Not Just Europe: New EU Data Protection Regulations Can Affect U.S. Businesses
By: Joseph D. Zarkowski, CPA
While the European Union (EU) just began active enforcement of a sweeping new data privacy regime, that news generated far less visibility in the United States, largely because many people assume that their business or personal interests are not affected by the change. But reliance on that assumption could result in expensive consequences.
The General Data Protection Regulation (GDPR) was approved by the EU Parliament in April after four years of substantive debate and refinements. The goal was three-fold: To unify data privacy regulations across the EU region, to give online users greater control, knowledge and rights regarding the handling of their personal data, and to specify how businesses and other organizations must handle the personal data contained in their systems.1
For U.S.-based business leaders, the actionable element of this new law can be summarized in one clause: The GDPR applies if “your company is established outside the EU but offers goods or services to, or monitors the behavior of, individuals within the EU.”2 If companies are found to be out-of-compliance, the EU can assess a fine of either 20 million euros ($23.3 million) or up to 4 percent of an entity’s annual revenue.3 In fact, on the very first day of GDPR enforcement, data privacy advocacy groups filed a series of complaints against several prominent U.S. based social media companies, including Google, Facebook, and Instagram. If those complaints are upheld, the total fines could exceed $9 billion.4 The GDPR compliance date was May 25, 2018.
Following are some key questions business leaders should consider regarding GDPR regulations, and quick tips on how to assess exposure and risk:
Does your organization possess applicable personal data?
EU regulators define this data as any detail that can be linked to an identified (or identifiable) living person, such as name, address, phone numbers, income, computer IP information, voice records, health records or other relevant personal information disclosed to – or recorded by – an organization. Any “de-identified” information that can still potentially be reconstructed into personally linked data is also fair game for GDPR regulation. However, information made “irreversibly anonymous” is not considered personal data by the EU, and thus falls outside the scope of GDPR rules.5
- Practical tip: In today’s digital marketplace, multinational corporations are not the only entities at high risk of GDPR exposure. For that reason, it’s wise for any midsized or large firm to build a “personal data pool,” in which all identifiable information across the enterprise can be reviewed, sorted and reconciled to its purpose and source. If people residing in the EU are identified in this data pool, then the organization will need to confirm that if the information was gathered under a voluntary or opt-in framework, and that at least one of the following criteria is met:
- That the individual provided consent to use their information for a “specified and legitimate purpose.” This means the organization cannot use any personal information for purposes beyond the consent originally granted.
- That there is a contractual obligation between the organization and individual.
- That there is a legal obligation between the organization and individual.
- That the information is needed to protect vital interests of the individual.
- That the information is needed to carry out tasks in the public interest.
- Finally, that the information is needed for the organization’s legitimate interests (however, if there is any doubt that the person’s rights to privacy outweighs the organization’s interests, then the data cannot be processed or retained).6
Is your organization a personal data controller?
Under the new regulations, a data controller is one that “determines the purposes for which and the means by which personal data is processed.” For example, a data controller could be an organization’s marketing area, which frequently gathers a broad range of personal information from customers, active prospects in contact with salespeople and online inquiries about products or services. This area typically exercises latitude about how that detail is processed or shared.
- Practical tip: Under GDPR, data controllers must be able to show that all personal data is processed “lawfully, fairly and in a transparent manner,” and that the use of the data is limited to “specified, explicit and legitimate purposes.”7 Thus, organizations should develop (or modify) a code of conduct that holds staff and third-parties accountable for meeting these standards and adjust their internal controls to ensure ongoing compliance with these objectives.
Is your organization a personal data processor (or contracting with such a resource)?
A data processor defined by the EU as an entity that “processes personal data on behalf of the controller.”8 To leverage the example above, a marketing department that is a data controller could outsource social media services to a third-party. In that event, the social media firm could be considered a data processor for GDPR purposes.
- Practical tip: While data processors are often a step removed from the initial collection of personal information, that does not exempt them from GDPR rules. In fact, these new regulations mandate that data controllers select processors who agree to specific performance and data privacy guarantees. The EU adds that any contract must include certain mandatory clauses, such as a requirement that the processor will only use personal data within the documented instructions of the controller.9 Noncompliance on these guarantees can subject the data processor to significant fines.
Is your organization ready to accommodate specific privacy requests from individuals?
Under the GDPR regulations, there are three major rights spelled out to help boost individual control over private information. These include:
Right to access and portability. Individuals have the right to access any personal data maintained by an organization. When an individual makes such a request, the entity must confirm whether it is – or is not – processing their personal data, advise them of the purposes for which the information is being processed, and provide a free copy of the data being processed in an easy-to-access form. In addition, any individual has the right under GDPR to request that their personal data be transmitted to another organization without charge.
Right to be forgotten. Under the GDPR, an individual has the right to ask that their personal data be erased from all processing systems. However, an organization can deny that request under certain conditions, such as when processing is necessary to maintain freedom of information or expression, when processing of such information is legally required (or necessary to support a legal claim), or when processing of such information is in the public interest.
Right to correct and object. Any individual who believes that their personal data is inaccurate can request that corrections be made in a timely fashion. Individuals also now have the right to object to the processing of their data, unless the organization can demonstrate a “legitimate interest” in that specific use of the data. On the other hand, if individual objects to the use of personal data for direct marketing purposes, the entity must honor that request and stop processing the information for that purpose.10
- Practical tip: As noted earlier in the article, the creation and review of a personal data pool can go a long way toward identifying an organization’s potential GDPR exposure, while also validating areas of legitimate interest for the use of personal information. As a follow-up step, consider creating internal review and response tools to handle individual requests regarding the use and processing of personal data.
Does your organization need a Data Protection Officer?
In many cases, particularly in data-driven businesses with substantial digital exposure, the answer is “yes.” The International Association of Privacy Professionals estimates that the new GDPR regime will create 75,000 jobs data protection officer (DPO) jobs around the world, with 28,000 in Europe alone.11
European regulators view the DPO as the conduit through which all GDPR-related compliance should flow. In broad terms, the EU says companies that “regularly or systematically” monitor individuals or process special categories via large-scale personal data processing must appoint a DPO. If an organization meets the criteria for appointing a DPO, that person is also responsible for other risk-based GDPR obligations, such as implementing design- and default-based data protection tools, ensuring proper notifications to affected individuals in the event of a data breach, and determining whether the organization needs to conduct a data protection impact assessment.12
- Practical tip: The EU defines large-scale operations as processing entities with over 250 employees or other organizations that use personal data for 5,000 or more subjects in any 12-month period.13
Clearly, there are a lot of U.S.-based businesses that will have minimal exposure to the GDPR. But for large or midsized businesses with defined global operations or smaller companies with known or potential interactions with European consumers, a small investment to determine risk now can eliminate the prospect of much more expensive problems down the road.
1) “2018 Reform of EU Data Protection Rules,” (2018) European Commission
2) “The GDPR: New Opportunities, New Obligations,” (2018) European Commission
3) “Frequently Asked Questions About the Incoming GDPR,” (2018) European Commission
4) Keane, S., “GDPR: “Google and Facebook Face Up to $9.3 Billion in Fines on First Day of New Privacy Law” (May 25, 2018) CNET
5) “The GDPR: New Opportunities, New Obligations,” (2018) European Commission
7) “What is the Difference Between a Controller and a Processor in GDPR?” HIPAA Journal
8) “What is a Data Controller or a Data Processor?” (2018) European Commission
9) “The GDPR: New Opportunities, New Obligations,” (2018) European Commission
11) Rodriguez, S., “Rise of the Data Protection Officer, the Hottest Tech Ticket in Town,” (February 14, 2018) Reuters
12) “The GDPR: New Opportunities, New Obligations,” (2018) European Commission
13) Kaelin, M., “GDPR: A Cheat Sheet,” (May 24, 2018) TechRepublic