With less than one year until the May 25, 2018 deadline for compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), affected companies should already be preparing. The GDPR was passed into EU law in 2016 to increase data privacy protections for EU residents and provides a uniform, consolidated framework for business usage of personal data across the EU. The GDPR replaces the existing data protection framework under the earlier EU Data Protection Directive. Of critical note for most readers of this alert, the GDPR applies not only to companies within the EU, but also those companies located outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects, i.e., persons physically residing in the EU (even if they are not EU citizens). Thus, the GDPR applies to all companies processing and holding personal data of EU residents regardless of the company's location.
The GDPR contains 91 articles, many of which will require action by affected companies to ensure compliance. The articles that will likely have the most impact include:
- Articles 12/14. Mandate clear notice to data subjects of the purpose for which data is being collected and restrict use of data solely to the manner indicated to data subjects;
- Articles 15/21. Give data subjects more control over personal data that is processed automatically through the right to portability and right to erasure (right to be forgotten);
- Articles 23/30. Require companies to implement reasonable data protection measures to protect the personal data and privacy of data subjects against loss/exposure;
- Article 28. Provides a list of requirements (some previously contained in the EU Data Protection Directive and some new) to include in contracts with vendors and other third parties that process personal data of EU data subjects;
- Articles 33/34. Require data breach notification to the supervisory authority within 72 hours of learning of a breach, with details and the approximate number of affected subjects, and notification to the data subject in certain cases;
- Article 37. Requires companies whose "core activities" involve large-scale processing of "special categories" of data [1] to appoint a data protection officer;
- Articles 38/39. Outline the role of the data protection officer and his or her responsibilities in ensuring GDPR compliance and reporting requirements;
- Articles 44/46. Extend data protection requirements of the GDPR to international companies that collect or process the personal data of EU residents; and
- Article 83. Imposes fines up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher) for violations.
Companies (of any size) affected by the GDPR must not only be aware of the GDPR requirements, but be prepared to comply by May 25, 2018. Compliance is not something that can be accomplished overnight, but instead requires companies to: (a) develop an in-depth knowledge and understanding of the GDPR; and (b) implement a framework of policies/procedures/agreements that adhere to the GDPR's strict and far-reaching tenets. If you have not already done so, now is the time to consider whether your company must comply with the GDPR before it is too late.
[1] This data includes information that reveals a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life, or sexual orientation.