What the new General Data Protection Regulation means for U.S. businesses

The GDPR introduces the obligation for certain organizations to appoint a Data Protection Officer (DPO). Organizations must appoint a staff member or an external consultant as its DPO.

If you are a marketer with a large consumer database, you will probably need to appoint a DPO; national data protection authorities are expected to provide guidance on who qualifies.

Your DPO will be responsible for monitoring compliance with the GDPR, advising you of your obligations, advising on when and how a privacy impact assessment should be carried out, and be the contact point for enquiries from national data protection authorities and individuals.

The concept of a one-stop shop allows an organization which is established in several EU countries to deal with only one national data protection authority × According to the GDPR, a DPA - supervisory authority is "an independent public authority which is established by a Member State pursuant to Article 51", the one-stop-shop concept means that where a business is established in more than one Member State, it will have a lead authority, determined by the place of its main establishment in the EU (but other local supervisory authorities which are not the lead authority may still have regulatory roles). , although the rules for determining which DPA should take this role, and how they would handle complaints, are complex in some cases.

The GDPR redefines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored otherwise processed”.

This is a broader definition than before and does not take into consideration whether the breach creates harm to the individual. If you suffer a data security breach, you must inform your national data protection authority immediately, or no later than 72 hours after discovering the breach.

However, you are exempted from notifying individuals if you have implemented appropriate technical and organizational measures to protect the personal data, such as encryption.

An important part of complying with the GDPR is privacy by design, i.e. designing each new process or product with privacy requirements front and center. This approach, while previously best practice, is now an explicit requirement.

A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimize non-compliance risks.

The GDPR makes PIAs a formal requirement; specifically, controllers × A controller is a person or body which, solely or collectively, determines the purposes and means of processing personal data. The GDPR defines a controller as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law." must ensure that a PIA has been run, before it begins, on any “high risk” processing activity.

If you operate internationally, your rules and processes for transferring data × The transfer of personal data to countries outside the European Economic Area or to international organizations is subject to various restrictions, which are set out in chapter V of the GDPR. As with the existing directive, data does not need to be physically transported to be transferred, so viewing data hosted in another location amounts to a transfer for GDPR purposes.The GDPR defines cross-border processing as either:
"(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State." to non-EU jurisdictions will be a significant consideration, as the penalties for non-compliance or transfer of data to jurisdictions not recognized (by the European Commission) as having adequate data protection regulation will become much more severe under the GDPR.

Now is the time to start explaining the need for GDPR compliance to your own employees. You may already need to start planning revised procedures to deal with the GDPR’s new transparency and individual rights provisions. This could have significant financial, IT and training implications.

One of the main aims of the GDPR is to bolster the rights of individuals. As a result, the rules for dealing with subject access requests will change, and you will need to update your procedures to reflect this.

In general, you will not be allowed to charge for complying with a request; also, you will typically have only one month to comply (the current limit is 40 days).

The right to be forgotten (‘erasure’ in the terminology of the GDPR) allows individuals to require your data controllers × A controller is a person or body which, solely or collectively, determines the purposes and means of processing personal data. The GDPR defines a controller as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law." to erase their personal data without undue delay in certain situations, for instance where there is a problem with the underlying legality of the processing, or where they withdraw consent.

Third parties with whom you share individuals’ data are also covered by these rules.

The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behavior, location or movement”; however, there is some ambiguity about how data subjects’ right not to be subject to decisions based on profiling will be enforced.

The GDPR introduces a new right to data portability, which goes beyond individuals’ right to require that you provide their data in a commonly used electronic form and requires that the controller provide information in a structured, commonly used and machine-readable form.

There are some limits to this rule, for instance it only applies to personal data processed by automated means.

As part of its aim to bolster the rights of individuals, the European Commission is also granting a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes, including profiling activities for direct marketing purposes.

Once an individual objects, their data must not be processed for direct marketing any further and the individual’s contact details should be added to an in-house suppression file.

Organizations must inform individuals about their right to object to the processing of their data in a way which is explicit and separate from other information which they must also provide to individuals.

You may need to review how you seek, obtain and record consent; a data subject’s consent × The GDPR defines the consent of a data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. to processing of their personal data must be as easy to withdraw as to give, and must also be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

The GDPR grants special protections when it comes to the handling of personal data pertaining to children, particularly in relation to commercial internet services like social networking.

Online, parental prior consent is required for use personal data for anyone under 13 years of age; Member States can set their own rules for those aged 13 to 15. If they choose not to, parental consent is required for children under 16 years of age.

As a result, you should start thinking about how to implement robust systems to verify individuals’ ages and to gather parents’ or guardians’ consent to process such data.

Consent must be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.

The GDPR will probably increase the range of things you have to tell data subjects × A data subject is a natural person, who can be identified, or is identifiable, directly or indirectly. The GDPR defines a data subject as "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". , for instance your legal basis for processing their data, your data retention periods and their right to complain to their national data protection authority if they think there is a problem with the way you are handling their data; note that the GDPR requires this information to be provided in concise, clear language.

The GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. To quote from the regulation:

Article 32 – Security of processing

“1.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller × A controller is a person or body which, solely or collectively, determines the purposes and means of processing personal data.The GDPR defines a controller as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law." and the processor × A data processor is an entity which processes data on behalf of a data controller.
The GDPR defines a processor as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". A controller is a person or body which, solely or collectively, determines the purposes and means of processing personal data. shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data […]”

Article 34 – Communication of a personal data breach to the data subject

“3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) controller × A controller is a person or body which, solely or collectively, determines the purposes and means of processing personal data. The GDPR defines a controller as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law." has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption […]”

You should document what personal data you hold, where it came from and with whom you share it.

If you have inaccurate personal data and have shared this with another organization, the GDPR requires that you tell the other organization about the inaccuracy so that it can correct its own records. To do this may require an information audit across your organization or within particular business areas. This will also help you to comply with the GDPR’s accountability principle.

Under the GDPR, you should examine how you process personal data and identify the legal basis on which you carry out and document these processes.

This is necessary because some individuals’ rights will be modified by the GDPR depending on your legal basis for processing their personal data. One example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. However, consent is just one of a number of different ways of legitimizing processing activity and may not be the best (as it can be withdrawn).