The European Union (EU) Parliament’s new data privacy law, known as the General Data Protection Regulation (GDPR), is set to become enforceable in all EU member states on May 25, 2018, just six months from now. The GDPR replaces the former Data Protection Directive.
Among other things, the GDPR provides new clarity about the applicability of its regulations to U.S. companies without data processing establishments in the EU. Under the old Directive, it was ambiguous as to whether U.S. companies without a physical presence in Europe were subject to its requirements. That ambiguity has been removed. The new Regulation states that, regardless of the location of a data processing establishment, the GDPR applies to all companies processing personal data of EU residents.
This expansion of jurisdiction is arguably the biggest change to the EU privacy laws. And it is of utmost importance for U.S. companies conducting business in the EU to understand and comply with the GDPR because violations come with heavy penalties.
Here are some of the GDPR’s key provisions:
- Penalties – penalties can be as high as 4 percent of annual global turnover or €20 Million, whichever is greater.
- Consent – requests for consent must be simple and easy to read, and must state the purpose of the data processing.
- Withdraw – withdrawing consent must be as easy as providing consent.
- Breach notification – notification must be made within 72 hours of first awareness of an incident in all EU member states where the breach is likely to “result in a risk for the rights and freedoms of individuals.”
- Right of access – rights are expanded: data subjects can request confirmation as to whether their personal data is being processed, where, and for what purpose. When requested, an electronic copy of the personal data shall be provided to the data subject, free of charge.
- Right to be forgotten – the right to be forgotten allows the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
- Data Portability – this new concept allows a data subject to request a data controller to transmit his/her data to another controller.
- Privacy by Design – requires that data protection be built in from the outset of system design, rather than added afterwards.
- Data Protection Officer – controllers and processors whose core activities include regular and systematic monitoring of data subjects must appoint a data protection officer.
Again, the scope of the GDPR extends to all companies that process the personal data of any EU residents, even if your company does not have a physical presence in Europe, so keep the above concepts in mind as we head into the new year.