment is required or 2) monitor the behavior of people within the EU.
Offering goods and services to people residing in the EU requires more than having a website that can be accessed anywhere in the world. The GDPR applies when a business envisages offering goods or services in one or more EU countries. Other factors considered in determining whether the GDPR applies are making the website available in languages spoken in the EU, making the goods or services available in currencies used in the EU and mentioning other EU customers on the business’ website.
Monitoring the behavior of people within the EU includes tracking them on the Internet. Even if your business does not offer goods or services to people residing in the EU, if it tracks the online activity of people in the EU (for example, through cookies or analytics that follow individuals across visits), the GDPR likely applies to your business. If that tracking includes profiling an individual so that decisions or predictions can be made about that person, the GDPR is even more likely to apply.
What does the GDPR Require Businesses to Do When Processing Personal Data?
This section describes some of the GDPR’s major requirements, but does not include an exhaustive list.
The GDPR requires businesses to comply with personal data processing principles.
- Lawful, fair and transparent processing;
- Purpose limitation. Data collected for one purpose cannot be further processed for an incompatible purpose;
- Data minimization. Data collected shall be adequate, relevant and limited to what is necessary for the processing purpose;
- Accuracy. Data shall be accurate and kept up to date;
- Storage limitation. Data shall be kept in a form which permits identification of people for no longer than is necessary for the purposes of the processing; and
- Integrity and confidentiality. Data shall be processed in a manner that ensures appropriate security.
Processing is lawful under the GDPR only when at least one legal basis applies: the individual gives consent; the processing is necessary for the performance of a contract; the business that controls the data has a legal obligation to process it; or processing is necessary to protect the vital interests of the individual or another person. The GDPR also recognizes two further bases, tasks carried out in the public interest and the controller’s legitimate interests, which this article does not discuss.
The GDPR strengthens the consent requirements compared to previous EU law. Consent must be freely given and as easy to withdraw as it is to give. The business must be able to demonstrate that the individual gave consent. A request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language. In practice this rules out pre-checked boxes, consent bundled into general terms and conditions, and consent inferred from silence or inactivity.
The GDPR enumerates individuals’ rights in the categories shown below. These rights place corresponding obligations on businesses in processing individuals’ personal data:
- Transparent information, communication and modalities for the exercise of the rights of the data subject. Requires concise, transparent, intelligible and easily accessible communications to be made to individuals regarding data processing.
- Information to be provided where personal data are collected from the data subject. A business must provide an individual with certain information when the information is obtained from the individual.
- Information to be provided where personal data have not been obtained from the data subject. A business must provide an individual with information on personal data processing even when the business did not collect the information directly from the individual.
- Right of access by the data subject. An individual has the right to obtain from a business confirmation of whether personal data concerning that individual is being processed, and, if so, access to the personal data, the purposes of the processing and other information about the processing.
- Right to rectification. An individual has the right to get the business to correct inaccurate personal data.
- Right to erasure (‘right to be forgotten’). An individual has the right to get the business to erase personal data about her.
- Right to restriction of processing. An individual has the right to get the business to restrict processing of data about her.
- Notification obligation regarding rectification or erasure of personal data or restriction of processing. A business must communicate to the individual that the business has corrected, erased or restricted the data processing according to the individual’s exercise of her rights.
- Right to data portability. An individual has the right to receive her personal data in a commonly used, machine-readable format and has the right to transmit that data to another business.
- Right to object. An individual has the right to object to processing data about her.
- Automated individual decision-making, including profiling. An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning her or similarly significantly affects her.
The rights of individuals to the protection of their personal data are not absolute, but must be balanced against other fundamental rights. Fundamental rights include the respect for private and family life, home and communications; the protection of personal data; freedom of thought, conscience and religion; freedom of expression and information; freedom to conduct a business; the right to an effective remedy and to a fair trial; and cultural, religious and linguistic diversity.
The GDPR requires businesses to keep extensive records of their personal data processing activities. Businesses employing fewer than 250 persons are relieved of this obligation in many instances, but not where the processing is more than occasional, is likely to result in a risk to individuals’ rights, or involves special categories of data such as health or criminal-conviction data. Every business must still keep sufficient records to fulfill its obligations under the rights listed above. For example, all businesses are required to respond to individuals’ requests to correct or erase their data or to move their data to another business, and must be able to locate that data to do so.
Other GDPR requirements include data protection by design and by default, secure data processing, data protection impact assessments for high-risk processing, and notification of the supervisory authority within 72 hours of becoming aware of a personal data breach (and notification of the affected individuals without undue delay when the breach is likely to result in a high risk to them).
What are the Penalties for Failing to Comply with the GDPR?
The GDPR enables supervisory authorities in the EU to impose administrative fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover (gross revenue) for the preceding financial year, whichever is higher, for the most serious violations, such as breaching the processing principles, the consent requirements or individuals’ rights. A lower tier of up to 10,000,000 EUR or 2% of worldwide annual turnover applies to other violations, such as failing to keep records, to secure processing or to notify a breach. The GDPR applies from May 25, 2018, and many U.S. companies are scrambling to comply by that date.
While many U.S. companies are scrambling to comply, many business owners remain unaware of the GDPR and unaware that it could apply to their business. Every U.S. business owner should determine whether the GDPR applies to their operations and, if so, make conscious decisions about how to implement its requirements. Businesses that aspire to give consumers more protection than minimum compliance requires may be able to turn their GDPR compliance efforts into value-added programs that matter to consumers.