After years of anticipation and preparations, the European Union’s (EU) new data protection regime will take effect on May 25, 2018. The General Data Protection Regulation (GDPR) applies to companies located in both EU member and non-member countries that collect consumer data about EU citizens.
While European privacy laws have long been more protective for citizens than the comparable laws in the United States, the GDPR is taking privacy protection in the EU to another level. Under the GDPR, companies will need to protect EU citizens’ IP addresses, cookie data, and other similar types of information with the same standards they use to protect names, addresses, and social security numbers. The GDPR will apply to more businesses in EU member and non-member countries as well (including the United States), and small businesses that target European consumers will need to comply with the GDPR in order to avoid potential liability.
What is the GDPR?
The GDPR is a new data protection law that was adopted by the Council of the European Union and the European Parliament in January 2016. It replaces the EU’s current data protection regime under the Data Protection Directive 95/46/EC enacted in 1995; and as mentioned previously, it takes effect on May 25, 2018. The GDPR is designed to protect EU citizens’ data in the online environment; and, with the global nature of today’s marketplace, it establishes compliance obligations not only for companies located in the EU, but also for foreign companies that target EU consumers.
How is the GDPR Different from the Outgoing Data Protection Directive and from US Privacy Laws?
The GDPR represents a sea of change from the already-strict data protection requirements in the EU. And it stands in stark contrast to the piecemeal state-by-state data protection standards that apply to domestic companies collecting data about US consumers. While the differences between current standards and the impending GDPR regime are far too extensive to list, the major changes can be broken down into three categories: (i) the impact for small businesses, (ii) the scope of companies that are subject to regulation, and (iii) the penalties for non-compliance with the GDPR.
1. The GDPR’s Impact for Small Businesses
The GDPR applies to all companies that process EU residents’ “personal data.” While other laws with comparable compliance burdens have typically targeted companies with large consumer bases (and, presumably, with the financial resources to implement comprehensive compliance programs), the GDPR does not contain a comparable limitation. As a result, small businesses inside and outside of the EU must be prepared to comply, even if they were not concerned with compliance under the soon-to-expire Data Protection Directive.
Under the GDPR, “personal data” includes, “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” This means that small businesses will need to protect information such as:
- Names
- Identification numbers
- Location data
- Online identifiers
- Genetic and biometric data
- Certain pseudonymised data
2. The Scope of Companies Subject to GDPR Regulation
The GDPR applies to both “controllers” and “processors” of EU consumers’ personal data. A “controller” is any company that determines the purpose for using personal data and the means by which such data is used or consumed. A “processor” is any company that performs data-related tasks (such as processing or storage) on behalf of a controller.
Critically, controllers cannot simply outsource their GDPR compliance obligations to third-party processors. As summarized in the United Kingdom ICO’s Guide to the General Data Protection Regulation (GDPR):
“If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”
3. The Penalties for Non-Compliance with the GDPR
Small businesses that fail to meet the data protection standards of the GDPR can face substantial penalties. Serious violations, such as failing to obtain an EU resident’s consent prior to processing personal data, carry a penalty of up to the greater of €20 million (currently, approximately $23.8 million) or four percent of the violator’s annual global revenue. Lesser violations, such as inadequate recordkeeping, carry penalties of two percent of annual global revenue – and these penalties apply equally to controllers and processors.
How Can US Small Businesses Comply with the GDPR?
Small businesses that collect personal data about EU citizens need to start preparing for the GDPR now, if they haven’t already. While a GDPR compliance program must be exhaustive and tailored to the specific online activities and types of personal data that a small business collects, generally speaking, a GDPR compliance program should include:
- Consent: Going forward under the GDPR, companies will need to use “meaningful” methods to obtain consent prior to collecting or processing EU consumers’ personal data. Generic Terms of Use will no longer be sufficient. EU consumers must also have a clear option to withdraw their consent and have their personal data erased.
- Record-Keeping: Small businesses must have a way to record EU consumers’ consent (i.e., in a website submission form) and consent withdrawals. Records documenting the types of personal data stored and the means used to ensure adequate privacy protection should be kept as well.
- Privacy Policy: Small businesses will need to revise their Privacy Policies to reflect the GDPR’s new compliance standards. An outdated Privacy Policy is likely to be one of the first signs EU authorities look for when determining whether to impose penalties for non-compliance.
- Data Breach Notification Protocols: In the event of a data breach, small businesses will need to have breach notification protocols in place to provide the requisite notice to affected EU consumers.
- Designation of a Data Protection Officer (DPO): For companies whose businesses primarily involve processing and storage of personal data, designation of a Data Protection Officer (DPO) will be mandatory. For other companies, appointing a DPO may be an effective way to help ensure and demonstrate compliance with the GDPR. For companies required to appoint a DPO:
- The DPO must have expert knowledge on data protection law and best practices.
- The DPO must be provided with adequate resources to serve his or her function.
- The DPO must avoid conflicts of interest and report directly to senior management.
- The DPO’s contact information must be disclosed to the appropriate data protection agency.
- Impact Assessment: In order to determine the scope of their compliance obligations, small businesses should conduct an internal impact assessment based on a clear understanding of the GDPR rules and regulations that apply. This assessment should be conducted with the help of an experienced outside professional who can provide independent advice regarding the company’s GDPR compliance burden.
Speak with an Attorney at Jiah Kim & Associates
If you need to get your small business ready for the GDPR, or if you are not sure if you need to comply with the GDPR and would like to find out, we encourage you to contact us for a confidential consultation. To schedule an appointment with an attorney at Jiah Kim & Associates, please call (646) 389-5065 or get on our calendar today.
This blog post is written for educational and general information purposes only, and does not constitute specific legal advice. You understand that there is no attorney-client relationship between you and the blog publisher. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.