Part 1: EU General Data Protection Regulation (GDPR): What It Means for US Companies [Article]

By: Paul L. Kendall, Accudata Systems

What is the GDPR?

In December 2016, the European Commission (EC) gave its final approval of the General Data Protection Regulation (GDPR).[1] GDPR is a massive overhaul of the EU’s 1995 data protection rules (Directive 95/46/EC, the Data Privacy Act). Work on the GDPR started in 2012 as an effort to strengthen online privacy rights and Europe’s digital economy.

The GDPR takes effect in the European Union (EU) on May 25, 2018.  The regulation imposes strict protection requirements over the personal data of all EU citizens.  While governments and companies inside the EU have been preparing, many businesses outside of the EU and particularly in the United States may not be aware of the impact this regulation will have on them.  In short, GDPR applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered, and includes companies with employees in the EU as well as companies that sell or market products or services in the EU and/or partner with EU organizations.

How will this law impact my business?

Several requirements in the GDPR will have a significant impact on many businesses outside the EU. While the GDPR is a European regulation, the terms apply extraterritorially to any entity (“Data Processor” or “Data Controller”) that offers goods or services to residents (“Data Subjects”) of the EU.

Data Subject consent is a fundamental aspect of the new law.  GDPR defines personal data as physical address, email address, IP addresses, age, gender, locations, health information, search queries, items purchased, etc.  Most US companies today capture this data, use it, share it, and sell it under the cover of click-through “privacy policies,” most of which are essentially unintelligible to the average user and rarely, if ever, actually read. Under GDPR, Data Subjects must provide explicit consent for each personal data element collected. Additionally, the Data Subject must also provide explicit consent for each use or transfer of these data elements.  Finally, if a Data Processor/Data Controller’s privacy policy or data sharing agreements change, Data Subjects must consent to the changes before they take effect.

Fortunately, the regulation states that having a commerce-oriented website accessible to EU residents does not, in itself, constitute offering goods or services. Businesses must show intent to offer products and/or services to EU residents as customers. Use of local languages or currency options, for example, would be considered “intent.”

There are other ways a business can become subject to GDPR regulations. Multinational organizations that store or process EU citizen data outside of the EU, US-based payment processors, and other organizations that regularly interact with EU citizens should all be compliant.

What are the requirements?

In general, US companies should consider the following major areas for compliance:

  • Data Subjects must be informed in unambiguous terms that their information is being collected and/or processed, and the specific use. If information will be used for multiple purposes, e.g., marketing or data analytics purposes and order processing, the Data Subject must be informed of each and every purpose. Consent must be given explicitly for each purpose, and the language of the consent must be clear, concise, and presented in an easy-to-read/understand format.
  • Data Controllers (businesses) are limited in the length of time in which they can keep an individual’s data. The data must be erased or reviewed at the end of this time period.
  • The identity of the Data Controller or Processor must be readily available and unambiguously shown. Risks, rules, safeguards, and rights in relation to the processing of personal data must be fully disclosed. The process for a Data Subject to exercise his or her rights in relation to the processing must also be clearly shown.
  • Data Controllers must provide a means for Data Subjects to request access to their data, rectification, erasure, and the right to withdraw consent for the data’s use.
  • Furthermore, Data Subjects have the right to withdraw their consent for processing and have their data erased and no longer processed.
  • The Data Subject should be informed about the existence of profiling and the consequences of such profiling.
  • Data Controllers (merchant or other business entity) using a Data Processor (a payment processor, cloud services provider, or other entity) to process data on the Controller’s behalf must ensure the Processor meets all of the GDPR requirements.
  • Data Controllers are required to notify Data Subjects within 72 hours of a data breach involving data that is not encrypted.
  • Any data that is transferred outside the EU for processing (such as putting data into a cloud application) is subject to all of the regulations of the GDPR.

Specific purpose, minimizing data collection, and limitations on storage are key components of the GDPR.  Data collection should include only the data required to perform the task for which it is being collected. Data that is collected can only be used for the purpose for which it was collected; other uses require explicit consent from the Data Subject. Data may be stored only for as long as is necessary to perform the task for which it was collected (there are exceptions for health and safety, as well as national security reasons). Finally, organizations that collect data must allow users to take their data with them or delete it entirely, if requested.  In summary, Data Collectors and Data Processors must understand that users “opt-in” rather than “opt-out” of data collection programs.

How is compliance managed?

Businesses must pay careful attention to the reporting and compliance aspects of GDPR.

Within each EU member state, the GDPR establishes the position of Supervisory Authority, a government official responsible for overseeing the implementation and enforcement of the regulation.  When organizations detect a breach of EU citizens’ personal data, they are required to report it to the Supervisory Authority in each affected Member State within 72 hours.  The use of encryption on Personally Identifiable Information (PII) can be considered a mitigating factor in data breaches, and may eliminate the need for disclosure to Data Subjects.

The GDPR considers each offense as a separate case for fines. If a company suffers a breach due to non-compliance, and fails to report it within the 72 hour limit, this is considered as two finable offenses. With fines per offense running €20MM/4% of global revenue, the total can add up to a sizable fine quickly.

In Summary

Unlike some regulations that allow a grace period once the compliance deadline has passed, GDPR implementation must be in place and operational by May 25, 2018. Businesses with European operations or that do business with EU citizens will need to:

  • Identify a Data Protection Officer (DPO) for the company and ensure the independence of their role within the organization
  • Inventory all data
  • Conduct Data Privacy Impact Assessments
  • Encrypt PII data at rest and in transit
  • Modify privacy policies, data collection processes, and data handling procedures
  • Develop rapid data breach notification processes
  • Change their customer-facing portals so that users can provide consent to data usage
  • Make the language of the consent form easy to understand and in a commonly-acceptable format
  • Reduce or eliminate storage of PII in systems
  • Apply for EU Commission approved transfer adequacy programs, e.g., EU-US Privacy Shield

US companies that conduct business with EU citizens should quickly complete a Data Protection Impact Assessment (DPIA) on an enterprise-wide basis. A Data Protection Officer (DPO) position that will be responsible for the company’s compliance with GDPR should be created and staffed. A DPO’s primary responsibility is to protect the data privacy of the business’ customers (or any Data Subjects whose data is used by the company). He or she must be independent from the normal leadership function of advancing the interests of the company, and instead focus on and be able to enforce GDPR privacy and security requirements to ensure GDPR compliance. The position should report to the CEO and the Board of Directors to ensure it has sufficient authority to institute process changes in order to achieve and maintain GDPR compliance.

GDPR represents a significant step in ensuring EU citizens’ privacy. It addresses many of the concerns the increasing deployment and use of data collection techniques poses on a society. However, fines for violations can be significant. GDPR regulators are already hinting that they intend to be more aggressive in enforcing GDPR than they have been about other past regulations.  It is important your organization is ready and compliant on or before May 25, 2018.

[1] “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).” Interinstitutional File: 2012/0011 (COD). Brussels, 11 June 2015. Retrieved February 6, 2017.


Additional Resources:

Part 2: Cloud Processor Responsibilities Under GDPR

Part 3: GDPR and the Future of the EU-US Privacy Shield