After years of preparation and debate, On May 25th 2018, the European Union’s General Data Protection Regulation (“EU GDPR” or “GDPR”) will go into effect and be fully enforceable.
The law’s primary objective is to protect all EU citizens’ data and privacy, as well as promoting standardization of responsibilities of in scope data controllers and processors. The regulation does not seek to impede the free movement of information in an effort to not adversely affect the EU economy.
The EU GDPR replaces Data Protection Directive 95/46/EC. Prior to GDPR, each EU member state controlled implementation and enforcement of data protection laws. Key changes from the Directive include an increase to the territorial scope and the strengthening of the data subject’s rights.
The EU’s authoritative bodies designed and passed GDPR in an effort to harmonize enforcement across the union. Due to the GDPR’s status as a regulation, as opposed to a directive, member states no longer individually decide how to implement and enforce the law. Alternatively, the Regulation explicitly states how it must be implemented and enforced.
Scope
Major changes from the Directive to the GDPR, include an increase in the territorial scope of the law. In terms of material scope, the Regulation applies to:
‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
This means the regulation applies to any processing of personal data of EU citizens, whether in an automated or manual fashion. By personal data, the law means any information relating to an identified or identifiable natural person. This data includes, but is not limited to:
- Names
- Identification numbers
- Location data
- Online identifiers, such as an IP address
- Physical, physiological, genetic, mental or any other health information
- Economic, cultural or the social identity of the natural person
The old Directive was only applicable to persons or entities located within the EU. However, one of the major changes of the GDPR is that the Regulation now applies to any person or entity that processes EU citizen data, regardless of the location of the person or entity.
The Regulation applies to entities outside of the Union if the processing of personal data is related to one of the following options:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
If you, or your organization, are responsible for either the offering of goods and services or the monitoring of the behavior of EU citizens that involves the processing of their personal data, your organization will be subject to this Regulation.
Data Processing Principles
The Regulation requires that all processing of covered personal data follow established principles including:
- Lawfulness, fairness and transparency– the data is collected and processed only when the data subject has given appropriate consent, it is necessary for the performance of a contract, is necessary for compliance with a legal obligation, or is vital to protect the interests of the data subject or the public
- Purpose limitation– the information is collected solely for the purpose established and agreed upon by all parties
- Data minimization– limited to what is necessary to complete the agreed upon processing
- Accuracy– the data is ensured to be accurate, and where necessary, kept up to date
- Storage limitation– the data is kept no longer than what is necessary for the purpose for which the personal data is being processed
- Integrity and confidentiality– the data is processed in a manner that ensures appropriate security of the personal data
GDPR’s Impact on US Businesses
Under GDPR, organizations are accountable for reporting their covered processing activities to the applicable authorities, as well as being able to demonstrate their compliance with the Regulation. To be GDPR compliant, organizations must provide evidence of:
- Data protection by design and by default
- The creation and maintenance of a record of processing activities
- Security of the processing
- Data protection impact assessments and prior consultation
- The establishment of a data protection officer
- Codes of conduct and certification
GDPR’s Severe Fines and Penalties for Non-compliance
So why is this important to US Businesses?
Outside of the desire to keep one’s customer’s personal data safe and private, US Businesses who are not compliant with this Regulation may face significant penalties: administrative fines up to 20 million Euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Freed Maxick Can Help You Become GDPR Compliant
Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weak areas in your current processes, and advise you on the most effective and efficient ways to achieve and maintain compliance.
For a complementary review of your organization’s situation and assessment of how to become GDPR compliant, please contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn.
